
#805 – Contact form not checking for logged in user

Posted in ‘Support’
Thursday, 24 September 2020 07:23 CEST
Riba
Joomla! version: 3.6.2
PHP version: 5.7
AdsManager version: 3.2

Hello support,

We found out that there is a vulnerability that allowed spammers to send out mail through our site using the AdsManager contact form.

The problem is that even if you configure the form to be available only to logged-in users, this is not enforced if you know the direct URL to the contact form - it only removes the option/link in the ad display.

Even non-logged-in users can gain access to the contact form if they enter the URL directly.
Thursday, 24 September 2020 09:07 CEST
loic
Hello,

You can enable the reCAPTCHA plugin and display it in the contact form to prevent bots from sending messages.

For the human spammers, I will add a condition that displays an error message if the user is not logged in and that option is enabled.

I will get back to you quickly.

Best regards.
Thursday, 24 September 2020 09:17 CEST
Riba
Thanks loic, it should be easy to fix. I actually did it, but at the moment it is just a quick and dirty hack.
Friday, 25 September 2020 10:25 CEST
loic
Hello,

Here is the definitive fix.

Open the file components/com_adsmanager/views/message/view.html.php and add this at line 14:
require_once(JPATH_ROOT.'/components/com_adsmanager/lib/tpermissions.php');


To get this:
jimport('joomla.application.component.view');

require_once(JPATH_BASE."/components/com_adsmanager/helpers/field.php");
require_once(JPATH_ROOT.'/components/com_adsmanager/lib/tpermissions.php');


After that, locate line 24:
$app = JFactory::getApplication();


And just after, add this:
if(!TPermissions::checkRightContact()) {
    $app->redirect('index.php', JText::_('ADSMANAGER_CONTACT_NO_ACCESS_RIGHT'), 'error');
}


You can change the translation if needed.

Best regards.
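The following is an added, self-contained PHP model of the issue and of the fix described in this thread; it is not AdsManager's code and is not taken from the ticket. It runs from the command line (`php example.php`) with no Joomla installation. The function names (checkRightContact, renderAdPage, messageViewVulnerable, messageViewFixed), the $config and $session arrays and the ad id are all constructed for the illustration; only the option's intent ("contact form for logged-in users only") and the redirect-with-error behaviour of the fix come from the posts above.

```php
<?php
// Added example (not AdsManager's code). It shows why hiding the "Contact"
// link is not access control: the message view can be requested directly,
// so the permission has to be re-checked in the handler itself, which is
// what the redirect in the fix above does.
declare(strict_types=1);

// Constructed site configuration: the "logged-in users only" option.
$config = ['contact_logged_in_only' => true];

/**
 * Single enforcement point. Plays the role that TPermissions::checkRightContact()
 * plays in the fix (its real implementation is not shown in this ticket).
 * A user_id of 0 (or no user_id at all) means a guest.
 */
function checkRightContact(array $config, array $session): bool
{
    if (!$config['contact_logged_in_only']) {
        return true; // feature is open to everyone
    }
    return ($session['user_id'] ?? 0) > 0;
}

/** Ad detail page: only decides whether the contact link is rendered. */
function renderAdPage(array $config, array $session, int $adId): string
{
    $html = "<h1>Ad #$adId</h1>";
    if (checkRightContact($config, $session)) {
        $html .= '<a href="index.php?option=com_adsmanager&view=message&id='
               . $adId . '">Contact</a>';
    }
    return $html;
}

/**
 * Vulnerable variant of the message view: trusts that the link was hidden
 * and serves the form to anyone who requests the URL directly.
 */
function messageViewVulnerable(array $config, array $session, int $adId): array
{
    return ['status' => 200, 'body' => "contact form for ad #$adId"];
}

/**
 * Fixed variant: repeats the check before rendering the form and redirects
 * with an error message otherwise, mirroring the $app->redirect() in the fix.
 */
function messageViewFixed(array $config, array $session, int $adId): array
{
    if (!checkRightContact($config, $session)) {
        return [
            'status'   => 303,
            'location' => 'index.php',
            'message'  => 'ADSMANAGER_CONTACT_NO_ACCESS_RIGHT',
        ];
    }
    return ['status' => 200, 'body' => "contact form for ad #$adId"];
}

// Demonstration with constructed sessions: a guest who knows the URL
// and a logged-in member.
$guest  = ['user_id' => 0];
$member = ['user_id' => 42];

$checks = [
    'link hidden for guest'            => strpos(renderAdPage($config, $guest, 7), 'Contact') === false,
    'vulnerable view still serves guest' => messageViewVulnerable($config, $guest, 7)['status'] === 200,
    'fixed view refuses guest'         => messageViewFixed($config, $guest, 7)['status'] === 303,
    'fixed view serves member'         => messageViewFixed($config, $member, 7)['status'] === 200,
];

foreach ($checks as $label => $ok) {
    printf("%-36s %s\n", $label, $ok ? 'yes' : 'NO');
    if (!$ok) {
        throw new RuntimeException("unexpected result: $label");
    }
}
```

Two practical notes. First, the check in the fix guards the view that renders the form; if the actual sending of the mail is handled by a separate request (for instance a controller task that receives the POSTed form), the same checkRightContact() condition belongs there as well, because a spammer can POST to the send endpoint without ever loading the view. Second, a redirect ends the request only if nothing after it continues to execute; in Joomla 3, $app->redirect() calls exit internally, so the code placed after the redirect in the fix is not reached for guests, but an equivalent check in other frameworks should return immediately after issuing the redirect.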
Friday, 25 September 2020 20:17 CEST
Riba
Thank you very much for the quick solution!
Monday, 28 September 2020 15:21 CEST
loic
Hello,

I am closing the ticket :)

Best regards.