cforms II User Forum

Registration is currently disabled.


Login form protected by Login LockDown.

Lost password?
Advanced Search

— Forum Scope —


— Match —


— Forum Options —


Wildcard usage:
*  matches any number of characters    %  matches exactly one character

Minimum search word length is 4 characters - maximum search word length is 84 characters

Topic RSS
Security Issue: Form Flooding & Solution (captcha)
December 1, 2007
2:45 pm

Please replace the ??? with your data!

  • Your URL: http://???
  • The browser used: Firefox 2
  • cforms version: 6.2
  • Your Wordpress version: 2.3.1


I have tried it on cforms 6.2 (ajax=off) , capcha on, Firefox.

After submitting the first form; if you press refresh button (or F5) browser asks you to submit post data again. If you say "OK", then it sends the form succesfully again.

By pressing refresh button (or F5), anyone can easily flood the form. In other words captcha is useless, an abuser can send you thousands of mails using a multi-threaded flooder.

If I did not misunderstood, this occurs because "lib_nonajax.php" never checks for the session variable turing_string_, it only compares some md5 sent by form.

Currently I made a simple workaround:

Open lib_nonajax.php

Search for this:

if ( $_POST['cforms_cap'.$no] <> md5(strtolower($_POST['cforms_captcha'.$no])) ) {
$validations[$i+$off] = 0;
$err = !($err)?2:$err;

Replace (or add) with the following code:

if ( $_POST['cforms_captcha'.$no] <> $_SESSION['turing_string_'.$no] ) {
$validations[$i+$off] = 0;
$err = !($err)?2:$err;

this code compares the value sent by form with the value allready in session.

Also (to prevent re-use of them) resetting session variables after a successfull send may be required (if not allready done); I'm not sure currently, I did not examined so much but I think it seems to be done…Smile

By the way, I must say that I like cforms II very much because of its configurability… Thanks goes to the author…

December 1, 2007
3:42 pm
Munich, Germany
Forum Posts: 6400
Member Since:
March 6, 2005

Nice catch! Thanks!

I'll have it fixed in v6.4. 

Forum Timezone: Europe/Berlin

Most Users Ever Online: 959

Currently Online:
50 Guest(s)

Currently Browsing this Page:
1 Guest(s)

Top Posters:

tracedef: 43

mores: 21

Gyrus: 20

frozenwaste: 18

asuffredini: 15

photoworks: 14

Member Stats:

Guest Posters: 3762

Members: 1463

Moderators: 3

Admins: 2

Forum Stats:

Groups: 1

Forums: 4

Topics: 5361

Posts: 18742

Newest Members: juredujmovic, dreamkeeper, rajattyagi, wrokaa, lukass

Moderators: Paul (421), cnymike (8), sonika (95)

Administrators: Oliver (6400), Nicky (3)