Pay attention to such of bots

[addison74]

In the last 2 days from this IP address 45.227.253.6 all my stores on the newsletter subscription form were attacked. Fortunately, HoneySpam extension did its duty at one point, but the bot managed to bypass the protections for a while (HoneySpam log is huge as size). The GET requests were around 2 - 3/second.

Here are some of the footprints left:

45.227.253.6 - - [11/Oct/2022:15:25:12 +0300] "GET /newsletter/subscriber/new/?form_key=fqWawqXbeZR5RjUi%20AND%201493%3D1493&required_field=1&email=1 HTTP/1.1" 302 702 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/532.2 (KHTML, like Gecko) Chrome/4.0.223.2 Safari/532.2"

45.227.253.6 - - [11/Oct/2022:15:30:49 +0300] "GET /newsletter/subscriber/new/?form_key=fqWawqXbeZR5RjUi&required_field=1&email=1%25%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%23 HTTP/1.1" 302 702 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/532.2 (KHTML, like Gecko) Chrome/4.0.223.2 Safari/532.2"

45.227.253.6 - - [11/Oct/2022:15:29:25 +0300] "GET /newsletter/subscriber/new/?form_key=fqWawqXbeZR5RjUi&required_field=1&email=1%20AND%208343%3D%28SELECT%20UPPER%28XMLType%28CHR%2860%29%7C%7CCHR%2858%29%7C%7CCHR%28113%29%7C%7CCHR%28118%29%7C%7CCHR%28118%29%7C%7CCHR%28120%29%7C%7CCHR%28113%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%288343%3D8343%29%20THEN%201%20ELSE%200%20END%29%20FROM%20DUAL%29%7C%7CCHR%28113%29%7C%7CCHR%2898%29%7C%7CCHR%28106%29%7C%7CCHR%28118%29%7C%7CCHR%28113%29%7C%7CCHR%2862%29%29%29%20FROM%20DUAL%29--%20WDsq HTTP/1.1" 302 702 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/532.2 (KHTML, like Gecko) Chrome/4.0.223.2 Safari/532.2"

I blocked the whole range of IP's 45.227.253.0/24. The attack came directly to the controller. In one of the servers it added over 9000 lines into the log file, but fortunately the newsletter_subscriber table has no record added by this bot, mainly due to the protection measures taken over the years. As you may see, it bypassed the form key, the mandatory fields and finally it was automatically caught in the firewall by Fail2Ban based on HoneySpam log. If the protections had not been implemented the database table would flood.

What seems interesting to me is that we recently implemented the idea of Form Keys for the newsletter subscription form, which does not exist in Magento. The one who created the bot reads our PR's, but I assure him that he won't surprise me a second time.

[elidrissidev]

The subscribe action only accepts POST requests so these requests will just end up redirecting back, but the fact that they include the form_key is well, scary.

[addison74]

They are not scary, but they take time to prevent them. It is obviously an attack against an OpenMage installation. We added the form_key value to the contact and newsletter forms recently, one is not yet merged. I don't think he had any luck as long as those form_key values were fake.

For me it was very useful that these failed attempts were recorded in the exception file. I will check if you did something like that in the proposed PR. After we make it merged, we will also have to modify the one on the contact form.

[elidrissidev]

I have a feeling that the form_key is not fake, the value sent with the request is 16 characters long, the same as the one generated by Magento. Maybe the bot scraped the page prior to sending the request.

[kiatng]

The emails submitted are:

email=1

email=1%25%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%23
decoded: 1%' UNION ALL SELECT NULL,NULL,NULL#

email=1%20AND%208343%3D%28SELECT%20UPPER%28XMLType%28CHR%2860%29%7C%7CCHR%2858%29%7C%7CCHR%28113%29%7C%7CCHR%28118%29%7C%7CCHR%28118%29%7C%7CCHR%28120%29%7C%7CCHR%28113%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%288343%3D8343%29%20THEN%201%20ELSE%200%20END%29%20FROM%20DUAL%29%7C%7CCHR%28113%29%7C%7CCHR%2898%29%7C%7CCHR%28106%29%7C%7CCHR%28118%29%7C%7CCHR%28113%29%7C%7CCHR%2862%29%29%29%20FROM%20DUAL%29--%20WDsq
decoded: 1 AND 8343=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(118)||CHR(118)||CHR(120)||CHR(113)||(SELECT (CASE WHEN (8343=8343) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(98)||CHR(106)||CHR(118)||CHR(113)||CHR(62))) FROM DUAL)-- WDsq

Ref

magento-lts/app/code/core/Mage/Newsletter/controllers/SubscriberController.php

Lines 52 to 54 in ee46ff9

	if (!Zend_Validate::is($email, 'EmailAddress')) {
	Mage::throwException($this->__('Please enter a valid email address.'));
	}

The above check on email would block the subscription regardless of form_key. I do not think the attacks are targeting OM. I agree with @elidrissidev , I think it's just scraping form_key.

[addison74]

This issue was fixed in OpenMage.