Closed
Labels
- Component: Email
- Component: Security
- Issue: Clear Description (Gate 2 Passed. Manual verification of the issue description passed)
- Issue: Confirmed (Gate 3 Passed. Manual verification of the issue completed. Issue is confirmed)
- Issue: Format is valid (Gate 1 Passed. Automatic verification of issue format passed)
- Issue: Ready for Work (Gate 4. Acknowledged. Issue is added to backlog and ready for development)
- Reproduced on 2.2.x (The issue has been reproduced on latest 2.2 release)
- Reproduced on 2.3.x (The issue has been reproduced on latest 2.3 release)
Description
Preconditions
- Any Magento version allows gibberish to be entered into the registration form!
- The name can be anything: HTML, JavaScript, any crap.
- Usually bots create accounts with advertising or even phishing data.
Example first and last name registration from a bot:
☏ Иван - Позвоните нам немедленно: 495-8-375-xxxx. для получения вашего бонуса!!! €€€€€
☏ David - Please call us immediately at: 495-8-375-xxxx. To get your bonus!!! €€€€€
Is the best method for the present moment ☺ http://KHAYRYYC.com And now we need to take the components from them http://KHAYRYYC.ru
Иван Валерьевич Бондаренко http://9JpJyTOH.com Кондратий Павлович Шульц http://9JpJyTOH.ru
⚐ Анечка->https://drive.google.com/file/d/0B2NsK5-axAtWdE9hVm1EZmxZTlk/preview
⚐ Света->https://drive.google.com/file/d/0B2NsK5-axAtWaFBOY2laR252Z2s/preview
Steps to reproduce
- Create a POST request with any gibberish data to the account registration form.
Expected result
- HTML, JavaScript, code, links, emails, etc. must be denied at form validation before submit.
- Return an error, or ban the submitter for 5/30/120 minutes on repeated errors.
- Captcha must be enabled by default!
- An input length of 256 characters is too much - must be at least 20.
Actual result
- A fake account is registered and Magento sends a welcome email or newsletter email with advertising or phishing.
- The email goes to the spam folder; users report the email as spam.
- The email is blacklisted.
- Email reputation goes down.
- Shop reputation goes down!
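The validation and escalating-ban behaviour the reporter asks for under Expected result, as an added Python sketch that is not part of the issue or of Magento's code; the 20-character limit and the 5/30/120 minute schedule come from the list above, while the regexes, the Unicode category checks and the per-IP tracker are assumptions, and the inputs it is tested with are constructed.

```python
import re
import unicodedata
from typing import Optional

MAX_NAME_LEN = 20            # the issue proposes 20 in place of the current 256
BAN_MINUTES = (5, 30, 120)   # escalating bans proposed in the issue
# Assumed patterns for what the issue wants rejected: markup, links, e-mail addresses, phone numbers.
HTML_TAG = re.compile(r"<[^>]*>")
URL_OR_EMAIL = re.compile(r"(https?://|www\.|\S+@\S+\.\S+|\.(com|ru|net|org)\b)", re.I)
PHONE = re.compile(r"\d[\d\- ]{6,}")

def rejection_reason(name: str) -> Optional[str]:
    """Return why a first/last name should be rejected, or None if it is acceptable."""
    if not name or len(name) > MAX_NAME_LEN:
        return "length"
    # Control/format/private-use chars (Unicode category C*) cover the binary garbage bots submit.
    if any(unicodedata.category(ch)[0] == "C" for ch in name):
        return "control character"
    if HTML_TAG.search(name):
        return "html"
    if URL_OR_EMAIL.search(name):
        return "url/email"
    if PHONE.search(name):
        return "phone number"
    # Symbols such as ☏, ⚐ and € (Unicode category S*) are attention grabbers, not name parts.
    if any(unicodedata.category(ch)[0] == "S" for ch in name):
        return "symbol"
    # Whatever remains must be letters in any script, plus space, apostrophe, hyphen or dot.
    if not all(ch.isalpha() or ch in " '-." for ch in name):
        return "disallowed character"
    return None

class RepeatOffenderTracker:
    """First rejected submission only returns an error; repeats get 5, 30, then 120 minute bans."""
    def __init__(self) -> None:
        self._strikes = {}        # ip -> rejected submissions seen
        self._banned_until = {}   # ip -> unix time at which the ban ends

    def is_banned(self, ip: str, now: float) -> bool:
        return self._banned_until.get(ip, 0.0) > now

    def record_rejection(self, ip: str, now: float) -> int:
        """Count a rejected submission; return the ban length in minutes (0 = error only)."""
        strikes = self._strikes.get(ip, 0) + 1
        self._strikes[ip] = strikes
        if strikes < 2:
            return 0
        minutes = BAN_MINUTES[min(strikes - 2, len(BAN_MINUTES) - 1)]
        self._banned_until[ip] = now + minutes * 60
        return minutes
```

The checks run before the account is created and before any welcome or newsletter mail is queued, which is where the reputation damage in the Actual result list is avoided.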