DTO vBulletin Product Support


  #1 (permalink)  
Old 03-15-2011, 11:33 AM
psychobike psychobike is offline
 
Join Date: Oct 2009
Posts: 7
Default Vendor Registration Spam

Ok so before we open up each file in the DTO Vendor Tools vBulletin Product and research its code, I would like to see if we can get some support help.

Can someone please explain how it is possible for anyone to register in the Vendor Registration when it is disabled in the Settings?

Since installing DTO Vendor Tools on day one, we have had the "Enable Vendor Registration" setting in the admincp disabled. With this setting disabled, there is nothing displayed in the public area that shows a possible way for a Vendor to register. The option for a vendor to register Does Not Appear in the dropdown tab located on the NavBar.

However, for an unexplained reason, we have a same group of what I call spam which has the ability to fill out the Vendor Registration request form (which keep in mind we have disabled and does not appear anywhere as a possible option to register). If the option to register does not appear, how is anyone still able to register? It's almost like there is something hidden in the script that gives these individuals the ability to be able to register their website.

As an admin I get the confirmation email which shows a new vendor registration. I then login to DTO Vendor Tools in admincp and select Manage Vendors and sure enough there it shows the new register in the Pending Vendors section.

As it is now, this product is not safe. At this point I can only hope there is an explanation why it is possible, as well as a fix/cure.

How is this possible?
  #2 (permalink)  
Old 03-15-2011, 11:57 AM
Nathan Nathan is offline
Director - Product Support
 
Join Date: Jan 2009
Location: Ohio
Posts: 463
Default

The switch only removes the registration page from public view. If the URL is known then one can access the URL.

Later today we'll try to put a bit of code together that will totally disable the ability to access the page.
__________________
-----
Nathan Freedenberg
Director - Product Support
Drive Thru Online
  #3 (permalink)  
Old 03-15-2011, 02:12 PM
Mark Mark is offline
Administrator
 
Join Date: Nov 2008
Posts: 1,079
Default

I'll incorporate this code into a future release but in the meantime here are a couple of simple code changes to prevent the URLs from doing anything even if you have registration disabled:

Edit the file dto_vendor.php and search for the following:

PHP Code:
if ($_REQUEST['do'] == 'regproc')

Change this to:

PHP Code:
if (($_REQUEST['do'] == 'regproc') && ($vbulletin->options['dto_vendor_register']))

In the same file, search for:

PHP Code:
if ($_REQUEST['do'] == 'reg')

Change this to:

PHP Code:
if (($_REQUEST['do'] == 'reg') && ($vbulletin->options['dto_vendor_register']))

Save the file and then try the following URLs:

http://yoursitehere/forums/dto_vendor.php?do=reg

http://yoursitehere/forums/dto_vendor.php?do=regproc

Both should result in a white screen.

Let us know if you need any additional assistance.

Thanks!

Mark
__________________
Mark Ferguson
President - Drive Thru Online, Inc.
Drive Thru Online – Helping Turn Your Passion into Profit
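The change in post #3 enforces the setting on the server for each action instead of relying on the hidden menu link. The same idea as a single deny-by-default gate, shown here as an added example that is not part of the thread or of the product's code; `gate_action`, `ACTION_REQUIRES` and the returned status codes are assumptions, while the `dto_vendor_register` option and the `reg` / `regproc` actions come from the post above:

```php
<?php
// Added illustration; not code from dto_vendor.php. The function name and the
// action map are hypothetical. Only the 'dto_vendor_register' option key and
// the 'reg' / 'regproc' action names come from the thread.

// Each action names the option that must be enabled for it to run.
const ACTION_REQUIRES = [
    'reg'     => 'dto_vendor_register', // show the registration form
    'regproc' => 'dto_vendor_register', // process the submitted form
];

/**
 * Decide whether a requested action may run.
 * Returns the HTTP status the front controller should send.
 */
function gate_action($do, array $options): int
{
    // Reject non-string input such as ?do[]=reg before comparing.
    if (!is_string($do) || !array_key_exists($do, ACTION_REQUIRES)) {
        return 404; // unknown action: deny by default
    }
    $flag = ACTION_REQUIRES[$do];
    if (empty($options[$flag])) {
        return 403; // feature switched off: refuse on the server side
    }
    return 200;
}

// Constructed sample: registration disabled in the admin settings.
$options = ['dto_vendor_register' => 0];

foreach (['reg', 'regproc', 'unknown', ['reg']] as $do) {
    $status = gate_action($do, $options);
    printf("%-8s -> %d\n", is_string($do) ? $do : 'array', $status);
}

// In a front controller the result would be applied before any handler runs
// (assumes the options array is available as in the post above):
// $status = gate_action($_REQUEST['do'] ?? null, $vbulletin->options);
// if ($status !== 200) { http_response_code($status); exit; }
```

Gating `regproc` is the part that matters for spam: hiding or blocking only the form (`reg`) still leaves the processing action reachable by a direct POST.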
  #4 (permalink)  
Old 03-15-2011, 02:15 PM
psychobike psychobike is offline
 
Join Date: Oct 2009
Posts: 7
Default

Quote:
Originally Posted by Nathan View Post
The switch only removes the registration page from public view. If the URL is known then one can access the URL.

Later today we'll try to put a bit of code together that will totally disable the ability to access the page.

There is no doubt something needs to be done. I'm shocked you haven't had other customers complaining before now. Maybe others don't pay attention, or know the difference when they are, and are not, being used from spam bots etc.

As a customer I appreciate you putting in the time to create a patch for this issue.
  #5 (permalink)  
Old 03-15-2011, 02:17 PM
psychobike psychobike is offline
 
Join Date: Oct 2009
Posts: 7
Default

Thank you Mark. I will install the upgrade here very shortly.
  #6 (permalink)  
Old 03-15-2011, 02:55 PM
psychobike psychobike is offline
 
Join Date: Oct 2009
Posts: 7
Default

I made the changes within the 'dto_vendor.php' file. After checking both the mentioned links below but with including my website address to them, the links both show the white page just like you said it would.

http://yoursitehere/forums/dto_vendor.php?do=reg
http://yoursitehere/forums/dto_vendor.php?do=regproc

I hope these changes put a stop to the attacks.

Thanks again, and I will be sure to return should any additional issues take place.
  #7 (permalink)  
Old 03-15-2011, 02:58 PM
Mark Mark is offline
Administrator
 
Join Date: Nov 2008
Posts: 1,079
Default

Glad to assist. If you haven't already done so be sure to upgrade/change out the form of CAPTCHA you are using in vBulletin as it was cracked a month or so ago. This has led to a lot of spam registrations for all forum owners.

Mark
__________________
Mark Ferguson
President - Drive Thru Online, Inc.
Drive Thru Online – Helping Turn Your Passion into Profit
  #8 (permalink)  
Old 03-15-2011, 03:08 PM
psychobike psychobike is offline
 
Join Date: Oct 2009
Posts: 7
Default

Quote:
Originally Posted by Mark View Post
Glad to assist. If you haven't already done so be sure to upgrade/change out the form of CAPTCHA you are using in vBulletin as it was cracked a month or so ago. This has led to a lot of spam registrations for all forum owners.

Mark

Are you referring to switching to a different option from the Human Verification Options, or?
  #9 (permalink)  
Old 03-15-2011, 03:08 PM
Nathan Nathan is offline
Director - Product Support
 
Join Date: Jan 2009
Location: Ohio
Posts: 463
Default

Check out Solve Media. We've been using it on various sites for a few weeks now and it has brought the spam registrations to a stop.

Solve Media
__________________
-----
Nathan Freedenberg
Director - Product Support
Drive Thru Online
  #10 (permalink)  
Old 03-15-2011, 06:58 PM
psychobike psychobike is offline
 
Join Date: Oct 2009
Posts: 7
Default

Quote:
Originally Posted by Nathan View Post
Check out Solve Media. We've been using it on various sites for a few weeks now and it has brought the spam registrations to a stop.

Solve Media

After researching Solve Media, it looked to be promising. I installed Solve Media and I'm now looking forward to its benefits. Thank you guys for the help and heads up!