
My reading of the issue is that Sendy's webform allows the external requester to bypass the server-side captcha logic by changing a client-side "hidden" input. If you want to be protected then you have to customize the form.

I have the source code too and checked it already. The gist of the code is:

  if subform:
      if captcha fails:
          feedback = "Failed recaptcha test"
  ...
  if feedback != 'Failed recaptcha test' (&& other stuff):
      do subscribe

edit: misread the code and formatting on HN didn't even show my intent, but the subform check doesn't contain the subscribe logic. The bug is clearly that it doesn't check if the captcha has passed.

And the point is that anyone with even a modicum of dev experience can remove the `subform` field and automate submission to the otherwise-standard form and completely bypass ReCAPTCHA.

The issue goes even deeper: if subform is set to no, then Sendy considers the user as added via the API. This should mean that it would call verify_api_key before allowing such a submission, but Sendy doesn't verify the API key for subscribe calls (doh!). Old forum posts suggest that double opt-in is a solution; however, not only can you bypass the captcha and form with subform=no, you can also bypass double opt-in via the subscribe API by sending silent=true in your POST.

Here's the diff for subscribe.php to require captcha for all list adds: https://pastebin.com/tSLkvYME

If you need API support, you could use `captcha_passed = verify_api_key($api_key)` and include the api_key in the POST request.
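The control flow the thread describes, modelled as an added example (this is not Sendy's code and not the pastebin diff): the flawed gate that tests for an error string only when the client-supplied subform field is present, next to a version where a server-side captcha_passed boolean gates every add, the API path requires a valid key, and silent is honoured only on that path. The field names subform, silent and api_key come from the thread; verify_captcha, verify_api_key and the token/key values are constructed stand-ins.

```python
from typing import Tuple

FAILED_MSG = "Failed recaptcha test"
VALID_TOKEN = "constructed-valid-token"   # constructed sample values, not real
VALID_API_KEY = "constructed-api-key"


def verify_captcha(token: str) -> bool:
    """Stand-in for a server-side reCAPTCHA siteverify call."""
    return token == VALID_TOKEN


def verify_api_key(key: str) -> bool:
    """Stand-in for the API-key check the thread says subscribe skips."""
    return key == VALID_API_KEY


def is_form_submission(post: dict) -> bool:
    # Per the thread: a missing subform, or subform=no, is treated as an API add.
    return post.get("subform", "no") != "no"


def subscribe_vulnerable(post: dict) -> Tuple[bool, bool]:
    """Flawed flow. Returns (accepted, double_opt_in_required).
    The captcha runs only on the form path, and the gate checks for an error
    string instead of a positive result, so a request that never triggered the
    check is accepted and 'silent' is honoured without any authentication."""
    feedback = ""
    if is_form_submission(post):
        if not verify_captcha(post.get("g-recaptcha-response", "")):
            feedback = FAILED_MSG
    if feedback != FAILED_MSG:
        return True, post.get("silent") != "true"
    return False, False


def subscribe_hardened(post: dict) -> Tuple[bool, bool]:
    """Hardened flow. captcha_passed is set only by a server-side check; the
    API path must present a valid key; silent applies only to API adds."""
    form = is_form_submission(post)
    if form:
        captcha_passed = verify_captcha(post.get("g-recaptcha-response", ""))
    else:
        captcha_passed = verify_api_key(post.get("api_key", ""))
    if not captcha_passed:
        return False, False
    double_opt_in = True if form else post.get("silent") != "true"
    return True, double_opt_in
```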
