No announcement yet.

Security leak discovered by my host

  • Filter
  • Time
  • Show
Clear All
new posts

  • Security leak discovered by my host

    Not sure if this post belongs in this forum or in vB5 Connect Support & Troubleshooting

    Today i got this e-mail from my webhoster:

    Dear Stefan118,
    The contact form on (, your website is currently being misused by hackers to send spam

    Contact form:

    Because your contact form is being misused, we have put the contact form on your website offline.

    You or your webdesigner must update the contact form to a new version and the contact form must use ReCaptcha (is better than the Captcha currently being used) so that it can no longer be misused.

    Let us know what you will do, then we will put the contact form online again.

    Hope to have informed you sufficiently,

    My webhoster.
    Now i'm running vB 5.5.0, and am about to update to the most recent version 5.5.1, but was wondering if this issue is known, and if so, is it solved in 5.5.1?

    Last edited by Stefan118; Thu 4th Apr '19, 12:01pm.

  • #2
    I fail to see how this is a security risk. The Contact Us form can only send emails to the addresses set up under Settings -> Options -> Site Name / URL / Contact Us. However, Recaptcha or Human Verification is a default setting for non-registered users on new vBulletin installations. This feature has been available for over a decade now. Human Verification also applies to the Contact Us form. You can see this by clicking the Contact Us link in the footer of this page while not logged into the site. It appears that you have turned this off. To re-enable it you should follow these steps.
    1. Go to Settings -> Options -> Human Verification Options.
    2. Make sure all Options are checked except maybe Search. Checking Search means that Guest Users cannot use the search box in the header.
    3. Go to Usergroups -> Usergroup Manager.
    4. Edit the Guest Usergroup.
    5. Make sure that "Require Human Verification on Configured Actions" is set to Yes.
    6. Save the Permissions at the bottom of the page.
    7. Go to Settings -> Human Verification Options.
    8. Set up one of the different Verification Methods. I suggest using Recaptcha v2.
    Translations provided by Google.

    Wayne Luke
    The Rabid Badger - a vBulletin Cloud demonstration site.
    vBulletin 5 API - Full / Mobile
    Vote for your favorite feature requests and the bugs you want to see fixed.


    • #3
      I checked some things:
      The contact form is indeed offline (the send buttom does not work anymore. Has been set to
      Only our own info e-mail address has been set.
      In Settings -> Options -> Human verification options only Recover lost password was not checked.
      The "Require human verification" on Usergroup options was and is set to yes, however, by registered users who did not confirm their account it was set to no!
      I indeed was not using ReCaptcha v2, but image verification.

      I copied your post into my reply to the ticket of my host.


      • #4
        The first thing I'd be doing if a host disabled part of my website without advising me FIRST, would be to find another host.
        vBulletin is installed on many, many thousands of websites worldwide, and the contact form is used without issue.

        ReCaptcha2 should be used, not image verification, as image verification generally has been 'crackable' for quite some time.

        TalkNewsUK - My vBulletin 5.5.6 Demo
        AdminAmmo - My Cloud Demo


        widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.