I'm trying to determine if there has been a security breach by way of the Constant Contact module on my client’s website. It seems a spammer has accessed my client’s mailing list and is sending out spam emails and spoofing the sent-from email address.

In the log files I’m seeing this msg numerous times:

Warning: Creating default object from empty value in cc->get_lists() (line 386 of /home/mywebsite/public_html/sites/all/modules/constant_contact/class.cc.php).

This message doesn’t seem to get triggered when I use the Constant Contact form as a normal user would.

Any info or advice would be greatly appreciated. I’m very inexperienced with web security issues.

Comments

Stefan Lehmann’s picture

You could add some additional logging and use debug_backtrace() to check which part of the code is executing this line with an empty object. Apparently this warning is thrown if an object variable is assigned to an empty object.

e.g.:

$res = NULL;
$res->success = false; // Warning: Creating default object from empty value

So you could add a check here like:

if (!$res) {
  // add debug backtrace info to watchdog .. 
}
$res->success = false; // Warning: Creating default object from empty value

I like cookies!

egaiter’s picture

Hello,

I'd first like to let you know that we’ve checked our systems thoroughly and can confirm that there has been no security breach here at Constant Contact.

This code was originally written by a Constant Contact partner, and I have reviewed the code prior to this message in order to find relevant information for you. Based on my research, this warning is showing due to an elevated error reporting level in your PHP code. Specifically, the warning is because the list_meta_data property of the cc class is not being set before it is used as an object.

In this situation, PHP assumes it to be an object and throws a warning if your error reporting level is set appropriately. The warning can be resolved by making the following changes:

Class.cc.php line 385

Before:
		if(isset($xml['feed']['link']['2_attr']['rel']) && $xml['feed']['link']['2_attr']['rel'] == 'first'):
			$this->list_meta_data->first_page = $this->get_id_from_link($xml['feed']['link']['2_attr']['href']);

After:
		if ($this->list_meta_data == null)
			$this->list_meta_data = new stdClass();
		if(isset($xml['feed']['link']['2_attr']['rel']) && $xml['feed']['link']['2_attr']['rel'] == 'first'):
			$this->list_meta_data->first_page = $this->get_id_from_link($xml['feed']['link']['2_attr']['href']);

For additional information about this warning, I found an excellent explanation in the top answer to this question:
http://stackoverflow.com/questions/8900701/creating-default-object-from-...

If you have any questions or concerns relating to Constant Contact's APIs, please feel free to email us at webservices@constantcontact.com

Sincerely,
Elijah Gaiter
API Support Engineer
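
The two suggestions above (log a backtrace when the object is empty, then initialise it before use) can be combined. This is an added example, not code from the module or from either commenter: `DemoCc`, `cc_debug_callers()` and `demo_cron_sync()` are hypothetical names, and `error_log()` stands in for Drupal's `watchdog()` so the script runs on its own.

```php
<?php
// Added example: DemoCc is a hypothetical stand-in for the module's cc class.

/** Summarise the call stack as "function (file:line)" entries, without arguments. */
function cc_debug_callers($limit = 8) {
  $frames = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS, $limit + 1);
  array_shift($frames); // drop this helper's own frame
  $out = array();
  foreach ($frames as $f) {
    $fn = (isset($f['class']) ? $f['class'] . $f['type'] : '') . $f['function'];
    $where = isset($f['file']) ? basename($f['file']) . ':' . $f['line'] : '[internal]';
    $out[] = $fn . ' (' . $where . ')';
  }
  return implode(' <- ', $out);
}

class DemoCc {
  public $list_meta_data = NULL;

  public function get_lists() {
    if (!$this->list_meta_data) {
      // Record which caller reached this line with the property unset,
      // plus the request that triggered it, so entries can be matched
      // against the web server access log.
      $uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '[cli]';
      $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '[cli]';
      // Inside Drupal, pass the same string to watchdog() instead.
      error_log('cc list_meta_data empty; uri=' . $uri . ' ip=' . $ip
        . ' callers=' . cc_debug_callers());
      // Initialise before use, which is what removes the warning.
      $this->list_meta_data = new stdClass();
    }
    $this->list_meta_data->first_page = 1; // constructed value
    return $this->list_meta_data;
  }
}

// Constructed caller, standing in for whatever page or cron task calls get_lists().
function demo_cron_sync() {
  $cc = new DemoCc();
  return $cc->get_lists();
}

demo_cron_sync();
```

The logged caller chain and request URI show whether the warning comes from ordinary site code paths, such as cron or a form build, or from requests that look out of place.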

zopa’s picture