Hello/Hi/Greetings,

the ContactForm is a very useful plugin for adding a feedback feature to the piwigo site and yet to stop e-mail address "mining" by spammers. But it has a flaw.

The contact form has an option to send a copy of the message to the e-mail address specified by the author of the message. This has two problems:

1. It begs for abusing, and once having installed the plug-in, I almost immediately saw attempts to use it as a channel of spam distribution (and despite I have immediately removed this feature from the code and the template, after couple of months I still see massive automated POST requests to index.php?/contact/, probably attempting to distribute spam (I am a bit lazy to stay watching what is in the request body to confirm that they still are trying to exploit this vulnerability)).

2. Even worse, the legitimate users may want to use the form to send them a copy. In code, this is done by simply adding a "Cc" header (and re-writing "To" and "Bcc" to hide the site recepients' adresses) :

if ($comm['send_copy'])
{
  $Bcc = $to;
  $to = null;
  $Cc = $from;
}

While the administrator of the piwigo web site is capable of setting up mail delivery policies of his/her own mail server as (s)he wants, the MTA on the commenter's side obviously has its own rules. So the MTA specified by the commenter will see a message with a MAIL FROM from its own mail domain but coming from the wrong sending MTA. This will be in contradiction with the SPF of receiving domain, will most probably violate its DMARC policy, in modern world such an e-mail has almost 100% chance of rejection and, what is worst of all, if the receiving system is a big one or if it is exchanging information with IP reputation tracing services, this will lead to degradation of the sender's IP address reputation to the level that it cannot send other mail at all. This is all theory but in practice I have seen that few my test e-mails twere rejected by a couple of big receivers (mail.ru and yahoo.com, if that matters, and yahoo also blacklisted my IP).

As I wrote, in my installation I simply removed the ability to send a copy. Probably, a more intelligent solution would be to make this feature optional and if enabled, make the "From" address for the copy configurable so that site administrator could set up a blackhole address for such a purpose, and initiate two messages instead of one. I would like to draw developers' attention to the problem.

    Piwigo 11.5.0 Check for upgrade
    Operating system: Linux
    PHP: 7.4.21 (Show info) [2021-09-01 19:53:14]
    MySQL: 5.5.5-10.5.10-MariaDB-log [2021-09-01 22:53:14]
    Graphics Library: External ImageMagick 7.1.0-4
Piwigo URL: https://unseen.photo