Phoca Guestbook on a server.

Unfortunately many people do not distinguish between two different significances of the event:

1) hack a website
2) attempt to hack a website

Some people who have experince with 2) think and speak about 1) which is of course wrong.

Phoca Guestbook like many other web applications (forums, guestbooks, contact forms) includes input form field. Note the "input form field", it is important term. Input form field is very interesting for spammers. If they find some on the website, they will try to use it for e.g. sending spam. Mostly this is done by robot, which makes a lot of attempts to the server.

It is a serious problem for the server when the robot makes a lot of attempts to access the site. It can overload the server. But this does not mean, the server was hacked and it does not have any direct dependency to some script in application. It is just an attempt to hack/exploit the server. In such case, the application does not have any wise tool to prevent from it. Such protection must be implemented on the server side, e.g. on Apache servers, this can be done by Mod Security, etc.

So, sometimes people think, if there are such attempts, that the application is not safe, but this is of course not true. It is important to differentiate between two events (see above):

1) hack a website - done through some application which has some security problem - must be solved in application
2) attempt to hack a website - mostly robot tries to attack the site - must be solved on server side - e.g. to prevent from displaying the site for robot which makes a lot of "bad" attempts on the site.

Phoca Guestbook situation

It is really easy (e.g. for webhosting provider) to say, Phoca Guestbook is not safe, please remove it from server. It is marked as reason 1) instead of reason 2). But if you remove it, then you need to replace it with some other application. Of course, you can expect, that at some time, you will be forced to remove next application :-( Because if you want to display input fields on your site, it will be allways searched by robots regardless used application. :-(

Message to webhosting providers

I am developer of Phoca Guestbook. I or Phoca Guestbook testers, we are only humans and of course we could not be sure, there is no security issue in Phoca Guestbook but if you have information about such issue, let me know. I am ready (NOW! and EVERYTIME!) to solve it and to fix it. Security is most important while developing web applications and I take care of it. I by myself must fight spammers everyday in my forum and know the situation with overloaded server.

Some information about baseless arguments

1) Phoca Guestbook does not have any feature which saves some files on server, etc. So there is no place where spammers can use it to save something on the server.

2) Input fields in Phoca Guestbook are checked with many different methods ( Trying to prevent from spam ) before they are stored into the database, so there is no place to use these methods to write some harmful code into database.
If you have some questions regarding this issue or you found some security bug or you just have some idea regarding this issue, please visit Phoca Forum ( ) and share it.

I am allways ready to fix possible security problems.

Thank you very much for your understanding.


Anyway :-(
Unfortunately, recently it seems, that spam robots are running without any control because they are trying to attack input form fields which do not exist on the site. :-( So it means, uninstalling popular extensions (including input form fields) from the server does not help :-( because spam robots try to access the server without knowing that the server runs such extension at all. So it happens that spam robots try to spam Joomla! extensions on server where no Joomla! is installed (absurdly).