
Forum is open again, reCAPTCHA is in

Update May 26

The forum has been reopened - you no longer need partner access to post.

The access to the forum was restricted for about a week. I did not receive much feedback during that time, but the feedback I did get was mostly negative. That was expected though since the only affected people were those who lost access. I have now decided to reopen the forum and try other approaches to combat spam. Mainly for two reasons:

  • The users that benefit the most from the forum are those who are not employed at a partner company. Since they don't have access to the support system, the forum is the place they go to seek help. Shutting them out of the forum will drive them away from the community; we'd much rather have them stay. This is kind of obvious in retrospect, but I apparently needed someone to point that out for me - thank you, Luc and others.

  • I was not particularly happy with the lockdown solution either and I felt bad linking this article and replying "this is why you can't post anymore". It felt wrong.

Instead of the access restriction I have added Google's reCAPTCHA to the new thread and reply forms. This is a relatively simple CAPTCHA that most often only requires you to check a box, but sometimes you need to select images based on certain criteria. As I mentioned in the original message (below), I believe that most of the spam is not posted by bots - we'll see what effect the CAPTCHA has. Either way, we now have robust bot protection.

As before, please comment below.

Original message from May 19

Around the same time as this article is published the access rights for the forum will be changed. After the changes have been made only accounts that have been associated with a partner company are allowed to post in the forum. Read access will still be granted to everyone.

The reason for this decision is the large amount of spam that has been posted during the last few months. The traps I've laid to try to catch and discard posts by bots have had no effect, which means either that bots don't fall for the traps or that the spam is not posted by bots. My belief is that the latter is true.

We have discussed other solutions to the problem, mainly two that are still on the table:

  • Use CAPTCHA. An annoyance for everyone that definitely will shut out bots but will not stop a determined spammer.
  • A wait period and/or a posting limit for new accounts. Annoying for new members but, again, will not stop determined spammers.

Please post any feedback in the comments below; I want to have a solution in place that we're all happy with.


Henrik Fransas
Henrik Fransas May 22, 2015 07:35 AM

I noticed that there are fewer questions and less activity on World now since that change. I liked the change, but it might be necessary to add something to it. I think there might be a lot of people needing to ask questions who are not part of a partner firm, or who need help connecting their account to the firm.

Maybe add an extra verification step for just the persons that are not connected to a partner firm. How, I do not know. I agree that most attempts at fixing stuff like this only result in making it harder for everyone but the "bad people".

Will think more and get back

Milos Malic
Milos Malic May 22, 2015 09:29 AM

The more fine people we have trying to sort out bot problems, even more flock to refine bots... It is the way it is :-(

Glenn Stewart
Glenn Stewart May 22, 2015 05:05 PM

Hi Erik, how do I associate one of my clients with Ultimedia as an EPiServer partner?

May 26, 2015 02:32 PM

@Henrik & Milos

Forum is open, I've updated the article.


What I am referring to in the article is associating your World account with your employer. That is done via My Settings (profile) -> Professional Information tab.

May 26, 2015 06:04 PM

Hi Erik,

I cannot edit / delete posts anymore. I'm getting a page which tells me to log in or create an account, but I'm already logged in.

btw, recaptcha pictures are nice :)

Henrik Fransas
Henrik Fransas May 26, 2015 08:21 PM

I got the same problem as Dejan when trying to delete my post, and I was also not able to set a response as answer.

valdis May 27, 2015 10:26 AM

reCAPTCHA has issues on mobile phones. The flyout window to select juicy fruits is not visible. Need to change orientation a few times to get it inside the screen. Makes it hard to answer from a phone..

May 27, 2015 02:24 PM

@Dejan & Henrik

This has been fixed now. This was actually caused by the access changes on May 19 - turns out that the Creator virtual role does not work as it should when you use inherited ACLs. Bug has been reported.


I didn't even think that people posted to the forum from phones, brave souls. I'll look into customizing the CAPTCHA to see if I can make it easier to use on mobile devices. Other things have higher prio though, so I don't know when I can do that.

Henrik Fransas
Henrik Fransas May 28, 2015 03:52 PM

Thanks Erik, I can confirm that delete now works.

Regarding phone update. I do it all the time :-)

valdis May 28, 2015 09:43 PM

Henrik: power from Nordic!! Welcome to no-compiler-at-hand-forum-answer-club ! :D

Jun 9, 2015 07:18 PM

Would SMS verification (using a service such as Twilio) of the phone number of the account owner help combat spam?

Jun 15, 2015 10:54 AM


Yes, probably - any hurdle you need to overcome to be able to post will reduce spam. I think using mobile verification is several steps too far for our needs, though.
