Strange Issue With Illegal Value In Discussions Field Allowed Spam Through

I recently noticed a very large number of malware spam comments on our CS Cart based website.

These consisted of real comments stolen from another site, with a failed attempt to link to a malware site appended to the end. The malware links didn't work- the discussion addon doesn't render BBCode- but we still had masses of auto-generated spam comments I had to remove.

This was strange as I was sure I'd set the discussion addon to require approval of *everyone's* comments. Sure enough, when I checked, that's what it showed. Yet, when I entered a nonsense review of my own, it was immediately shown without approval (and automatically marked as "approved" in the database).

I eventually worked out that product review moderation settings are held in the table "cscart_settings_objects", in the row "product_post_approval". Testing showed that the three moderation settings available via the GUI correspond to these database entries:-

- "any" (require moderation for any customer)

- "anonymous" (require moderation for anonymous users)

- "disabled" (disable moderation, i.e. allow comments through automatically)

After I'd fixed the issue- by toggling the settings- that entry read "any" and the reviews behaved exactly as intended (i.e. new reviews weren't "approved" until I'd checked them). Bingo!

However, when I checked a backup made yesterday (before the problem was fixed), it had that value set to "third". That doesn't correspond to any of the legitimate values listed above, and isn't mentioned in the discussion addon's "addon.xml" file.

IMHO, the most likely explanation for CS Cart's inconsistent behaviour is that different parts of the program were responding to an illegal (and unexpected) setting value in different ways.
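To illustrate the point about inconsistent handling of an unexpected setting value, here is an added example (not CS Cart's code, and not from the original post) showing the fail-closed pattern a defender would want: a single normalisation step that treats any unrecognised `product_post_approval` value as "any" (require moderation for everyone), plus an audit function over a constructed dump of `cscart_settings_objects` rows that flags illegal values such as "third". The column names `name` and `value`, the helper function names, and the sample rows are assumptions for illustration only.

```python
"""Fail-closed handling of the product_post_approval moderation setting.

Added example, not CS Cart code. The table and setting names
(cscart_settings_objects, product_post_approval) are those named in the post;
the column names 'name'/'value' and the helpers are assumptions.
"""
from typing import Dict, Iterable, List

# The three values the post found to be legitimate for product_post_approval.
VALID_SETTINGS = {"any", "anonymous", "disabled"}

# Fallback for a stored value we do not recognise. Failing closed means an
# illegal value holds reviews for moderation instead of letting them through.
FAIL_CLOSED_DEFAULT = "any"


def normalize_setting(raw) -> str:
    """Map a raw database value onto a known setting, falling back to 'any'."""
    if isinstance(raw, str):
        value = raw.strip().lower()
        if value in VALID_SETTINGS:
            return value
    return FAIL_CLOSED_DEFAULT


def requires_approval(raw_setting, is_anonymous: bool) -> bool:
    """Decide whether a new review must be held for approval.

    Every caller goes through normalize_setting(), so there is exactly one
    interpretation of the stored value rather than each code path guessing.
    """
    setting = normalize_setting(raw_setting)
    if setting == "any":
        return True
    if setting == "anonymous":
        return is_anonymous
    return False  # 'disabled': moderation off, reviews auto-approved


def audit_settings(rows: Iterable[Dict[str, str]]) -> List[str]:
    """Return findings for product_post_approval rows with an illegal value.

    `rows` mimics a dump of cscart_settings_objects as dicts with assumed
    'name' and 'value' keys.
    """
    findings = []
    for row in rows:
        if row.get("name") != "product_post_approval":
            continue
        if row.get("value") not in VALID_SETTINGS:
            findings.append(
                f"product_post_approval has illegal value {row.get('value')!r}; "
                f"expected one of {sorted(VALID_SETTINGS)}"
            )
    return findings


# Constructed sample rows: one carrying the illegal 'third' value from the
# backup described in the post, one unrelated setting that should be ignored.
SAMPLE_ROWS = [
    {"name": "product_post_approval", "value": "third"},
    {"name": "some_other_setting", "value": "Y"},
]

if __name__ == "__main__":
    for finding in audit_settings(SAMPLE_ROWS):
        print(finding)
    # With fail-closed handling, 'third' requires approval even for logged-in users.
    print(requires_approval("third", is_anonymous=False))
```

Run against a real settings dump, the audit loop is the check to add to a post-restore or post-upgrade routine: a value outside the documented set is worth investigating before reviews go live, since the post shows the GUI may display one thing while the storefront does another.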

Problem solved? Not quite- where did "third" come from in the first place?! Was it a legitimate status in earlier versions of CS Cart?

I don't think this was caused by the comment spammers. SQL backups show that the "third" entry was in place when our 4.x site launched in early 2015, and the comment spam didn't start until November. So I think the spammer was a failed opportunist, but no more.

Any thoughts?

- Smich