Bug #198 (open, 80% done)
Issue in our 'contact us forms' allowing garbage data submission.
Description
Hi Vaibhav,
We have an issue with our 'contact us forms' allowing garbage data submission. This needs to be corrected.
Script to be modified: <repo>/htdocs/do/form_mail.mhtml
Sample live forms using this script:
https://www.mexpro.com/mexico/contact-mexican-insurance-online.html
https://sb.iigins.com/contact/?aff_id=2049
Items to be confirmed as valid in "<repo>/htdocs/do/form_mail.mhtml" include:
(1) 'To' email address
(2) 'from' email address
(3) data submitted in the 'reason for submission' will need to filter out attempts to SQL inject, such as 'select' and 'insert' statements.
Example submissions that should be blocked from submission:
(1) The submission originated from:<br><br>The form had several arguments that were not in my recognized list, they are:<br> aff_id 2149<br> name Name<br><br>This form was submitted by Email on 2023-04-01T01:55:58 and included the following body:<br><br><<----------------------------------------------------------------------------------->><br><br><<----------------------------------------------------------------------------------->><br>Checksum: 156550dff3a54cbda9f65c47307c4570|74e6f7298a9c2d168935f58c001bad88<br><br>
(2) Invalid 'to' or 'from' email addresses:
Please let me know if you have any questions and thank you,
--George
Updated by Vaibhav Kamthe about 2 years ago
- Status changed from New to In Progress
@George,
What should we do when we observe an invalid email address in the input?
Thanks
Updated by George Howington about 2 years ago
Hi Vaibhav. The form interface catches errors, so this needs to be taken at the submission level.
Someone is going directly to the form "<repo>/htdocs/do/form_mail.mhtml" in an attempt to use SQL injection. As a result, "<repo>/htdocs/do/form_mail.mhtml" will need to throw an error, as 'alerts'. For example, on line 17, replace "$email = "Email Address Not Valid <invalid\@mexpro.com>";" with "alert("Email address is invalid");".
Updated by Vaibhav Kamthe about 2 years ago
Required code changes have been raised under MR : https://gitlab.com/nfp-cross-border/polmaker-v3/-/merge_requests/243
Updated by Vaibhav Kamthe about 2 years ago
- Status changed from In Progress to QA
- Assignee changed from Vaibhav Kamthe to George Howington
Updated by George Howington about 2 years ago
- Assignee changed from George Howington to Vaibhav Kamthe
Hi Vaibhav,
The script is not throwing an error before it goes to the db. Please use the following for your pre-tests:
Locally: localhost:3000/contact/?aff_id=ALK
Test server: https://13549425-review-259-issue-3t09ns.staging.mexicoinsuranceonline.com/contact/?aff_id=ALK
You will need to override the form's precursory tests.
I also spoke with Greg this morning. He would like the regex to compare data, as he doesn't like the bad data to touch our DB in any manner.
Let me know if you have any questions and thank you,
--George
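The checks asked for in the description (valid 'to' and 'from' addresses, SQL fragments filtered out of the message) and in the comments above (reject at the submission level, with a regex, before anything reaches the DB) can be expressed as one server-side validator. The following is an added example in plain Python, not the project's form_mail.mhtml and not the code in the merge request; the field names 'to', 'from' and 'message', the recipient allowlist, the length limit and the sample submissions are all assumptions constructed for the illustration.

```python
import re

# Syntactic check for a user@domain.tld shape (not a full RFC 5322 parser).
EMAIL_RE = re.compile(
    r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$"
)

# SQL statement fragments the ticket asks to filter ('select ... from',
# 'insert into' and similar). DOTALL lets 'select ... from' span newlines.
SQL_RE = re.compile(
    r"\b(?:select\b.*?\bfrom\b|insert\s+into\b|update\b.*?\bset\b"
    r"|delete\s+from\b|drop\s+table\b|union\s+(?:all\s+)?select\b)",
    re.IGNORECASE | re.DOTALL,
)

# Markers seen in the garbage submission quoted in the ticket: HTML tags
# pasted into a plain-text field and a "Checksum: <md5>|<md5>" trailer.
HTML_TAG_RE = re.compile(r"<\s*/?\s*[a-z][a-z0-9]*\b[^>]*>", re.IGNORECASE)
CHECKSUM_RE = re.compile(r"\bchecksum\s*:\s*[0-9a-f]{32}", re.IGNORECASE)

# Assumed: the recipient must be one of the form's own configured mailboxes,
# never an arbitrary address supplied by the request (constructed sample values).
ALLOWED_RECIPIENTS = {"sales@example.com", "support@example.com"}

MAX_MESSAGE_LEN = 4000  # assumed limit; a legitimate enquiry is far shorter


def validate_submission(form):
    """Return a list of rejection reasons; an empty list means the submission is clean.

    `form` is a dict with the assumed keys 'to', 'from' and 'message'.
    """
    reasons = []
    to_addr = (form.get("to") or "").strip()
    from_addr = (form.get("from") or "").strip()
    message = form.get("message") or ""

    if not EMAIL_RE.match(to_addr):
        reasons.append("to: not a valid email address")
    elif to_addr.lower() not in ALLOWED_RECIPIENTS:
        reasons.append("to: recipient is not on the allowlist")

    if not EMAIL_RE.match(from_addr):
        reasons.append("from: not a valid email address")

    if not message.strip():
        reasons.append("message: empty")
    if len(message) > MAX_MESSAGE_LEN:
        reasons.append("message: too long")
    if SQL_RE.search(message):
        reasons.append("message: contains SQL statement fragment")
    if HTML_TAG_RE.search(message):
        reasons.append("message: contains HTML markup")
    if CHECKSUM_RE.search(message):
        reasons.append("message: contains bot checksum trailer")
    return reasons


def is_clean(form):
    """True when the submission may proceed to mail delivery and the DB."""
    return not validate_submission(form)


# Constructed sample submissions: a legitimate enquiry, a body shaped like the
# garbage quoted in the ticket, and a message carrying a SQL fragment.
GOOD = {"to": "sales@example.com", "from": "jane.doe@example.org",
        "message": "I need a quote for a week in Baja; please call me."}
GARBAGE = {"to": "Email Address Not Valid <invalid@mexpro.com>", "from": "nobody",
           "message": "The form had several arguments<br><br>Checksum: "
                      "156550dff3a54cbda9f65c47307c4570|74e6f7298a9c2d168935f58c001bad88<br>"}
INJECT = {"to": "support@example.com", "from": "bot@example.net",
          "message": "hello SELECT * FROM accounts"}

if __name__ == "__main__":
    for name, form in (("good", GOOD), ("garbage", GARBAGE), ("inject", INJECT)):
        print(name, validate_submission(form) or "ok")
```

The validator runs before the mail is built or any row is written, so a rejected submission never touches the DB, which is the behaviour Greg asked for. The keyword regex is a garbage filter for this form; the parameterised query on the DB side remains the actual defence against injection, and the filter is not a substitute for it.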
Updated by Vaibhav Kamthe about 2 years ago
- Assignee changed from Vaibhav Kamthe to George Howington
- % Done changed from 0 to 80
Hi George,
As per the last request, I have added a regex based check for message.
committed under: https://gitlab.com/nfp-cross-border/polmaker-v3/-/merge_requests/243
Thanks!
Updated by George Howington about 2 years ago
- Status changed from QA to 7
This passes QA. Awesome Vaibhav!
Updated by George Howington about 2 years ago
- Status changed from 7 to Merge with Production
Code looks good, not intrusive to other code on the system.
Updated by George Howington about 2 years ago
- Assignee changed from George Howington to Greg Krabbenhoft
Hi Greg. Let me know if you wish me to take live.