Bug #198

open

Issue in our 'contact us forms' allowing garbage data submission.

Added by George Howington about 2 years ago. Updated about 2 years ago.

Status:
Merge with Production
Priority:
High
Start date:
04/10/2023
Due date:
04/14/2023 (over 2 years late)
% Done:

80%

Estimated time:

Description

Hi Vaibhav,

We have an issue with our 'contact us forms' allowing garbage data submission. This needs to be corrected.

Script to be modified: <repo>/htdocs/do/form_mail.mhtml

Sample live forms using this script:
https://www.mexpro.com/mexico/contact-mexican-insurance-online.html
https://sb.iigins.com/contact/?aff_id=2049

Items to be confirmed as valid in "<repo>/htdocs/do/form_mail.mhtml" include:
(1) 'To' email address
(2) 'from' email address
(3) data submitted in the 'reason for submission' will need to filter out attempts to SQL inject, such as 'select' and 'insert' statements.

Example submissions that should be blocked from submission:

(1) The submission originated from:

The form had several arguments that were not in my recognized list, they are:
    aff_id    2149
    name    Name

This form was submitted by Email on 2023-04-01T01:55:58 and included the following body:

<<----------------------------------------------------------------------------------->>

<<----------------------------------------------------------------------------------->>
Checksum:  156550dff3a54cbda9f65c47307c4570|74e6f7298a9c2d168935f58c001bad88

(2) Invalid 'to' or 'from' email addresses:

Please let me know if you have any questions and thank you,
--George
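An added example, not part of this ticket or of the project's form_mail.mhtml: the three checks the ticket asks for, written in Python rather than the Mason script's Perl so it runs stand-alone. The allowed recipient list, the recognised field names and the sample submissions are constructed assumptions. It flags 'select'/'insert'-style bodies as requested, and also stores the body with bound query parameters, which is what actually prevents such text from being executed as SQL; the recipient allow-list and the CR/LF check on addresses keep the script from being used as a relay or for mail header injection.

```python
import re
import sqlite3

# Constructed assumptions, not from the ticket: the recipients this form may
# mail, and the form fields the script recognises (aff_id is deliberately
# absent, mirroring the "not in my recognized list" sample in the ticket).
ALLOWED_RECIPIENTS = {"sales@example.com", "support@example.com"}
KNOWN_FIELDS = {"to", "from", "name", "reason"}

# Deliberately conservative address syntax: one local part, a dotted domain,
# no whitespace or control characters. Stricter than RFC 5322 on purpose.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# Heuristic the ticket asks for: bodies that look like SQL statements.
# This is a spam/probe signal only; see storage_roundtrip() for the real defence.
SQL_PROBE_RE = re.compile(
    r"\b(select\s.+\sfrom|insert\s+into|union\s+select|drop\s+table|"
    r"delete\s+from|update\s.+\sset)\b",
    re.IGNORECASE | re.DOTALL,
)


def valid_address(addr):
    """Reject empty, malformed, or header-injecting (CR/LF) addresses."""
    if not isinstance(addr, str) or "\r" in addr or "\n" in addr:
        return False
    return bool(EMAIL_RE.fullmatch(addr.strip()))


def validate_submission(fields):
    """Return the list of reasons to reject a submission; empty means accept."""
    problems = []
    unknown = sorted(set(fields) - KNOWN_FIELDS)
    if unknown:
        problems.append("unrecognized fields: " + ", ".join(unknown))
    to = fields.get("to", "")
    if not valid_address(to):
        problems.append("invalid 'to' address")
    elif to.strip().lower() not in ALLOWED_RECIPIENTS:
        # Syntactically fine but not ours: the classic open-relay abuse.
        problems.append("'to' address is not an allowed recipient")
    if not valid_address(fields.get("from", "")):
        problems.append("invalid 'from' address")
    reason = fields.get("reason", "")
    if not reason.strip():
        problems.append("empty 'reason for submission'")
    elif SQL_PROBE_RE.search(reason):
        problems.append("'reason for submission' looks like an SQL probe")
    return problems


def storage_roundtrip(reason):
    """Store a body with bound parameters and read it back.

    Returns (stored_text, table_names): the text comes back byte-for-byte and
    the table survives, because a bound parameter is never parsed as SQL.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contact (to_addr TEXT, from_addr TEXT, reason TEXT)")
    conn.execute(
        "INSERT INTO contact (to_addr, from_addr, reason) VALUES (?, ?, ?)",
        ("sales@example.com", "jane@example.net", reason),
    )
    stored = conn.execute("SELECT reason FROM contact").fetchone()[0]
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    conn.close()
    return stored, tables


if __name__ == "__main__":
    # Constructed sample: the empty submission from the ticket.
    print(validate_submission({"aff_id": "2149", "name": "Name"}))
    print(validate_submission({"to": "attacker@evil.example",
                               "from": "jane@example.net", "reason": "hi"}))
    print(storage_roundtrip("x'); DROP TABLE contact; --"))
```

Run it directly to see the rejection reasons for the ticket's empty submission, a relay attempt, and an injected body stored harmlessly; in the Mason script the same checks belong before the mail is sent, with the body written through a placeholder query rather than string concatenation.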


Files

clipboard-202304101021-aaxla.png (24.1 KB) clipboard-202304101021-aaxla.png George Howington, 04/10/2023 05:26 PM