
PHP Code Injection

slocke, July 09 2012
slocke
We have a form that is failing a McAfee PCI scan, which says that the form is susceptible to PHP Code Injection. They recommend validating the form or, failing that, sanitizing it.

We have tried to do this several times on our own, but have failed. Would appreciate some professional help on this one and we are more than willing to pay for it.
GreyHead
Hi slocke,

What exactly do you need to validate/sanitize? It should be pretty straightforward to add the code you need in the Custom Serverside Validation action. Possibly the Auto Serverside Validation action will do it for you?

Bob
ChronoForms technical support
If you'd like to buy me a coffee or two, thank you very much
slocke
The form is here:

https://www.dsinet.com/services-offered/gateway-services

This is the information we get from McAfee when it fails PCI:

GET /index.php?option=com_content&view=article&id=3:"'><?php%20print(1234567890*27);?>-merchant-account-services-offered-to-our-customers&catid=2:uncategorised&Itemid=109 HTTP/1.1
Referer : https://www.dsinet.com/index.php?option=com_content&view=article&id=3&Itemid=109
Cookie : 8c64b66c0d364bbaa588fefc8c4defc8=23c262832650131d9d0d36767295a51b
Cookie : 4531f7e2f27ddd5cd1e0cf7aa35563fd=a231e2a982076780d0166c670f4a7d54
GreyHead
Hi slocke,

Please try setting Relative URL to 'No' on the form General tab. I think that will fix this particular problem.

Bob

PS If my memory is correct - and it may not be - this comes from a change in the Joomla! code from 1.6 to 2.5 where they removed URL sanitisation :-(

PPS It is that Joomla! change. If you need to keep the Relative URL then you could try my Show HTML [GH] action which includes the sanitisation code for the page URL.
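Added example (editor's illustration, not ChronoForms, Joomla! or Bob's code) of why the probe quoted above trips the scan and what "sanitising the page URL" amounts to. It assumes, as a labelled assumption, that a form with Relative URL switched on echoes the current request URI into its action attribute; the function names and the parameter rules are illustrative. The probe string is the one from the scan report, copied into the script so it runs offline.

```php
<?php
// Added example for this thread; it is not ChronoForms or Joomla! code.
// Assumption: a form whose "Relative URL" option is on echoes the current
// request URI into its action attribute. The probe below is the one the
// McAfee scan sent, copied from the thread into a string so this runs offline.
$probeUri = '/index.php?option=com_content&view=article'
    . '&id=3:"\'><?php print(1234567890*27);?>-merchant-account-services-offered-to-our-customers'
    . '&catid=2:uncategorised&Itemid=109';

// Vulnerable pattern: raw URI straight into an HTML attribute. The scanner gets
// its "'> (closes the attribute) and <?php ... ?> tag back verbatim, so it
// reports the page as injectable.
function renderFormVulnerable(string $requestUri): string
{
    return '<form method="post" action="' . $requestUri . '">';
}

// One way to sanitise a page URL: rebuild it from parsed parts, keeping only
// known parameters, coerced to the shape Joomla! expects (integers for id,
// catid and Itemid; plain identifiers for option and view).
function sanitiseUri(string $requestUri): string
{
    $parts = parse_url($requestUri);
    if ($parts === false) {
        return '/';
    }
    $path = $parts['path'] ?? '/';
    // Only a plain relative path survives; anything odd collapses to the root.
    if (!preg_match('#\A/[A-Za-z0-9_./-]*\z#', $path)) {
        $path = '/';
    }

    $raw = [];
    if (isset($parts['query'])) {
        parse_str($parts['query'], $raw);
    }

    $query = [];
    foreach (['option', 'view'] as $name) {
        if (isset($raw[$name]) && is_string($raw[$name])
            && preg_match('/\A[A-Za-z0-9_]+\z/', $raw[$name])) {
            $query[$name] = $raw[$name];
        }
    }
    foreach (['id', 'catid', 'Itemid'] as $name) {
        if (isset($raw[$name]) && is_string($raw[$name])) {
            // "3:slug" becomes 3; the probe's payload is discarded with the slug.
            $query[$name] = (int) $raw[$name];
        }
    }

    return $path . ($query ? '?' . http_build_query($query) : '');
}

// Hardened pattern: sanitise first, then HTML-encode for the attribute context.
function renderFormHardened(string $requestUri): string
{
    $action = htmlspecialchars(sanitiseUri($requestUri), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $action . '">';
}

// The check the scanner is effectively making: does the response still carry
// the injected PHP tag, or the product 1234567890*27 = 33333333030, which would
// mean the tag was executed on the server rather than merely echoed back?
function probeReflected(string $html): bool
{
    return strpos($html, '<?php') !== false
        || strpos($html, '33333333030') !== false;
}

foreach (['vulnerable' => renderFormVulnerable($probeUri),
          'hardened'   => renderFormHardened($probeUri)] as $label => $html) {
    printf("%-10s reflected=%s  %s\n", $label, probeReflected($html) ? 'yes' : 'no', $html);
}
```

The two outcomes of probeReflected are worth telling apart when you read the scan report. The tag coming back verbatim means the URL is being written into the page unescaped, which is what switching Relative URL to No (or sanitising the page URL) removes. The number 33333333030 appearing would mean the injected code was actually run, a far more serious finding that no change to the form setting addresses. Whitelisting parameters and casting the Joomla! ids to integers, as above, is stricter than plain encoding, but htmlspecialchars with ENT_QUOTES is still the essential last step whenever the value lands inside an attribute.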
slocke
Thank you for your help. We'll give that a try.