An OWASP scan has revealed that Chronoforms v5 is vulnerable to SQL injections. I work for a financial institution, so I need to resolve these vulnerabilities or I have to scrap Chronoforms completely!
url: /component/com_chronoforms5/?chronoform=business-contact-form&event=submit
info: The page results were successfully manipulated using the boolean conditions [ZAP' AND '1'='1' -- ] and [ZAP' OR '1'='1' -- ]
The parameter value being modified was stripped from the HTML output for the purposes of the comparison
Data was NOT returned for the original parameter.
The vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter
Any insight is appreciated. Thanks
Thanks for the response Bob,
However, the post "How can I sanitize my form data" is way over my head. It suggests doing custom server validation with PHP code?
Why does the built-in "Server Validation" not work? I drag that into "on submit," give the "on fail" an "event loop," but my scan still shows the SQL injection vulnerabilities.
Hi jfascia,
You don't say what server-side validation you have set up, so that makes it hard to answer.
Depending on what data your form is submitting, the server-side validation may be enough.
Bob
Hi Bob,
I'm confused. Server-side validation is what I'm trying to set up. I followed the instructions in this post, but I still show vulnerabilities: http://www.chronoengine.com/faqs/54-cfv4/cfv4-validation/2678-how-can-i-add-auto-serverside-validation.html
My forms are not submitting any complicated data. This is just a simple contact form.
Jake
Hi jfascia,
And what validations are you using?
Bob
Bob,
The validation I'm using is built into chronoforms.
All fields are required and the "email" field must be a valid email address.
Is that what you're asking?
Jake
Am I to understand that there is no working server-side validation built into Chronoforms? Any server-side validation will be done with custom PHP?
Hi jfascia,
Yes, that was my question - but making them required just means that there will be something in the input result. It does **nothing** to sanitise the data.
Bob
Hi there,
I have an idea:
1. In your chronoform, in the "on_submit" area, add a "custom code" element before the "DB Save" element, in which you can pre-process your data like:
$form->data["name"] = htmlspecialchars($form->data["name"], ENT_QUOTES, 'UTF-8');
$form->data["email"] = htmlspecialchars($form->data["email"], ENT_QUOTES, 'UTF-8');
etc.
2. In your chronoform, in the "on_load" area, add a "custom code" element after the "DB Read" element, but before the "HTML (render form)" element, in which you can pre-process your data like:
$form->data["name"] = htmlspecialchars_decode($form->data["name"], ENT_QUOTES);
$form->data["email"] = htmlspecialchars_decode($form->data["email"], ENT_QUOTES);
A good reference material against XSS and additional info here:
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
http://php.net/manual/en/function.htmlspecialchars.php
http://php.net/manual/en/function.htmlspecialchars-decode.php
Cheers!
Hi Jamesbond07,
That's more or less what the FAQ suggests - though it uses the PHP Sanitizing filters instead.
Bob
Hi jb,
In the FAQ the function is there and is called function xss_clean( $data ) {
You do have to read into some quite technical detail to find it though.
Bob
Hello,
How can I prevent someone typing, e.g., "drop table x" into any field? Is the provided method guarding against that? I guess not.
How can I make my forms secure against sql injection?
thanks,
Gery
I have seen that article already, but I was not able to make it work on my end. Do I have to add that advanced filtering code to a custom code element before submit? How does this protect against SQL injection? I was able to put strange things into input fields and they were all saved to the DB.
Hi Guillome,
It would need to be at the beginning of the On Submit event after any Captcha or other validation checks.
If your test code was **safely** saved in the database and didn't drop any tables on the way then it may have been working.
Only you as the form owner can decide what level of sanitisation is appropriate for your site and form content.
Bob
I would like to prevent any kind of SQL injections. Is that the code that is in the FAQ?
How do I know that the code is working? Should it transform data before saving it to the DB?
Hi GreyHead,
Thanks for the article, it helps a lot. So this means that if I want to use PHP PDO, I should avoid using your DB Save action and do custom code saving the data instead?
thanks
Hi Guilloume,
I believe so, yes.
Bob
Hello,
Prepared statements also work fine without DB Save; I have just tested it and it is OK. So this means that forms are protected against SQL injections now? What about the other sanitization you sent me? Should I also introduce that as well? My problem was that it was not working, or I was not able to effectively test it. Can you help me with how to test it?
thanks
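To answer the last question in the thread (how to test whether a custom-code save is actually protected), here is an added example that is not ChronoForms or Joomla code and was not posted by anyone above. It replays the two boolean payloads ZAP reported against a throwaway in-memory SQLite database, once through string concatenation and once through a PDO prepared statement, and then saves a payload with a prepared INSERT and reads it back. The table name `contacts`, its columns and the sample rows are constructed for the example; inside a real ChronoForms Custom Code action the PDO connection would point at the Joomla database rather than SQLite.

```php
<?php
// Added example for this thread, not ChronoForms or Joomla code.
// Replays the scanner's boolean payloads against a throwaway SQLite
// database to compare string concatenation with a PDO prepared statement.
// Assumes the pdo_sqlite extension is loaded (check: php -m | grep pdo_sqlite).

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed stand-in for the table a ChronoForms "DB Save" would write to.
$pdo->exec('CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$pdo->exec("INSERT INTO contacts (name, email) VALUES
            ('Alice', 'alice@example.com'), ('Carol', 'carol@example.com')");

// The two payloads ZAP reported, copied from the scan output.
$payloads = ["ZAP' AND '1'='1' -- ", "ZAP' OR '1'='1' -- "];

// VULNERABLE: the submitted value becomes part of the SQL text, so the
// quote closes the string and the rest is parsed as SQL.
function countByNameConcatenated(PDO $pdo, string $name): int
{
    $sql = "SELECT COUNT(*) FROM contacts WHERE name = '" . $name . "'";
    return (int) $pdo->query($sql)->fetchColumn();
}

// FIXED: the value is bound as a parameter and is only ever compared as data.
function countByNamePrepared(PDO $pdo, string $name): int
{
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM contacts WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return (int) $stmt->fetchColumn();
}

// Same idea for saving: a prepared INSERT stores whatever was typed, verbatim.
function saveContact(PDO $pdo, string $name, string $email): int
{
    $stmt = $pdo->prepare('INSERT INTO contacts (name, email) VALUES (:name, :email)');
    $stmt->execute([':name' => $name, ':email' => $email]);
    return (int) $pdo->lastInsertId();
}

// ZAP's own check in miniature: a payload that returns more rows than the
// harmless original value "ZAP" means the input reached the SQL parser.
function looksInjectable(callable $count, PDO $pdo, string $payload): bool
{
    return $count($pdo, $payload) > $count($pdo, 'ZAP');
}

foreach ($payloads as $p) {
    printf("%-24s concatenated=%d (injectable: %s)  prepared=%d (injectable: %s)\n",
        var_export($p, true),
        countByNameConcatenated($pdo, $p),
        looksInjectable('countByNameConcatenated', $pdo, $p) ? 'yes' : 'no',
        countByNamePrepared($pdo, $p),
        looksInjectable('countByNamePrepared', $pdo, $p) ? 'yes' : 'no');
}

// Save the OR payload through the prepared INSERT: nothing is dropped or
// altered, the new row simply contains that string, and the other rows survive.
$id   = saveContact($pdo, $payloads[1], 'tester@example.com');
$stmt = $pdo->prepare('SELECT name FROM contacts WHERE id = :id');
$stmt->execute([':id' => $id]);
$row  = $stmt->fetch(PDO::FETCH_ASSOC);
echo "stored verbatim: ", var_export($row['name'] === $payloads[1], true), "\n";
echo "rows now: ", $pdo->query('SELECT COUNT(*) FROM contacts')->fetchColumn(), "\n";
```

Run it with `php` from the command line. The concatenated lookup returns every row for the OR payload and none for the AND payload, which is exactly the difference ZAP used to flag the form; the prepared lookup returns zero rows for both. The prepared INSERT does not transform the data before saving it, it stores the payload string as typed, so a scan of the saved rows will still show "strange things" in the database; that is expected and harmless for the SQL layer. Because the data is stored raw, anything that later prints those values into a page still needs HTML escaping on output, which is the separate XSS concern the htmlspecialchars advice earlier in the thread addresses.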