
Chronoforms5 Vulnerable to SQL injections

jfascia 02 Mar, 2015
An OWASP scan has revealed that Chronoforms v5 is vulnerable to SQL injections. I work for a financial institution so I need to resolve these vulnerabilities or I have to scrap Chronoforms completely!

url: /component/com_chronoforms5/?chronoform=business-contact-form&event=submit
info: The page results were successfully manipulated using the boolean conditions [ZAP' AND '1'='1' -- ] and [ZAP' OR '1'='1' -- ]
The parameter value being modified was stripped from the HTML output for the purposes of the comparison
Data was NOT returned for the original parameter.
The vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter

Any insight is appreciated. Thanks
jfascia 05 Mar, 2015
Thanks for the response Bob,

However, the post "how can i sanitize my form data" is way over my head. It suggests doing custom server validation with php code?

Why does the built-in "Server Validation" not work? I drag that into "on submit," give the "on fail" an "event loop," but my scan still shows the SQL injection vulnerabilities.
GreyHead 06 Mar, 2015
Hi jfascia,

You don't say what server-side validation you have set up so that makes it hard to answer.

Depending on what data your form is submitting the server-side validation may be enough.

Bob
jfascia 06 Mar, 2015
Hi Bob,

I'm confused. Server-side validation is what I'm trying to set up. I followed the instructions in this post but I still show vulnerabilities http://www.chronoengine.com/faqs/54-cfv4/cfv4-validation/2678-how-can-i-add-auto-serverside-validation.html

My forms are not submitting any complicated data. This is just a simple contact form.

Jake
GreyHead 06 Mar, 2015
Hi jfascia,

And what validations are you using?

Bob
jfascia 06 Mar, 2015
Bob,

The validation I'm using is built into chronoforms.

All fields are required and the "email" field must be a valid email address.

Is that what you're asking?

Jake
jfascia 09 Mar, 2015
Am I to understand that there is no working server side validation built into chronoforms? Any server side validation will be done with custom php?
GreyHead 09 Mar, 2015
Hi jfascia,

Yes, that was my question - but making them required just means that there will be something in the input result. It does **nothing** to sanitise the data.

Bob
Jamesbond07 09 Mar, 2015
Answer
1 Likes
Hi there,

I have an idea:
1. In your chronoform, in the "on_submit" area, add a "custom code" element before the "DB Save" element, in which you can pre-process your data like:
$form->data["name"] = htmlspecialchars($form->data["name"], ENT_QUOTES, 'UTF-8');
$form->data["email"] = htmlspecialchars($form->data["email"], ENT_QUOTES, 'UTF-8');
etc.

2. In your chronoform, in the "on_load" area, add a "custom code" element after the "DB Read" element, but before the "HTML (render form)" element, in which you can pre-process your data like:

$form->data["name"] = htmlspecialchars_decode($form->data["name"], ENT_QUOTES);
$form->data["email"] = htmlspecialchars_decode($form->data["email"], ENT_QUOTES);

A good reference material against XSS and additional info here:
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
http://php.net/manual/en/function.htmlspecialchars.php
http://php.net/manual/en/function.htmlspecialchars-decode.php

Cheers!
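The encode-on-submit / decode-on-load pair from the post above, written out as a stand-alone PHP script. This is an added example, not code from the post, from Chronoforms or from the FAQ: `$form` is a constructed stand-in for the object Chronoforms passes into a Custom Code element, and the field values are constructed test input.

```php
<?php
// Added example, not Chronoforms' own code: the two Custom Code snippets from
// the post above, run outside Chronoforms so the round trip can be observed.
// $form is a constructed stand-in for the object Chronoforms hands to a
// Custom Code element; the field values are constructed test input.

$form = new stdClass();
$form->data = [
    'name'  => "O'Brien <b>&</b>",
    'email' => 'jake@example.com',
];

// On Submit, before the DB Save element: encode every string field so that
// whatever is saved cannot later be rendered as HTML markup.
function encode_for_storage(array $data): array
{
    foreach ($data as $key => $value) {
        if (is_string($value)) {
            $data[$key] = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
        }
    }
    return $data;
}

// On Load, after DB Read and before HTML (render form): undo the encoding so
// the edit form shows the text the user originally typed.
function decode_for_editing(array $data): array
{
    foreach ($data as $key => $value) {
        if (is_string($value)) {
            $data[$key] = htmlspecialchars_decode($value, ENT_QUOTES);
        }
    }
    return $data;
}

$submitted  = $form->data;
$form->data = encode_for_storage($form->data);
echo "stored as  : {$form->data['name']}\n";

$form->data = decode_for_editing($form->data);
echo "reloaded   : {$form->data['name']}\n";

// Round-trip check: every field must come back exactly as submitted,
// otherwise each edit-and-save cycle would alter the stored record.
echo 'round trip : ', ($form->data === $submitted ? 'ok' : 'MISMATCH'), "\n";
```

Run it with `php` from the command line. Note what this does and does not do: htmlspecialchars() turns the characters HTML cares about into entities, so a stored value cannot be rendered as markup later (the output-encoding rule from the XSS cheat sheet linked above). It does not change how the database parses the INSERT that DB Save issues, so on its own it is not the SQL-injection fix the scanner is asking for.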
GreyHead 09 Mar, 2015
Hi Jamesbond07,

That's more or less what the FAQ suggests - though it uses the PHP Sanitizing filters instead.

Bob
Jamesbond07 09 Mar, 2015
Hi Bob,

I agree that the FAQ has extended information about the sanitization of the input data, but I think that jfascia is searching for a method of implementing this in his form (sanitize data on_submit, before saving to the database and rebuilding the data (decode into readable format) in the on_load, after loading information from the database and before publishing it back in the webpage (provided that he uses the form also to later edit information already sanitized and saved in the database) ). Also, with respect to the already very useful information it provides, I think the FAQ is missing a method like:
function print_xss_cleaned_data( $data ) {//decode sanitized data into user readable format ...}


Thanks,
JB
GreyHead 10 Mar, 2015
Hi jb,

In the FAQ the function is there and is called function xss_clean( $data ) {

You do have to read into some quite technical detail to find it though.

Bob
guillome 26 May, 2015
Hello,

how can I prevent typing, e.g., "drop table x" into any field? Is the provided method guarding against that? I guess not.
How can I make my forms secure against sql injection?

thanks,
Gery
guillome 26 May, 2015
I have seen that article already, but I was not able to make it work on my end. Do I have to add that advanced filtering code to a custom code before submit? How does this protect against SQL injection? I was able to put strange things into input fields and they all were saved to the DB.
GreyHead 26 May, 2015
Hi Guillome,

It would need to be at the beginning of the On Submit event after any Captcha or other validation checks.

If your test code was **safely** saved in the database and didn't drop any tables on the way then it may have been working.

Only you as the form owner can decide what level of sanitisation is appropriate for your site and form content.

Bob
guillome 26 May, 2015
I would like to prevent any kind of SQL injections. Is that the code that is in the FAQ?
How do I know that the code is working? Should it transform data before saving it to the DB?
guillome 27 May, 2015
Hi GreyHead,

thanks for the article, helps a lot. So this means that if I want to use PHP PDO I should avoid using your DB Save action and do custom code saving the data instead?

thanks
GreyHead 27 May, 2015
Hi Guillome,

I believe so, yes.

Bob
guillome 27 May, 2015
Hello,

prepared statements work also fine without DB Save, I have just tested it and it is OK. So this means that forms are protected against SQL injections now? What about the other sanitization you sent me? Should I also introduce that as well? My problem was that it was not working or I was not able to effectively test it. Can you help me how to test it?

thanks
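A Custom Code element that replaces the DB Save action with a PDO prepared statement, as the last few posts describe, together with the check guillome asks for (how to tell that it worked). This is an added example, not code from Chronoforms or from the FAQ. It uses an in-memory SQLite database so it runs stand-alone; the table and column names are constructed, and inside Joomla the DSN, user and password of the site's MySQL database would replace the SQLite line (assumed). The test values are the strings already quoted in this thread.

```php
<?php
// Added example, not Chronoforms' or the FAQ's code: a Custom Code element that
// replaces the DB Save action with a PDO prepared statement, plus a self-check.
// An in-memory SQLite database is used so the script runs stand-alone; inside
// Joomla the DSN, user and password of the site's MySQL database would go here
// instead (assumed).

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With the MySQL driver also set PDO::ATTR_EMULATE_PREPARES to false so the
// statement is prepared by the server rather than assembled in PHP.

// Table and column names are constructed for this example.
$pdo->exec('CREATE TABLE business_contact (
    id      INTEGER PRIMARY KEY,
    name    TEXT NOT NULL,
    email   TEXT NOT NULL,
    message TEXT NOT NULL
)');

// Constructed stand-in for $form->data, using the test strings from the thread.
$formData = [
    'name'    => 'drop table x',
    'email'   => 'jake@example.com',
    'message' => "ZAP' OR '1'='1' -- ",
];

// Replacement for DB Save: the SQL text is fixed, and each value is handed to
// the driver as a bound parameter, so nothing the user typed is parsed as SQL.
function save_contact(PDO $pdo, array $data): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO business_contact (name, email, message)
         VALUES (:name, :email, :message)'
    );
    $stmt->execute([
        ':name'    => $data['name'],
        ':email'   => $data['email'],
        ':message' => $data['message'],
    ]);
    return (int) $pdo->lastInsertId();
}

// Reads one row back by id; used by the self-check below.
function load_contact(PDO $pdo, int $id): array
{
    $stmt = $pdo->prepare('SELECT name, email, message FROM business_contact WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: [];
}

$id  = save_contact($pdo, $formData);
$row = load_contact($pdo, $id);

// Self-check: each value must be stored byte-for-byte as typed (the quote and
// the comment marker are data, not SQL), and the table must still exist.
foreach ($formData as $field => $value) {
    printf("%-7s stored unchanged: %s\n", $field, $row[$field] === $value ? 'yes' : 'NO');
}
$tables = $pdo->query("SELECT name FROM sqlite_master WHERE type = 'table'")
              ->fetchAll(PDO::FETCH_COLUMN);
printf("tables present: %s\n", implode(', ', $tables));
```

This is how to test it: submit the same strings the scanner or you typed, read the row back, and confirm that every value comes back identical and that the table list is unchanged. A prepared statement keeps the quote and the `--` inside the data, which is exactly the behaviour the boolean-condition probe from the OWASP report cannot distinguish from normal input. The htmlspecialchars() step from Jamesbond07's post can still be applied to `$formData` before calling save_contact(); it addresses how the stored text is later rendered, not how the INSERT is parsed.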