Bug #91441

Security problem with form extension form_formframework

Added by Martin Weymayer 6 days ago. Updated 6 days ago.

Status:
New
Priority:
Should have
Assignee:
-
Category:
-
Target version:
-
Start date:
2020-05-19
Due date:
% Done:

0%

TYPO3 Version:
10
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

We have detected that spammers are able to send mails via the form extension form_formframework even with JavaScript and Google reCAPTCHA spam protection, so we think spammers use some security problem in form_formframework. TYPO3 8 - 10 have the same problem.

We found out that spammers somehow find out the correct POST parameters and then send only the POST parameters every 2 minutes, so maybe a timestamp can help a little bit: set a timestamp in a hidden field and validate whether the form is submitted too fast (e.g. 10 seconds) or the timestamp is too old (2 minutes).

Attachment: spam.jpg (902 KB), Martin Weymayer, 2020-05-19 12:43
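The reporter's hidden-timestamp idea, worked through as an added example (not code from the issue or from TYPO3). It goes one step beyond the proposal by binding the timestamp to an HMAC with a server-side secret, since a plain timestamp in a hidden field could be set by the client to any value; the secret, the field format and the two thresholds are assumptions.

```python
from __future__ import annotations
import hashlib
import hmac
import time
from typing import Optional

SECRET = b"constructed-server-secret"  # assumed: per-site secret, never sent to the client
MIN_AGE = 10    # seconds; faster than a human could fill in the form
MAX_AGE = 120   # seconds; the reporter's "too old" limit


def issue_token(now: Optional[float] = None) -> str:
    """Value to render into the hidden field: '<issued-at>.<hmac-sha256>'."""
    issued = str(int(now if now is not None else time.time()))
    mac = hmac.new(SECRET, issued.encode(), hashlib.sha256).hexdigest()
    return f"{issued}.{mac}"


def check_token(token: str, now: Optional[float] = None) -> str:
    """Return 'ok', or the reason the submission should be rejected."""
    now = now if now is not None else time.time()
    try:
        issued_str, mac = token.split(".", 1)
        issued = int(issued_str)
    except ValueError:
        return "malformed"
    expected = hmac.new(SECRET, issued_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return "tampered"       # timestamp was changed client-side
    age = now - issued
    if age < MIN_AGE:
        return "too fast"       # filled in faster than a person could
    if age > MAX_AGE:
        return "too old"        # recorded parameters replayed later, as in the report
    return "ok"


if __name__ == "__main__":
    token = issue_token()
    print(check_token(token))   # "too fast": checked immediately after issuing
```

A token can still be replayed within the 2-minute window, so this only raises the cost of the attack described above; a server-side store of used tokens would close that gap.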

History

#1 Updated by Jarvis H 6 days ago

Hello.

Would it be possible to share your yaml config for testing purposes?

And sorry for having to ask a stupid question (based on having done this myself :-)), but is your captcha field set to required?

#2 Updated by Martin Weymayer 6 days ago

Do you mean kontaktformular.form.yaml?
There is no extra checkbox for setting reCAPTCHA as required. This is also a problem. If you call the form in the frontend, reCAPTCHA is a required field, but spammers can post data and submit the form correctly without reCAPTCHA data.

#3 Updated by Jarvis H 6 days ago

Yes, I mean the kontaktformular.form.yaml config, just make sure to remove any mail addresses or sensitive data :-), then I can try testing it on my local machine.

#4 Updated by Martin Weymayer 6 days ago


renderingOptions:
  submitButtonLabel: absenden
type: Form
identifier: kontaktformular
label: Kontaktformular
prototypeName: standard
finishers:
  -
    options:
      subject: 'aaaaaaaaaaaaa'
      recipientAddress: '{text-4}'
      recipientName: '{text-1} {text-2}'
      senderAddress: xxxxx
      senderName: 'bbbbbbbbbbb '
      replyToAddress: ''
      carbonCopyAddress: ''
      blindCarbonCopyAddress: ''
      format: html
      attachUploads: true
    identifier: EmailToSender
  -
    options:
      subject: 'Anfrage von der Webseite'
      recipientAddress: xxxx
      recipientName: 'bbbbbbbbbbb '
      senderAddress: xxxxx
      senderName: '{text-1} {text-2}'
      replyToAddress: '{text-4}'
      carbonCopyAddress: ''
      blindCarbonCopyAddress: ''
      format: html
      attachUploads: true
      translation:
        language: ''
    identifier: EmailToReceiver
  -
    options:
      pageUid: '132'
      additionalParameters: ''
    identifier: Redirect
renderables:
  -
    renderingOptions:
      previousButtonLabel: 'Previous step'
      nextButtonLabel: 'Neue Seite'
    type: Page
    identifier: page-1
    label: ''
    renderables:
      -
        properties:
          options:
            Frau: Frau
            Herr: Herr
          fluidAdditionalAttributes:
            required: required
        type: SingleSelect
        identifier: singleselect-1
        label: Anrede
        validators:
          -
            identifier: NotEmpty
      -
        defaultValue: ''
        type: Text
        identifier: text-1
        label: Vorname
        properties:
          fluidAdditionalAttributes:
            required: required
          elementDescription: ''
        validators:
          -
            identifier: NotEmpty
      -
        defaultValue: ''
        type: Text
        identifier: text-2
        label: Nachname
        properties:
          fluidAdditionalAttributes:
            required: required
        validators:
          -
            identifier: NotEmpty
      -
        defaultValue: ''
        type: Text
        identifier: text-3
        label: Telefon
      -
        defaultValue: ''
        type: Text
        identifier: text-4
        label: Email
        properties:
          fluidAdditionalAttributes:
            required: required
        validators:
          -
            identifier: NotEmpty
      -
        defaultValue: ''
        type: Text
        identifier: text-5
        label: Straße
      -
        defaultValue: ''
        type: Text
        identifier: text-6
        label: PLZ
        properties:
          fluidAdditionalAttributes:
            required: required
        validators:
          -
            identifier: NotEmpty
      -
        defaultValue: ''
        type: Text
        identifier: text-7
        label: Ort
        properties:
          fluidAdditionalAttributes:
            required: required
        validators:
          -
            identifier: NotEmpty
      -
        defaultValue: ''
        type: Text
        identifier: text-8
        label: Mitgliedsnummer
      -
        defaultValue: ''
        type: Textarea
        identifier: textarea-1
        label: Nachricht
        properties:
          fluidAdditionalAttributes:
            required: required
        validators:
          -
            identifier: NotEmpty
      -
        defaultValue: '55'
        type: Text
        identifier: text-9
        label: Message
        properties:
          fluidAdditionalAttributes:
            required: required
        validators:
          -
            options:
              minimum: '90'
              maximum: '92'
            identifier: NumberRange
          -
            identifier: NotEmpty
      -
        type: Checkbox
        identifier: checkbox-1
        label: DSGVO
        properties:
          elementDescription: ''
          fluidAdditionalAttributes:
            required: required
        validators:
          -
            identifier: NotEmpty
      -
        renderingOptions:
          submitButtonLabel: true
        type: Recaptcha
        identifier: recaptcha-1
        label: Spamschutz
        validators:
          -
            identifier: Recaptcha

#5 Updated by Jarvis H 6 days ago

Great, thanks... which recaptcha extension are you using?

#7 Updated by Martin Weymayer 6 days ago

Here, if you are interested, is the POST data from the spammer:

{"tx_form_formframework":{"kontaktformular":"__state":"TzozOToiVFlQTzNcQ01TXEZvcm1cRG9tYWluXFJ1bnRpbWVcRm9ybVN0YXRlIjoyOntzOjI1OiIAKgBsYXN0RGlzcGxheWVkUGFnZUluZGV4IjtpOjA7czoxMzoiACoAZm9ybVZhbHVlcyI7YTowOnt9fQ==13bcc95d1cfcad63351a841c2d92050914d2f6fd","singleselect-1":"Herr","text-1":"\u79e6\u7c4d\u6b27","text-2":"\u79e6\u7c4d\u6b27","text-3":"","text-4":"","text-5":"","text-6":"10024","text-7":"pakistan","text-8":"","textarea-1":"\u817e\u535a\u4f1a12\u5468\u5e74\u5e86\u5178\uff0c\u8001\u53f0\u5b50\uff0c\u5f00\u6237\u9001100\uff0c\u9996\u5b588\u500d\u6c34 \u7f51\u5740\uff1atengbo89.com","text-9":"91","kr89DRL7Vo6OG":"","checkbox-1":"1","__currentPage":"1"},"__trustedProperties":"a:1:{s:15:\"kontaktformular\";a:14:{s:14:\"singleselect-1\";i:1;s:6:\"text-1\";i:1;s:6:\"text-2\";i:1;s:6:\"text-3\";i:1;s:6:\"text-4\";i:1;s:6:\"text-5\";i:1;s:6:\"text-6\";i:1;s:6:\"text-7\";i:1;s:6:\"text-8\";i:1;s:10:\"textarea-1\";i:1;s:6:\"text-9\";i:1;s:13:\"kr89DRL7Vo6OG\";i:1;s:10:\"checkbox-1\";i:1;s:13:\"__currentPage\";i:1;}}8b1df25466df0a4129a77bd7a40aedbe1f7dc8e2"}}

#8 Updated by Jarvis H 6 days ago

After testing, a solution which should definitely solve the issue is to add a NotEmpty validator to the captcha element, like so:

-
  renderingOptions:
    submitButtonLabel: true
  type: Recaptcha
  identifier: recaptcha-1
  label: Spamschutz
  validators:
    -
      identifier: Recaptcha
    -
      identifier: NotEmpty

This needs to be adjusted directly in the kontaktformular.form.yaml file. The problem occurs because the Recaptcha validation only happens if the field tx_form_formframework[kontaktformular][recaptcha-1] is set in the form data. In the spam form data this field is missing, so no validation takes place. This is then fixed by adding a NotEmpty validation.

There may be another problem with the form framework itself, but I am still trying to figure out what that may be. After a closer look, it seems everything works as it should. If someone was dedicated to spamming the form containing just the honeypot this would be possible, but would require any automated scripts to be tailored to this purpose specifically.
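A small model of the behaviour described in comment #8, added here as an example and not code from TYPO3, the reCAPTCHA extension or the issue: validators that accept empty input never run for a field missing from the POST data, so the spam request from comment #7, which omits recaptcha-1, passes the original form definition and is rejected by the fixed one. The `accepts_empty` flag and the `valid-token` stand-in for reCAPTCHA verification are assumptions of the model.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable


@dataclass
class Validator:
    name: str
    check: Callable[[str], bool]  # True when the value is acceptable
    accepts_empty: bool = True    # assumed default: skipped for a missing/empty value


def recaptcha_check(token: str) -> bool:
    """Stand-in for the reCAPTCHA verification call (constructed, not the extension's code)."""
    return token == "valid-token"


NOT_EMPTY = Validator("NotEmpty", lambda v: v != "", accepts_empty=False)
RECAPTCHA = Validator("Recaptcha", recaptcha_check)


def validate(form: dict[str, list[Validator]], post: dict[str, str]) -> dict[str, list[str]]:
    """Return {field identifier: [names of failed validators]} for one submission."""
    errors: dict[str, list[str]] = {}
    for field_id, validators in form.items():
        value = post.get(field_id, "")     # a missing field looks like an empty one
        failed = []
        for v in validators:
            if value == "" and v.accepts_empty:
                continue                   # the validator never runs for an absent field
            if not v.check(value):
                failed.append(v.name)
        if failed:
            errors[field_id] = failed
    return errors


# The kontaktformular definition from comment #4, reduced to the two relevant elements.
FORM_ORIGINAL = {"text-1": [NOT_EMPTY], "recaptcha-1": [RECAPTCHA]}
FORM_FIXED = {"text-1": [NOT_EMPTY], "recaptcha-1": [RECAPTCHA, NOT_EMPTY]}

# Constructed POST bodies: a real visitor, and a request shaped like the one in
# comment #7, which simply leaves recaptcha-1 out.
LEGIT_POST = {"text-1": "Max", "recaptcha-1": "valid-token"}
SPAM_POST = {"text-1": "秦籍欧", "text-6": "10024", "text-7": "pakistan"}

if __name__ == "__main__":
    print(validate(FORM_ORIGINAL, SPAM_POST))  # {} -> spam accepted
    print(validate(FORM_FIXED, SPAM_POST))     # {'recaptcha-1': ['NotEmpty']}
    print(validate(FORM_FIXED, LEGIT_POST))    # {}
```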
