Bug #91441
open
Security problem with form extension form_formframework
Added by Martin Weymayer almost 4 years ago. Updated over 3 years ago.
0%
Description
We have detected, that spammer are able to send mails via form extension form_formframework also having javavscript and google recaptcha spam protection. so we think spammer use some sercury problem in form_formframework. TYPO3 8 - 10 have same problem.
We found out, that spammer somehow find out correct post parameter and then send each 2 minutes only post parameter. so maybe a timestamp can help a little bit. set a timestam to hidden field and validate if form is submitted to fast (f. e. 10 seconds) or timestamp is too old (2 minutes).
Files
Updated by Jarvis H almost 4 years ago
Hello.
Would it be possible to share your yaml config for testing purposes?
And sorry for having to ask a stupid question (based on having done this myself :-)), but is your captcha field set to required?
Updated by Martin Weymayer almost 4 years ago
do mean kontaktformular.form.yaml?
there is no extra checkbox for setting recaptcha as required. this is also a problem. if you call form in fronentend recaptcha is a required field. but spammer can post datas and submit form correct withour recaptcha data
Updated by Jarvis H almost 4 years ago
Yes, I mean the kontaktformular.form.yaml config, just make sure to remove any mail addresses or sensitive data :-), then I can try testing it on my local machine.
Updated by Martin Weymayer almost 4 years ago
renderingOptions:
submitButtonLabel: absenden
type: Form
identifier: kontaktformular
label: Kontaktformular
prototypeName: standard
finishers:
-
options:
subject: 'aaaaaaaaaaaaa'
recipientAddress: '{text-4}'
recipientName: '{text-1} {text-2}'
senderAddress: xxxxx
senderName: 'bbbbbbbbbbb '
replyToAddress: ''
carbonCopyAddress: ''
blindCarbonCopyAddress: ''
format: html
attachUploads: true
identifier: EmailToSender
-
options:
subject: 'Anfrage von der Webseite'
recipientAddress: xxxx
recipientName: 'bbbbbbbbbbb '
senderAddress: xxxxx
senderName: '{text-1} {text-2}'
replyToAddress: '{text-4}'
carbonCopyAddress: ''
blindCarbonCopyAddress: ''
format: html
attachUploads: true
translation:
language: ''
identifier: EmailToReceiver
-
options:
pageUid: '132'
additionalParameters: ''
identifier: Redirect
renderables:
-
renderingOptions:
previousButtonLabel: 'Previous step'
nextButtonLabel: 'Neue Seite'
type: Page
identifier: page-1
label: ''
renderables:
-
properties:
options:
Frau: Frau
Herr: Herr
fluidAdditionalAttributes:
required: required
type: SingleSelect
identifier: singleselect-1
label: Anrede
validators:
-
identifier: NotEmpty
-
defaultValue: ''
type: Text
identifier: text-1
label: Vorname
properties:
fluidAdditionalAttributes:
required: required
elementDescription: ''
validators:
-
identifier: NotEmpty
-
defaultValue: ''
type: Text
identifier: text-2
label: Nachname
properties:
fluidAdditionalAttributes:
required: required
validators:
-
identifier: NotEmpty
-
defaultValue: ''
type: Text
identifier: text-3
label: Telefon
-
defaultValue: ''
type: Text
identifier: text-4
label: Email
properties:
fluidAdditionalAttributes:
required: required
validators:
-
identifier: NotEmpty
-
defaultValue: ''
type: Text
identifier: text-5
label: Straße
-
defaultValue: ''
type: Text
identifier: text-6
label: PLZ
properties:
fluidAdditionalAttributes:
required: required
validators:
-
identifier: NotEmpty
-
defaultValue: ''
type: Text
identifier: text-7
label: Ort
properties:
fluidAdditionalAttributes:
required: required
validators:
-
identifier: NotEmpty
-
defaultValue: ''
type: Text
identifier: text-8
label: Mitgliedsnummer
-
defaultValue: ''
type: Textarea
identifier: textarea-1
label: Nachricht
properties:
fluidAdditionalAttributes:
required: required
validators:
-
identifier: NotEmpty
-
defaultValue: '55'
type: Text
identifier: text-9
label: Message
properties:
fluidAdditionalAttributes:
required: required
validators:
-
options:
minimum: '90'
maximum: '92'
identifier: NumberRange
-
identifier: NotEmpty
-
type: Checkbox
identifier: checkbox-1
label: DSGVO
properties:
elementDescription: ''
fluidAdditionalAttributes:
required: required
validators:
-
identifier: NotEmpty
-
renderingOptions:
submitButtonLabel: true
type: Recaptcha
identifier: recaptcha-1
label: Spamschutz
validators:
-
identifier: Recaptcha
Updated by Jarvis H almost 4 years ago
Great, thanks... which recaptcha extension are you using?
Updated by Martin Weymayer almost 4 years ago
https://extensions.typo3.org/extension/recaptcha on typo3 8.7.20 f.e.
Updated by Martin Weymayer almost 4 years ago
here if you are interested in post data from spamer:
{"tx_form_formframework":{"kontaktformular":"__state":"TzozOToiVFlQTzNcQ01TXEZvcm1cRG9tYWluXFJ1bnRpbWVcRm9ybVN0YXRlIjoyOntzOjI1OiIAKgBsYXN0RGlzcGxheWVkUGFnZUluZGV4IjtpOjA7czoxMzoiACoAZm9ybVZhbHVlcyI7YTowOnt9fQ==13bcc95d1cfcad63351a841c2d92050914d2f6fd","singleselect-1":"Herr","text-1":"\u79e6\u7c4d\u6b27","text-2":"\u79e6\u7c4d\u6b27","text-3":"","text-4":"3456288690@qq.com","text-5":"","text-6":"10024","text-7":"pakistan","text-8":"","textarea-1":"\u817e\u535a\u4f1a12\u5468\u5e74\u5e86\u5178\uff0c\u8001\u53f0\u5b50\uff0c\u5f00\u6237\u9001100\uff0c\u9996\u5b588\u500d\u6c34 \u7f51\u5740\uff1atengbo89.com","text-9":"91","kr89DRL7Vo6OG":"","checkbox-1":"1","__currentPage":"1"},"__trustedProperties":"a:1:{s:15:\"kontaktformular\";a:14:{s:14:\"singleselect-1\";i:1;s:6:\"text-1\";i:1;s:6:\"text-2\";i:1;s:6:\"text-3\";i:1;s:6:\"text-4\";i:1;s:6:\"text-5\";i:1;s:6:\"text-6\";i:1;s:6:\"text-7\";i:1;s:6:\"text-8\";i:1;s:10:\"textarea-1\";i:1;s:6:\"text-9\";i:1;s:13:\"kr89DRL7Vo6OG\";i:1;s:10:\"checkbox-1\";i:1;s:13:\"__currentPage\";i:1;}}8b1df25466df0a4129a77bd7a40aedbe1f7dc8e2"}}
Updated by Jarvis H almost 4 years ago
After testing, a solution which should definitely solve the issue is to add a validator of not empty to the captcha element, like so:
-
renderingOptions:
submitButtonLabel: true
type: Recaptcha
identifier: recaptcha-1
label: Spamschutz
validators:
-
identifier: Recaptcha
-
identifier: NotEmpty
This needs to be adjusted directly in the kontaktformular.form.yaml file. The problem occurs, as the Recaptcha Validation only happens if the field tx_form_formframework[kontaktformular][recaptcha-1] is set in the form data. In the spam form data, this field is missing and so no validation takes place. This is then fixed by adding a NotEmpty validation.
There may be another problem with the form framework itself, but I am still trying to figure out what that may be. After a closer look, it seems everything works as it should. If someone was dedicated to spamming the form containing just the honeypot this would be possible, but would require any automated scripts to be tailored to this purpose specifically.
Updated by Riccardo De Contardi over 3 years ago
Should this information be added to the EXT:recaptcha documentation?