Developer Support »

Apparent security issues with field validation  (See more user questions)

Good stuff, ! You don't owe me a thing!

I can't advise on the server response error, as I can't replicate it, and I
imagine it could differ from server to server, but as it only happens when
<script> is entered, it is never really going to be an issue.

Thank you for your patience too!

Charles Sweeney
https://formtoemail.com
The world's easiest feedback script!

----- Original Message -----
Sent: Tuesday, September 15, 2009 2:36 PM
Subject: RE: Form and script


Hi Charles,

Thank you :) I understand the <script> issue now.
I was wondering if there is a way to redirect the user back to the form page
and have the error show in the same location as the other errors instead of
getting a server error response show.
Funny thing is that the server error response only happens if someone tries
to run a script in the field. All other errors redirect properly to the form
page set in the configuration.
Anyways, thank you for the big help with the extra config needed. I believe
that solved it as the scan was done again and the form passed with no
vulnerabilities this time around with the exception of the server error
response which is considered to be a low vulnerability issue and more like a
usability problem than anything else.
If I was close buy I would buy you a pint. I still owe you one :)
I will let you when/if I am visiting overseas :)


Thank you,


-----Original Message-----
Sent: Monday, September 14, 2009 4:28 PM
Subject: Re: Form and script

Hi

The <script> is run on your own computer. It has no effect on
formtoemailpro.php which is on the server. You might get different browsers
handling it differently. You will find though, that once you use
htmlspecialchars(), then it won't be an issue.

The <script> can only get into your form fields in the event of an error,
when a visitor *returns* to the form and finds it pre-populated with the
values they entered. There is no other way to get <script> into the form
fields. So the visitor would have to enter <script> in one of the fields,
then deliberatley make an error which would return them to the form with the
<script> now in a pre-populated field. The script would then run on THEIR
computer only. Pretty pointless really, and again, should not happen at all
when you use htmlspecialchars().

Best wishes.

Charles Sweeney
https://formtoemail.com
The world's easiest feedback script!

----- Original Message -----
Sent: Monday, September 14, 2009 2:32 PM
Subject: RE: Form and script


Hi Charles,

My last question to you is:
Should the form time out if a person tries to run a <script> from the field?

If I place a <script> in any of the fields, the form tries to process (goes
to formtoemailpro.php) and times out there never returning to the form.php
page with the validation error. I get the blank page with:
IE:
Internet Explorer cannot display the webpage
Most likely causes:
You are not connected to the Internet.
The website is encountering problems.
There might be a typing error in the address.

Firefox:
The connection was reset
The connection to the server was reset while the page was loading.
* The site could be temporarily unavailable or too busy. Try again in
a few
moments.
* If you are unable to load any pages, check your computer's network
connection.
* If your computer or network is protected by a firewall or proxy,
make sure
that Firefox is permitted to access the Web.

If I click on the back button I get back to form.php and can see the
validation error there:
You have entered an invalid string (<script>) in the "company" field.

Should this be happening?
I am sorry to bug you so much. I promise you that once I have learned how to
handle all these I won't be bugging you anymore. Truly sorry.

Thank you,


-----Original Message-----
Sent: Friday, September 11, 2009 6:09 PM
Subject: Re: Form and script

Thanks

It's Friday night, gone 11pm here in the UK. I will look at the report
later, but I think my answer to your other email will do the job!

Have a fab weekend!

Charles Sweeney
https://formtoemail.com
The world's easiest feedback script!

----- Original Message -----
Sent: Friday, September 11, 2009 8:25 PM
Subject: Form and script


Hi Charles,

I thought that it would be easier just to send you the form and the
script as we modified it so you can take a look at it. As well as the
webinspect report on the 6 critical issues.
It all applies to the fields and their validation.


Thank you,