We've seen a rise in error messages of this kind:
Laminas\Session\Exception\InvalidArgumentException
/PROJECT/src/vendor/laminas/laminas-session/src/AbstractContainer.php
Name passed to container is invalid; must consist of alphanumerics, backslashes and underscores only
They all occur on our different contact forms.
Current behavior
If a malicious user modifies the value of the hidden form field "captcha[id]", it will result in an InvalidArgumentException:
Laminas\Session\Exception\InvalidArgumentException
/PROJECT/vendor/laminas/laminas-session/src/AbstractContainer.php
Name passed to container is invalid; must consist of alphanumerics, backslashes and underscores only
0 /PROJECT/vendor/laminas/laminas-captcha/src/AbstractWord.php(260): Laminas\Session\AbstractContainer->__construct()
1 /PROJECT/vendor/laminas/laminas-captcha/src/AbstractWord.php(289): Laminas\Captcha\AbstractWord->getSession()
2 /PROJECT/vendor/laminas/laminas-captcha/src/AbstractWord.php(402): Laminas\Captcha\AbstractWord->getWord()
3 /PROJECT/vendor/laminas/laminas-validator/src/ValidatorChain.php(245): Laminas\Captcha\AbstractWord->isValid()
4 /PROJECT/vendor/laminas/laminas-inputfilter/src/Input.php(433): Laminas\Validator\ValidatorChain->isValid()
5 /PROJECT/vendor/laminas/laminas-inputfilter/src/BaseInputFilter.php(274): Laminas\InputFilter\Input->isValid()
6 /PROJECT/vendor/laminas/laminas-inputfilter/src/BaseInputFilter.php(228): Laminas\InputFilter\BaseInputFilter->validateInputs()
7 /PROJECT/vendor/laminas/laminas-form/src/Form.php(531): Laminas\InputFilter\BaseInputFilter->isValid()
8 /PROJECT/module/Frontend/src/Controller/IndexController.php(210): Laminas\Form\Form->isValid()
How to reproduce
Create a form and add the Captcha::class. Options along those lines:
    'captcha' => [
        'class' => 'Image',
        'font' => '/usr/share/fonts/truetype/lato/Lato-Bold.ttf',
        'ImgDir' => './public/frontend/captcha/',
        'ImgUrl' => '/captcha/',
        'wordLen' => 5,
        'DotNoiseLevel' => 5,
        'LineNoiseLevel' => 3,
    ],
In your browser inspector, modify the captcha[id] value by replacing one character with a special character like "[" and then submit the form.
Expected behavior
If an attacker modifies the value for captcha[id], it should simply be rejected.
The solution should be pretty simple in laminas-captcha/src/AbstractWord.php:
Lines 396 to 399 validate only against existence: if (! isset($value['id'])) {
And something like that would validate against the correct values (same regex as in laminas-session/src/AbstractContainer.php):
    if (! preg_match('/^[a-z0-9][a-z0-9_\\\\]+$/i', $value['id'])) {
        $this->error(self::MISSING_ID);
        return false;
    }
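The check proposed above, written as a stand-alone function so it runs without Laminas installed. This is an added example, not code from the issue or from laminas-captcha: `rejectCaptchaInput`, the reason strings and the sample ids are constructed for illustration, and the `is_string` guard goes beyond the proposed one-liner to cover an id submitted as an array.

```php
<?php
declare(strict_types=1);

// Pattern quoted in the issue as the one laminas-session's AbstractContainer applies.
const CONTAINER_NAME_PATTERN = '/^[a-z0-9][a-z0-9_\\\\]+$/i';

/**
 * Hypothetical helper (not part of laminas-captcha): decide whether a submitted
 * captcha value may be passed on to code that builds a session container name
 * from captcha[id]. Returns null when acceptable, otherwise a reason string.
 * Requires PHP 8.0+ for the mixed type.
 */
function rejectCaptchaInput(mixed $value): ?string
{
    if (! is_array($value) || ! isset($value['id'])) {
        return 'missing id';
    }
    // captcha[id][]=x is decoded as an array; preg_match() would raise a TypeError on it.
    if (! is_string($value['id'])) {
        return 'id is not a string';
    }
    if (preg_match(CONTAINER_NAME_PATTERN, $value['id']) !== 1) {
        return 'id is not a valid session container name';
    }
    return null;
}

// Constructed sample submissions, shaped as PHP decodes them from POST data.
$samples = [
    'untouched id'        => ['id' => '9f2c4b7a1d3e5f60718293a4b5c6d7e8', 'input' => 'abcde'],
    'one char replaced'   => ['id' => '9f2c4b7a1d3e5f60718293a4b5c6d7e[', 'input' => 'abcde'],
    'id sent as an array' => ['id' => ['x'], 'input' => 'abcde'],
    'id missing'          => ['input' => 'abcde'],
];

foreach ($samples as $label => $value) {
    $reason = rejectCaptchaInput($value);
    printf("%-20s %s\n", $label, $reason === null ? 'accepted' : 'rejected: ' . $reason);
}
```

Rejecting at this point turns the tampered field into an ordinary validation failure instead of an uncaught exception from the session layer.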
still open and active bug, at least - stops hacker from sending actual emails... (but floods mail logs)
I even noticed that it's possible to reuse a captcha multiple times until the expiration time is expired - that's a separate bug....