$value['id'] is not validated against invalid characters #13

Open
damac23 opened this issue Jun 21, 2021 · 0 comments

Bug Report

| Q | A |
|---|---|
| Version(s) | 2.9.0 + 2.10.0 |

Summary

We've seen a rise in error messages of this kind:

```
Laminas\Session\Exception\InvalidArgumentException
/PROJECT/src/vendor/laminas/laminas-session/src/AbstractContainer.php
Name passed to container is invalid; must consist of alphanumerics, backslashes and underscores only
```

They all occur on our different contact forms.

Current behavior

If a malicious user modifies the value of the hidden form field "captcha[id]", it will result in an InvalidArgumentException:

```
Laminas\Session\Exception\InvalidArgumentException
/PROJECT/vendor/laminas/laminas-session/src/AbstractContainer.php
Name passed to container is invalid; must consist of alphanumerics, backslashes and underscores only
0 /PROJECT/vendor/laminas/laminas-captcha/src/AbstractWord.php(260): Laminas\Session\AbstractContainer->__construct()
1 /PROJECT/vendor/laminas/laminas-captcha/src/AbstractWord.php(289): Laminas\Captcha\AbstractWord->getSession()
2 /PROJECT/vendor/laminas/laminas-captcha/src/AbstractWord.php(402): Laminas\Captcha\AbstractWord->getWord()
3 /PROJECT/vendor/laminas/laminas-validator/src/ValidatorChain.php(245): Laminas\Captcha\AbstractWord->isValid()
4 /PROJECT/vendor/laminas/laminas-inputfilter/src/Input.php(433): Laminas\Validator\ValidatorChain->isValid()
5 /PROJECT/vendor/laminas/laminas-inputfilter/src/BaseInputFilter.php(274): Laminas\InputFilter\Input->isValid()
6 /PROJECT/vendor/laminas/laminas-inputfilter/src/BaseInputFilter.php(228): Laminas\InputFilter\BaseInputFilter->validateInputs()
7 /PROJECT/vendor/laminas/laminas-form/src/Form.php(531): Laminas\InputFilter\BaseInputFilter->isValid()
8 /PROJECT/module/Frontend/src/Controller/IndexController.php(210): Laminas\Form\Form->isValid()
```

How to reproduce

Create a form and add the Captcha::class. Options along those lines:
```php
'captcha' => [
    'class' => 'Image',
    'font' => '/usr/share/fonts/truetype/lato/Lato-Bold.ttf',
    'ImgDir' => './public/frontend/captcha/',
    'ImgUrl' => '/captcha/',
    'wordLen' => 5,
    'DotNoiseLevel' => 5,
    'LineNoiseLevel' => 3,
],
```

In your Browser-Inspector modify the captcha[id]-Value by replacing one character with a special character like "[" and then submit the form.

Expected behavior

If an attacker modifies the value for captcha[id], it should simply be rejected.

The solution should be pretty simple in laminas-captcha/src/AbstractWord.php:
Lines 396 to 399 validate only against existence: `if (! isset($value['id'])) {`

And something like that would validate against the correct values (same regex as in laminas-session/src/AbstractContainer.php):

```php
// Reject IDs that AbstractContainer would refuse as a container name.
if (! preg_match('/^[a-z0-9][a-z0-9_\\\\]+$/i', $value['id'])) {
    $this->error(self::MISSING_ID);
    return false;
}
```

damac23 added the Bug label Jun 21, 2021
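
The check proposed in the issue, as an added example that is not part of the original report or of laminas-captcha: it applies the quoted pattern to constructed submissions and also rejects a non-string `captcha[id]`, which `preg_match()` would not accept. The function names and sample IDs are hypothetical; PHP 8.0 or later is assumed for the `mixed` type.

```php
<?php
declare(strict_types=1);

// Added example, not laminas-captcha code. The pattern is the one quoted in
// the issue; the function names and sample inputs are constructed.
const CONTAINER_NAME_PATTERN = '/^[a-z0-9][a-z0-9_\\\\]+$/i';

/**
 * Returns true only when the submitted captcha ID is a string that matches
 * the container-name pattern.
 */
function isUsableCaptchaId(mixed $id): bool
{
    // captcha[id][]=x arrives as an array; preg_match() would raise a
    // TypeError on it, so check the type before matching.
    if (! is_string($id)) {
        return false;
    }
    return preg_match(CONTAINER_NAME_PATTERN, $id) === 1;
}

/** Hypothetical stand-in for the first checks of a captcha validator. */
function checkCaptchaInput(mixed $value): string
{
    if (! is_array($value) || ! isset($value['id'])) {
        return 'rejected: missing id';
    }
    if (! isUsableCaptchaId($value['id'])) {
        return 'rejected: malformed id';
    }
    return 'accepted: id can be used to look up the session';
}

// Constructed sample submissions.
$samples = [
    'untouched id'        => ['id' => '0f3a9c1e7b2d4c6a8e5f1b3d7a9c2e4f', 'input' => 'abcde'],
    'special character'   => ['id' => '0f3a9c1e7b2d4c6a8e5f1b3d7a9c2e[f', 'input' => 'abcde'],
    'array instead of id' => ['id' => ['x'], 'input' => 'abcde'],
    'empty id'            => ['id' => '', 'input' => 'abcde'],
    'id field removed'    => ['input' => 'abcde'],
];

foreach ($samples as $label => $value) {
    printf("%-20s %s\n", $label, checkCaptchaInput($value));
}
```

Only the first sample is accepted; the other four are rejected as ordinary validation failures without reaching the session layer.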