  • marcelh 171 posts 471 karma points
    Jan 22, 2018 @ 15:50
    marcelh
    1

    Magic strings data leak

    Running the latest version of Umbraco 7.7.8 and Forms 6.0.6 I'm getting strange results when using the so-called magic strings to populate fields with default values. The form values (or magic strings?) are being cached between requests and browsers and result in a major data leak!

    This happens to url values (@...), page values (#...) but also member values!

    For anyone running into this, setting the value of DisableFormCaching to True in UmbracoForms.config resolves the issue (but I don't know what the side effects are).

    <setting key="DisableFormCaching" value="True" />
    

    Steps to reproduce:

    1) Create a Visual Studio solution and install the latest Umbraco and Forms packages.
    2) Go to the Forms section and create a simple form, containing a Name, Email and Page field, and set the default values to {member.Name}, {member.Email} and [#pageName] respectively.
    3) Go to the Settings section, modify the Content Page and add a Form picker.
    4) In the Settings section, alter the Content Page template and include the following snippet in the col-md-9 div:

    @{
        if (Model.Content.Form != null)
        { Html.RenderAction("RenderForm", "UmbracoForms", new { formId = Model.Content.Form, theme = "bootstrap3" }); }
    }
    

    To make the Forms work, also include a Header section with the following scripts:

    @section Header
    {
    <script src="https://ajax.aspnetcdn.com/ajax/jQuery/jquery-2.1.1.min.js"></script>
    <script src="https://ajax.aspnetcdn.com/ajax/jquery.validate/1.13.1/jquery.validate.min.js"></script>
    <script src="https://ajax.aspnetcdn.com/ajax/mvc/5.1/jquery.validate.unobtrusive.min.js"></script>
    }
    

    5) Finally, in the Content section add three pages (Page One, Page Two, Page Three) and on all pages select the form created in step 2.

    Result: When you open one of the selected pages, note that the initial page shows the correct Page value in the form field, but any of the other created pages will show the value of the first viewed page.

    A step further, add some members and login:

    1) In the Member section add two members (John First, Mike Second).
    2) In the Settings section, add two Login templates and copy the contents from ContentPage. Replace inner HTML of the container div with the following snippets:

    @{
        if (Members.IsLoggedIn())
        {
            <p>@Members.CurrentUserName</p>
        }
        else
        {
            Members.Login("[email protected]","johnfirst1");
        }
    }
    

    And for the second template

    @{
        if (Members.IsLoggedIn())
        {
            <p>@Members.CurrentUserName</p>
        }
        else
        {
            Members.Login("[email protected]","mikesecond1");
        }
    }
    

    3) In the Settings section, go to Document Types and add the Login templates as allowed templates for Content Page.
    4) In the Content section, add a Content Page and set the template to Login1 to log in John First. Add a second Content Page and set the template to Login2 to log in Mike Second.

    Result: When you open Login1 in a first browser and Login2 in a second, different browser notice that the values in the forms contain the same values, depending on which form/member is viewed first.

    I think this is related to the following caching keys in HttpContext.Current.Cache:

    • "umbrtmche-Forms.FormStorage.All"
    • "umbrtmche-Forms.Member1148"
    • "umbrtmche-Forms.Member1148.Values"

    Note that only the first member is loaded in the cache (Member1148, which is John First). The second member never shows up (appears).

    To me this seems to be a major security leak and I think it is related to this bug report: http://issues.umbraco.org/issue/CON-1458
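
A simplified model of the class of bug reported in the post above, added here as an example; it is not part of the original post and is not Umbraco Forms source code. It contrasts caching a resolved magic-string value under a key that ignores the request with caching only the template. `RequestContext`, `ResolveDefault`, `LeakyDefault` and `SafeDefault` are hypothetical names, and the sample members are constructed from the reproduction steps.

```csharp
using System;
using System.Collections.Generic;

// Simplified model of the reported behaviour; NOT Umbraco Forms source code.
// RequestContext, ResolveDefault, LeakyDefault and SafeDefault are hypothetical names.
class RequestContext
{
    public string MemberName;  // member logged in on this request
    public string PageName;    // page being rendered on this request
}

static class MagicStringCacheDemo
{
    static readonly Dictionary<string, string> Cache = new Dictionary<string, string>();

    // Substitutes two of the magic strings from the post with this request's values.
    static string ResolveDefault(string template, RequestContext ctx) =>
        template.Replace("{member.Name}", ctx.MemberName).Replace("[#pageName]", ctx.PageName);

    // Leaky: the resolved, per-request value is cached under a key that names only the field.
    public static string LeakyDefault(string fieldKey, string template, RequestContext ctx)
    {
        string key = "resolved:" + fieldKey;
        if (!Cache.ContainsKey(key)) Cache[key] = ResolveDefault(template, ctx);
        return Cache[key];
    }

    // Safe: only the request-independent template is cached; resolution runs on every request.
    public static string SafeDefault(string fieldKey, string template, RequestContext ctx)
    {
        string key = "template:" + fieldKey;
        if (!Cache.ContainsKey(key)) Cache[key] = template;
        return ResolveDefault(Cache[key], ctx);
    }

    static void Main()
    {
        // Constructed sample data mirroring the reproduction steps.
        var john = new RequestContext { MemberName = "John First", PageName = "Page One" };
        var mike = new RequestContext { MemberName = "Mike Second", PageName = "Page Two" };
        const string tpl = "{member.Name} / [#pageName]";
        LeakyDefault("name", tpl, john);                                 // first visitor fills the cache
        Console.WriteLine("leaky: " + LeakyDefault("name", tpl, mike));  // second visitor, other member
        SafeDefault("name", tpl, john);
        Console.WriteLine("safe:  " + SafeDefault("name", tpl, mike));
    }
}
```

In the leaky variant the second request receives the values resolved for the first visitor, which is the symptom described in the reproduction steps; the safe variant resolves against the current request every time.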

  • Heather Floyd 610 posts 1032 karma points MVP 6x c-trib
    Feb 01, 2018 @ 04:32
    Heather Floyd
    0

    I noticed the same issue myself today. I was using query string params to pre-populate fields, and even on different computers the last-used value was appearing - not the value in the current browser url.

    Thanks for the UmbracoForms.config tip - that fixed it for me as well.

  • marcelh 171 posts 471 karma points
    Feb 01, 2018 @ 08:15
    marcelh
    100

    Thanks for responding, and voting. I found it astounding that this caching was forming a major data leak. And I think this DisableFormCaching option should be switched on by default. So for anyone running into this:

    <setting key="DisableFormCaching" value="True" />
    
  • Sebastiaan Janssen 5060 posts 15522 karma points MVP admin hq
    Feb 02, 2018 @ 13:11
    Sebastiaan Janssen
    0

    Thanks for noticing this!

    Please make sure that if you find issues like this to shoot us an email at [email protected] so we can fix it ASAP. It's on our list to fix early next week, keep an eye on the issue tracker for progress:

    http://issues.umbraco.org/issue/CON-1494

  • marcelh 171 posts 471 karma points
    Feb 02, 2018 @ 13:13
    marcelh
    0

    Thanks for replying, Sebastiaan. I wasn't aware of this e-mail option so thanks for bringing that to my attention! I already created an issue for this on the tracker, perhaps you can merge them: http://issues.umbraco.org/issue/CON-1458

  • Sebastiaan Janssen 5060 posts 15522 karma points MVP admin hq
    Feb 02, 2018 @ 13:52
    Sebastiaan Janssen
    2

    Ah no worries, the security address comes with a detailed description on the website as well - https://umbraco.com/security

    Cool I'll merge the issues, thanks!
