Scan Reports Security Vulnerability - Umbraco Forms (Current installed version of Umbraco Forms: 11.1.2)
I am getting a reported HIGH PRIORITY security vulnerability which identifies the g-recaptcha-response field on a form as the culprit.
Java Object Deserialization Instance
VULNERABILITY CRITICAL PLUGIN ID 9878
I 'feel' this is a false positive because it appears to be simply used by Google's reCAPTCHA service, so it is not stored or dealt with by the website, but can anyone expand on this or help with a better response?
Looking at the source, the addition of the reCAPTCHA field adds the following to my Umbraco Form.
The script seems to place the token value received from reCAPTCHA into the field, but where is that eventually processed? Is it processed by the Google reCAPTCHA service directly on submission?
<input type="hidden" id="XXXXXXXXXX" name="g-recaptcha-response" />
<script type="application/javascript">
(function (window, document) {
    var hiddenField = document.getElementById('XXXXXXXXXX');
    var timerFunction = function () {
        // Ask reCAPTCHA v3 for a token tied to the 'umbracoform_submit' action
        window.grecaptcha.execute('YYYYYYYYYY', { action: 'umbracoform_submit' }).then(function (token) {
            // Enable the submit button now we have a token
            hiddenField.form.querySelector('[type=submit]').removeAttribute('disabled');
            hiddenField.value = token;
        });
        // Tokens expire, so request a fresh one every 60 seconds
        setTimeout(timerFunction, 60*1000);
    };
    document.addEventListener('DOMContentLoaded', function () {
        // Disable the submit button for this form, until we actually have a key from Google reCAPTCHA
        hiddenField.form.querySelector('[type=submit]').setAttribute('disabled','disabled');
        window.grecaptcha.ready(function () {
            timerFunction();
        });
    });
})(window, document);
</script>
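For the "where is the token processed" question, the defender's view is that the g-recaptcha-response value is an opaque string: the server forwards it to Google's siteverify endpoint and never parses or deserializes it itself, which is why a deserialization finding on that field is very unlikely to apply. The Node.js sketch below is an added example, not Umbraco Forms' own code; it assumes a hypothetical verifyRecaptchaToken helper, a constructed hostname of forms.example.test, a 0.5 score threshold, and the 'umbracoform_submit' action name taken from the script above, and it rejects responses whose action, hostname or score do not match.

```javascript
// Added example (not Umbraco Forms' code): server-side handling of the
// g-recaptcha-response value. The token is treated as an opaque string and
// posted to Google; the site never parses or deserializes it.
const SITEVERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';
const EXPECTED_ACTION = 'umbracoform_submit';   // action used by the form script above
const EXPECTED_HOSTNAME = 'forms.example.test'; // assumption: the site's own host (constructed)
const MIN_SCORE = 0.5;                          // assumption: reCAPTCHA v3 score threshold

// Pure policy check over the JSON body Google returns. Returns { ok, reason }.
// Checking action and hostname stops a token minted for another page or site
// from being replayed against this form.
function evaluateSiteverify(body, opts = {}) {
  const action = opts.expectedAction ?? EXPECTED_ACTION;
  const hostname = opts.expectedHostname ?? EXPECTED_HOSTNAME;
  const minScore = opts.minScore ?? MIN_SCORE;
  if (!body || body.success !== true) {
    const codes = (body && body['error-codes']) || [];
    return { ok: false, reason: 'siteverify failure: ' + JSON.stringify(codes) };
  }
  if (body.action !== action) return { ok: false, reason: 'action mismatch: ' + body.action };
  if (body.hostname !== hostname) return { ok: false, reason: 'hostname mismatch: ' + body.hostname };
  if (typeof body.score !== 'number' || body.score < minScore) {
    return { ok: false, reason: 'score too low: ' + body.score };
  }
  return { ok: true, reason: 'verified' };
}

// Hypothetical helper: performs the siteverify request. fetchImpl is injectable
// so the flow can be exercised offline; in production it is the global fetch (Node >= 18).
async function verifyRecaptchaToken(token, secret, remoteIp, fetchImpl = fetch) {
  // Shape check before any network call: a token is a bounded opaque string.
  if (typeof token !== 'string' || token.length === 0 || token.length > 4096) {
    return { ok: false, reason: 'missing or oversized token' };
  }
  const params = new URLSearchParams({ secret: secret, response: token });
  if (remoteIp) params.set('remoteip', remoteIp);
  const res = await fetchImpl(SITEVERIFY_URL, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: params.toString(),
  });
  if (!res.ok) return { ok: false, reason: 'siteverify HTTP ' + res.status };
  return evaluateSiteverify(await res.json());
}
```

The secret key never leaves the server and the token is only ever compared field by field against Google's answer, so the hidden field carries nothing the site itself interprets.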
It does seem like a false positive from the tool, but just to be sure, would it be possible for the support team of the tool to share more details as to what kind of attack it can foresee and at which stage of the sequence in the diagram attached?
Please share the details with security [at] umbraco.com and avoid posting the details on this public forum. Thanks in advance.
Hi
Will do. I have a ticket with security@ out there now.
You should email [email protected] rather than post it on the forums.