Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Jo Kendal 32 posts 194 karma points
    Jul 28, 2023 @ 10:31
    Jo Kendal
    0

    Scan Reports Security Vulnerability - Umbraco Forms (Current installed version of Umbraco Forms: 11.1.2)

    Security Vulnerability - Umbraco Forms (Current installed version of Umbraco Forms: 11.1.2)

    I am getting a reported HIGH PRIORITY security vulnerability which identifies the g-recaptcha-response field on a form as the culprit.

    Java Object Deserialization Instance VULNERABILITY CRITICAL PLUGIN ID 9878

    I 'feel' this a false positive because it appears to be simply used by google's recaptcha service so not stored or dealt with by the website but can anyone expand, help with a better response.

    Looking at the source the addition of the recaptcha field adds the following to my Umbraco Form

    The script seems to place the token value received by recaptcha into the field - but where is that eventually processed, is that processed by Google recaptcha service directly on submission?

     <input type="hidden" id="XXXXXXXXXX" name="g-recaptcha-response" />
    
    
    
    
    <script type="application/javascript">
                (function (window, document) {
                    var hiddenField = document.getElementById('XXXXXXXXXX');
                    var timerFunction = function () {
                        window.grecaptcha.execute('YYYYYYYYYY, { action: 'umbracoform_submit' }).then(function (token) {
                            // Enable the submit button now we have a token
                            hiddenField.form.querySelector('[type=submit]').removeAttribute('disabled');
                            hiddenField.value = token;
                        });
                        setTimeout(timerFunction, 60*1000);
                    };
    
                    document.addEventListener('DOMContentLoaded', function () {
                        // Disable the submit button for this form, until we actually have a key from Google reCAPTCHA
                        hiddenField.form.querySelector('[type=submit]').setAttribute('disabled','disabled');
    
                        window.grecaptcha.ready(function () {
                            timerFunction();
                        });
                    });
                })(window, document);
            </script>
    
  • Tony 4 posts 75 karma points hq
    Aug 02, 2023 @ 10:26
    Tony
    1

    enter image description here

    It does seem like a false positive from the tool, but just to be sure, would it be possible for the support team of the tool to share more details as to what kind of attack it can foresee and at which stage of the sequence in the diagram attached?

    Please share the details with security [at] umbraco.com and avoid posting the details on this public forum. Thanks in advance.

  • Jo Kendal 32 posts 194 karma points
    Aug 02, 2023 @ 13:18
    Jo Kendal
    0

    Hi

    Will do. I have a ticket with security@ out there now.

  • Huw Reddick 1929 posts 6717 karma points MVP 2x c-trib
    Aug 02, 2023 @ 12:20
    Huw Reddick
    2

    you should email [email protected] rather than post it on the forums

Please Sign in or register to post replies

Write your reply to:

Draft