ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


Security issue with forms ACT parameter?

June 29, 2011 6:53am

  • #1 / Jun 29, 2011 6:53am

    Jon Harvey

    5 posts

    Hi

    I’ve come across an issue raised by a pen test on a site we’ve built where if we change the hidden ACT field on forms we can submit data to the WRONG “action”... This could lead to a couple of security issues according to the pen testers and I wondered if there is a way we can hide this ACT or encrypt it in some way?!?

    Thanks
    Jon

  • #2 / Jun 29, 2011 5:50pm

    Kevin Smith

    4784 posts

    Hi Jon,

    Do you have the following preference set to ‘Yes’?

    Admin > Security and Session Preferences > Process all forms in secure mode

    That’s recommended, and having that setting turned on will prevent anyone from messing with the form parameters using Firebug or similar tools.

  • #3 / Jun 30, 2011 4:24am

    Jon Harvey

    5 posts

    Thanks for your answer but unfortunately we do have that setting set to “yes” but it doesn’t prevent me changing the parameter in Firebug and submitting the form with a different action set!

  • #4 / Jul 01, 2011 6:33pm

    Brandon Jones

    5500 posts

    Hi Jon,

    The parameter can always be changed, sure. But what specific security issues does this bring up? Your session’s credentials should always be verified by the requested module before taking any administrative or potentially dangerous actions.

    We take security very seriously and have an excellent track record, so I want to be sure we’re on the same page here.

  • #5 / Jul 04, 2011 8:44am

    Jon Harvey

    5 posts

    The company doing the security testing raised an issue that ACT 1 “might” be susceptible to xpath injections - I cannot create any myself but it’s a little outside my expertise to be honest. Would it be possible to somehow encrypt this variable and then decrypt again during the action processing?

  • #6 / Jul 04, 2011 8:52am

    Jon Harvey

    5 posts

    The fact these fields are exposed concerns me somewhat too…

    <input type="hidden" value="" name="status">
    <input type="hidden" value="not home-features|footer-panels" name="channel">
    <input type="hidden" value="everywhere" name="search_in">

    Especially the channel one… is there anyway I can hide this information?  Is there a guide to creating my own forms instead of having to use these variables anywhere or has anyone else come across any issues with the way EE handles forms like this?

  • #7 / Jul 04, 2011 9:41am

    Jon Harvey

    5 posts

    OK I found a way to encrypt the search form ACT as a test… Am I unnecessarily concerned here? I personally think encrypting these params is a good idea to help prevent attacks but there must be a reason that EllisLabs didn’t as they are so good at this sort of stuff right?!

  • #8 / Jul 05, 2011 4:41pm

    Brandon Jones

    5500 posts

    Hi Jon,

    What version of EE are you testing?

  • #9 / Jul 05, 2011 5:07pm

    Jon Harvey

    5 posts

    Hi Brandon. We’re on 2.1.0

  • #10 / Jul 05, 2011 5:14pm

    Brandon Jones

    5500 posts

    Hi John,

    I believe there was some encryption added to those fields to prevent “leakage” when using the search module, but that was after 2.1.0. We’re on 2.2.1 now, so it’d be advisable to upgrade and test against that.

    Nothing changed as far as the action parameters, and though I’m still not seeing an exploitable issue, encrypting those would definitely be a nice feature. If you do find an issue, please feel free to MSG me directly. Also, note that the action IDs can change from installation to installation (i.e. action 1 may not always be associated with the same module).
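As an added illustration of the two points made in this thread (in #4, that the session, not the hidden ACT field, must decide whether an action is allowed; in #6 and #7, the wish to stop hidden fields being edited in Firebug), here is a small Python sketch of how a form dispatcher can combine the two. It is not ExpressionEngine code and makes no claim about how EE’s ACT dispatch or the later encryption of search-form fields is implemented. The action table, the role names, the server secret and the `sign_fields`/`verify_fields`/`dispatch` helpers are all constructed for this example.

```python
import hashlib
import hmac
import json

# Constructed: a server-side secret used only to sign hidden form fields.
# In a real deployment this comes from configuration, not source code.
SERVER_SECRET = b"example-server-secret-rotate-me"

# Constructed action table, modelled on a CMS that dispatches form posts by an
# integer ACT id. The id is a lookup key only; it never grants permission.
# (Per #10, ids differ between installs, so nothing client-side may rely on them.)
ACTIONS = {
    1: {"handler": "search",       "requires": set()},
    2: {"handler": "delete_entry", "requires": {"admin"}},
}


class Session:
    """Minimal stand-in for a server-side session: who the user is and their roles."""

    def __init__(self, user, roles):
        self.user = user
        self.roles = set(roles)


def _canonical(fields):
    # Unambiguous serialisation of the fields so the MAC is stable and
    # values containing '&' or '=' cannot be confused with field boundaries.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_fields(fields):
    """Return the hidden fields plus a 'sig' field binding them together.

    Integrity, not secrecy, is what 'hide the ACT' really needs: the browser
    can still read the values, but cannot change any of them unnoticed.
    """
    mac = hmac.new(SERVER_SECRET, _canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "sig": mac}


def verify_fields(posted):
    """Recompute the MAC over every field except 'sig'; constant-time compare."""
    sig = posted.get("sig", "")
    body = {k: v for k, v in posted.items() if k != "sig"}
    expected = hmac.new(SERVER_SECRET, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)


def dispatch(session, posted):
    """Process one form post. Returns (status, detail).

    Order matters: reject tampered fields first, then resolve the action,
    then check the *session's* roles against what that action requires.
    The last check is the one that actually protects dangerous actions;
    the signature only tells you the client edited something.
    """
    if not verify_fields(posted):
        return ("rejected", "hidden fields were modified")
    try:
        act = int(posted.get("ACT", ""))
    except ValueError:
        return ("rejected", "ACT is not an integer")
    action = ACTIONS.get(act)
    if action is None:
        return ("rejected", f"unknown action {act}")
    missing = action["requires"] - session.roles
    if missing:
        return ("forbidden", f"{action['handler']} requires {sorted(missing)}")
    return ("ok", action["handler"])


if __name__ == "__main__":
    # Constructed sample: the search form from #6, signed on the way out.
    guest = Session("guest", [])
    form = sign_fields({"ACT": "1",
                        "channel": "not home-features|footer-panels",
                        "search_in": "everywhere"})
    print(dispatch(guest, form))                 # ('ok', 'search')
    edited = dict(form, ACT="2")                 # ACT changed in the browser
    print(dispatch(guest, edited))               # ('rejected', 'hidden fields were modified')
    print(dispatch(guest, sign_fields({"ACT": "2"})))  # ('forbidden', ...)
```

The signature catches a value edited after the server issued it, which is the symptom Jon saw with Firebug. It does not decide anything on its own: a user can always resubmit a form they were legitimately given, so each handler still checks the session’s roles, exactly as #4 describes. The `verify_fields` step also needs the secret kept server-side and the same canonical serialisation on both ends, otherwise every legitimate post is rejected.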
