Version 4.x > Bug reports > Potential cross-site request forgery with BizForms
Josh Larios (Member) - 12/10/2009 4:26:11 PM
Potential cross-site request forgery with BizForms
While form input data is sanitized before display everywhere I've found in the CMS (that is, via the web), it doesn't seem to be sanitized in the Autoresponder or Notification email messages that (optionally) get sent when a BizForm is submitted. This leads to the slim, but non-zero, possibility that an attacker could use a BizForm for a cross-site request forgery aimed at either the recipient of the Notification emails or an arbitrary email address via the Autoresponder.

Sanitizing the input data (< to <, & to &, > to >) in email the same way it's sanitized in BizForm_Edit_Data.aspx and BizForm_Edit_EditRecord.aspx would eliminate this threat.

Josh Larios (Member) - 12/13/2009 6:44:58 PM
RE:Potential cross-site request forgery with BizForms
Heh. Let me try that sanitization again:

< to &lt;
> to &gt;
& to &amp;

kentico_jurajo (Kentico Support) - 12/14/2009 2:40:01 AM
RE:Potential cross-site request forgery with BizForms
Hi,

In general you are right, but we cannot do this in general since some users may require this current behavior. It also depends on the field type.

In this case, you can create your own custom form control for this, e.g. a textbox that encodes its value by default, so the cross-site attack won't be possible.

Best Regards,
Juraj Ondrus

Josh Larios (Member) - 12/14/2009 10:36:13 AM
RE:Potential cross-site request forgery with BizForms
Let me make sure I understand your response. Are you saying that the way to prevent cross-site request forgeries in the BizForm module is to not use any of Kentico's built-in form controls, instead writing all new ones? If that's the case, I think I'd rather just tell all our users that the "form to email" functionality in Kentico is broken, and disable it completely.

It seems like a per-form option to choose whether to encode the values in email or not (with the default being "not", for those users who would be surprised by the change) would be a better way to go. I'll just head over to the feature request forum, I guess.

kentico_jurajo (Kentico Support) - 12/15/2009 8:26:09 AM
RE:Potential cross-site request forgery with BizForms
Hi again,

I have consulted our developers, and in the upcoming version 5.0 a new property will be added to the BizForm web part. It will indicate whether the notification e-mail should be encoded or not.

Best Regards,
Juraj Ondrus
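As an added illustration of the two points made above (the original report that field values are placed into the notification e-mail without HTML encoding, and the per-form "encode or not" property announced for 5.0), the following stand-alone Python script is not Kentico code and does not use any Kentico API; it shows the principle in a language-neutral way. The form field names, the submission values and the `NotificationSettings` class are constructed for the example. It builds the same e-mail body twice, once unencoded and once with `<`, `>`, `&` and quotes turned into entities, and then parses each body the way a mail client would to show which one still contains a live element.

```python
import html
from html.parser import HTMLParser

# Constructed sample: a BizForm-style submission in which one field carries
# markup. The tag itself is inert here; it stands in for anything a visitor
# could type into a public form.
SUBMISSION = {
    "Name": "A. Visitor",
    "Message": '<img src="https://cms.example/some/action" alt="">',
}


class NotificationSettings:
    """Per-form switch, as proposed in the thread: encoding is opt-in and the
    default keeps the existing (unencoded) behaviour for compatibility."""

    def __init__(self, encode_in_email=False):
        self.encode_in_email = encode_in_email


def build_notification_body(fields, settings):
    """Assemble the HTML body of a notification e-mail from submitted fields."""
    rows = []
    for name, value in fields.items():
        if settings.encode_in_email:
            # < > & " ' become entities, so the value is rendered as text and
            # is never parsed as markup by the recipient's mail client.
            name, value = html.escape(name), html.escape(value)
        rows.append(f"<tr><th>{name}</th><td>{value}</td></tr>")
    return "<table>" + "".join(rows) + "</table>"


class _BodyInspector(HTMLParser):
    """Record the elements a client would parse and the text it would show."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: entities are decoded in data
        self.tags = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)


def _inspect(body):
    p = _BodyInspector()
    p.feed(body)
    p.close()
    return p


def tags_in(body):
    """Sorted set of element names present in the generated e-mail."""
    return sorted(set(_inspect(body).tags))


def displayed_text(body):
    """Text the recipient actually reads after entity decoding."""
    return "".join(_inspect(body).text)


if __name__ == "__main__":
    for encode in (False, True):
        body = build_notification_body(SUBMISSION, NotificationSettings(encode))
        print(f"encode_in_email={encode}: elements={tags_in(body)}")
        print(f"  reader sees: {displayed_text(body)!r}")
```

With the default settings the submitted `<img>` survives as a real element in the e-mail; with encoding enabled the parser sees only the template's own `table`, `tr`, `th` and `td`, while the displayed text still contains the visitor's input character for character, which is why encoding costs nothing for the legitimate case.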

Josh Larios (Member) - 12/15/2009 11:09:29 AM
RE:Potential cross-site request forgery with BizForms
Awesome, thanks!