tinfoilsecurity.com supposes that Contact Form 7 could be unsafe
I checked my “Contact Form 7” web form https://www.cabdrome.com/contact-us/ with tinfoilsecurity.com and they say that there could be at least 15 security holes in it:
1) Blind SQL Injection (timing attack)
Variable _wpcf7_locale
Variable _wpcf7_version
Variable analytics
Variable hidden-222
Variable your-name
Injected Value: 4 or sleep(16)=0 LIMIT 1--
SUGGESTION:
Suppression of error messages leads to security through obscurity which is not a good practice. The web application needs to enforce stronger validation on user inputs. User inputs must be validated and filtered before being included in database queries. We highly recommend making use of bind variables in your SQL queries. Database permissions should also be set carefully; for example it is likely a web application should not be allowed to drop tables. Database users and permissions can be segmented further to limit the damage or disclosure during a breach. If you take an approach of sanitizing and stripping inputs, it is very important to take a whitelist approach rather than a blacklist approach if you strip specific commands or strings out. Using a blacklist of disallowed commands or symbols is always vulnerable, as a skilled attacker can get around your filters by simply putting commands/symbols inside other ones and crafting strings in other ingenious ways. With a whitelist, an attacker is limited to only those you allow.
2) Code injection (timing)
Variable _wpcf7_locale
Variable _wpcf7_unit_tag
Variable analytics
Variable post_url
Variable your-name
Variable _wpnonce
Injected Value: sleep(16000/1000);
SUGGESTION:
User inputs must be validated and filtered before being evaluated as executable code. Better yet, the web application should stop evaluating user inputs as any part of dynamic code altogether.
3) Operating system command injection (timing attack)
Variable _wpcf7_locale
Variable analytics
Variable post_url
Variable _wpcf7_locale
Variable _wpcf7_unit_tag
Variable your-name
Injected Value: sleep 16
SUGGESTION:
User inputs must be validated and filtered before being evaluated as OS level commands. If possible the web application should communicate with the OS through another application acting as a gatekeeper or proxy. If you take an approach of sanitizing and stripping inputs, it is very important to take a whitelist approach rather than a blacklist approach if you strip specific commands or strings out. Using a blacklist of disallowed commands or symbols is always vulnerable, as a skilled attacker can get around your filters by simply putting commands/symbols inside other ones and crafting strings in other ingenious ways. With a whitelist, an attacker is limited to only those you allow.
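All three findings above come from the same probe: the scanner submits a value containing a sleep and checks whether the response comes back late. The Python script below is an added example, not Contact Form 7's code and not part of the original post. It uses an in-memory SQLite table with assumed names (`submissions`, `id`, `your_name`) and registers a user-defined `sleep()` to stand in for MySQL's SLEEP(), so the report's `4 or sleep(16)=0 LIMIT 1--` payload (scaled down to 0.5 s) can be run against a query that concatenates the input and against one that uses a bind variable, as the SUGGESTION recommends. It also shows a whitelist check for a hidden field such as `_wpcf7_locale`; the accepted locale shape (`en_US`, `fr`) is an assumption for the example, not a rule taken from the plugin.

```python
import re
import sqlite3
import time

# Scanner-style payload from the report, with the sleep scaled down from 16 s to 0.5 s.
PAYLOAD = "4 or sleep(0.5)=0 LIMIT 1--"


def make_db():
    """Build a constructed in-memory table; table and column names are assumptions."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no SLEEP(); register one so the payload behaves as it would on MySQL.
    conn.create_function("sleep", 1, lambda secs: time.sleep(secs) or 0)
    conn.execute("CREATE TABLE submissions (id INTEGER PRIMARY KEY, your_name TEXT)")
    conn.executemany(
        "INSERT INTO submissions (id, your_name) VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (4, "carol")],
    )
    return conn


def lookup_vulnerable(conn, submission_id):
    """Untrusted input concatenated into the SQL text: the payload becomes part of the query."""
    sql = "SELECT your_name FROM submissions WHERE id = " + submission_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, submission_id):
    """Bind variable: the input is passed as data, so 'sleep(...)' is a string matching no id."""
    sql = "SELECT your_name FROM submissions WHERE id = ?"
    return conn.execute(sql, (submission_id,)).fetchall()


def timed(fn, *args):
    """Run fn and return (rows, seconds elapsed): the measurement a timing scanner makes."""
    start = time.perf_counter()
    rows = fn(*args)
    return rows, time.perf_counter() - start


# Whitelist for a locale-like hidden field such as _wpcf7_locale. The accepted shape
# (e.g. en_US, de_DE, fr) is an assumption for this example, not Contact Form 7's rule.
LOCALE_RE = re.compile(r"[a-z]{2,3}(?:_[A-Z]{2})?")


def validate_locale(value):
    """Accept only values matching the whitelist pattern; everything else is rejected."""
    return LOCALE_RE.fullmatch(value) is not None


if __name__ == "__main__":
    conn = make_db()
    print("benign id 4:", lookup_vulnerable(conn, "4"))
    rows, secs = timed(lookup_vulnerable, conn, PAYLOAD)
    print(f"concatenated + payload: rows={rows} elapsed={secs:.2f}s (delayed, wrong row)")
    rows, secs = timed(lookup_parameterized, conn, PAYLOAD)
    print(f"bind variable + payload: rows={rows} elapsed={secs:.2f}s (no delay, no match)")
    for candidate in ["en_US", "fr", PAYLOAD, "sleep 16", "sleep(16000/1000);"]:
        print(f"validate_locale({candidate!r}) -> {validate_locale(candidate)}")
```

With the concatenated query the payload does two things a scanner can observe: the response is delayed by the sleep, and the `or ... LIMIT 1` part changes which row comes back. With the bind variable the same string is compared as data against the integer id, so there is no delay and no match. The whitelist check is the first line of defence the SUGGESTION text describes; the same validate-then-bind discipline applies to the `sleep 16` and `sleep(16000/1000);` payloads of the command and code injection findings, where the fix is to never pass the value to a shell or an eval at all.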