• Resolved edtorrey

    (@edtorrey)


    When not logged in and with page content not blocked, a simple form used as Contact Us triggers a Local File Inclusion error. When logged in there is no error (the form does not present the numeric challenge to defeat robots). Browsers are Safari on iOS, Chrome on iOS, Firefox on Win7.

    Explanation of LFI: https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion

    My
    WP is v4.6.1
    Wordfence Security is v6.2.2
    VFB is v2.9.2

    The form collects
    Name in plain text field,
    Email in email field,
    Memo in multi line of text field.
    When not logged in the form is asking for two digits to validate a human actor.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Hello Edtorrey,

    Does the form work with Wordfence turned off? If it does, we would suggest working with Wordfence to see how an exception can be made. However, our plugin works with Wordfence all the time unless they have changed something. This honestly sounds like something server side, and you might want to work with your host to see if they have some settings preventing it from working properly.

    Hope this helps!
    Joseph Kibler
    VFBPro Support

    Thread Starter edtorrey

    (@edtorrey)

    Hi Joseph

    I apologize for the delay in my reply.
    Thank you for your broad reply. And for acknowledging the interoperability with Wordfence’s product.

    I was able to enable the VFB Form by disabling the Firewall rule for Local File Inclusion.

    To your question then, yes, by bypassing LFI.

    What you did not address at all in your broad response was to address the design for the form app to trigger LFI when the human user challenge is included.

    As the form developer, surely you must know if the code is in any way taking actions described by the open application security group in the link I provided.

    Thank you for reopening this item. I anticipate your reply.

    Cheers

    Hello,

    VFBPro is used very often with WordFence, so this may be a new development. We will have to take a look at this; thank you for making us aware of this. I’ll pass this on to the developer to see if we need to look at something here.

    Thanks,
    Joseph
    VFBPro Support

  • The topic ‘VFB form is triggering firewall blocking’ is closed to new replies.