
Only checking first variable?

Open skmbr opened this issue 9 years ago • 4 comments

Hi There,

I am currently experimenting with VSF on a development server and am finding that it only catches malicious content if it was put in the first field of a form.

Something like this for example:

<script>alert(1);</script>

Causes a 403 to be returned if put in the very first element of any form that I have tested. If I put that in any other field, VSF ignores it.

Is anyone else seeing similar behaviour or have I just set something up wrong? Currently I have a completely out-of-the-box config and just followed the install instructions from here. No other changes have been made.

Any help or advice would be greatly appreciated! Thanks!

skmbr avatar Mar 11 '15 15:03 skmbr

Further to this, I have just discovered that this only occurs on forms that are multipart/form-data encoded.

skmbr avatar Mar 11 '15 15:03 skmbr

Long overdue update.

We had a discussion with @comotion today about this among other things.

Handling of form-data and multiple elements will be implemented in the vsf vmod. Potential syntax:

  • Iterating directly:

        if (vsf.each(data, "..")) {
          ...
        }

  • Iterating via the form object:

        form = new vsf.form(2048B);
        ...
        if (form.each(data, "..")) {
          ...
        }

Maybe others.

There are some outstanding details to close before deciding.

fgsch avatar Jul 28 '15 17:07 fgsch

Hi fgsch,

Good day. Have you guys made any progress on this so far?

hellracer avatar Oct 19 '15 03:10 hellracer

@hellracer Not really. I've been quite busy.

That said, the latest code won't try to parse the form so you can check the raw data.

fgsch avatar Oct 21 '15 23:10 fgsch
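
The behaviour reported in this thread, as an added example that is not part of the original discussion and is not VSF code: a multipart/form-data body is split into all of its parts and every field is inspected, next to a first-field-only check that misses the second field. The regex, the function names and the sample body are constructed for illustration.

```python
import re
from email.parser import BytesParser
from email.policy import HTTP

# Illustrative signature only (assumption); a real rule set is far broader.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)

def form_fields(content_type, body):
    """Yield (name, value) for every part of a multipart/form-data body."""
    # Prepend the request's Content-Type so the MIME parser knows the boundary.
    raw = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body
    msg = BytesParser(policy=HTTP).parsebytes(raw)
    if not msg.is_multipart():
        # Fail closed: an unparseable body must not pass as "clean".
        raise ValueError("not a parseable multipart body")
    for part in msg.iter_parts():
        name = part.get_param("name", header="content-disposition")
        payload = part.get_payload(decode=True) or b""
        yield name, payload.decode("utf-8", errors="replace")

def flagged_fields(content_type, body, first_only=False):
    """Return names of fields matching the signature.

    first_only=True reproduces the reported behaviour: only the first
    part of the form is inspected.
    """
    hits = []
    for index, (name, value) in enumerate(form_fields(content_type, body)):
        if first_only and index > 0:
            break
        if SCRIPT_TAG.search(value):
            hits.append(name)
    return hits

# Constructed sample request body: the test string sits in the second field.
BOUNDARY = "constructed-boundary"
SAMPLE_CT = f"multipart/form-data; boundary={BOUNDARY}"
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="name"\r\n\r\n'
    "alice\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="comment"\r\n\r\n'
    "<script>alert(1);</script>\r\n"
    f"--{BOUNDARY}--\r\n"
).encode("ascii")

if __name__ == "__main__":
    print("first field only:", flagged_fields(SAMPLE_CT, SAMPLE_BODY, first_only=True))
    print("every field:     ", flagged_fields(SAMPLE_CT, SAMPLE_BODY))
```
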