$value['id'] is not validated against invalid characters
Bug Report
| Q | A |
|---|---|
| Version(s) | 2.9.0 + 2.10.0 |
Summary
We've seen a rise in error messages of this kind:

```
Laminas\Session\Exception\InvalidArgumentException /PROJECT/src/vendor/laminas/laminas-session/src/AbstractContainer.php
Name passed to container is invalid; must consist of alphanumerics, backslashes and underscores only
```
They all occur on our different contact forms.
Current behavior
If a malicious user modifies the value of the hidden form field "captcha[id]", it results in an InvalidArgumentException:

```
Laminas\Session\Exception\InvalidArgumentException /PROJECT/vendor/laminas/laminas-session/src/AbstractContainer.php
Name passed to container is invalid; must consist of alphanumerics, backslashes and underscores only
0 /PROJECT/vendor/laminas/laminas-captcha/src/AbstractWord.php(260): Laminas\Session\AbstractContainer->__construct()
1 /PROJECT/vendor/laminas/laminas-captcha/src/AbstractWord.php(289): Laminas\Captcha\AbstractWord->getSession()
2 /PROJECT/vendor/laminas/laminas-captcha/src/AbstractWord.php(402): Laminas\Captcha\AbstractWord->getWord()
3 /PROJECT/vendor/laminas/laminas-validator/src/ValidatorChain.php(245): Laminas\Captcha\AbstractWord->isValid()
4 /PROJECT/vendor/laminas/laminas-inputfilter/src/Input.php(433): Laminas\Validator\ValidatorChain->isValid()
5 /PROJECT/vendor/laminas/laminas-inputfilter/src/BaseInputFilter.php(274): Laminas\InputFilter\Input->isValid()
6 /PROJECT/vendor/laminas/laminas-inputfilter/src/BaseInputFilter.php(228): Laminas\InputFilter\BaseInputFilter->validateInputs()
7 /PROJECT/vendor/laminas/laminas-form/src/Form.php(531): Laminas\InputFilter\BaseInputFilter->isValid()
8 /PROJECT/module/Frontend/src/Controller/IndexController.php(210): Laminas\Form\Form->isValid()
```
How to reproduce
Create a form and add the Captcha::class element, with options along these lines:

```php
'captcha' => [
    'class'          => 'Image',
    'font'           => '/usr/share/fonts/truetype/lato/Lato-Bold.ttf',
    'ImgDir'         => './public/frontend/captcha/',
    'ImgUrl'         => '/captcha/',
    'wordLen'        => 5,
    'DotNoiseLevel'  => 5,
    'LineNoiseLevel' => 3,
],
```

In your browser's inspector, modify the captcha[id] value by replacing one character with a special character like "[" and then submit the form.
Expected behavior
If an attacker modifies the value of captcha[id], it should simply be rejected.
The solution should be pretty simple. In laminas-captcha/src/AbstractWord.php, lines 396 to 399 validate only for existence of the id:

```php
if (! isset($value['id'])) {
```

Something like this would validate against the allowed characters instead (same regex as in laminas-session/src/AbstractContainer.php):

```php
if (! preg_match('/^[a-z0-9][a-z0-9_\\\\]+$/i', $value['id'])) {
    $this->error(self::MISSING_ID);
    return false;
}
```
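To show why the check belongs in the validator rather than relying on the session layer, here is an added, self-contained illustration (not code from laminas-captcha or laminas-session). `ContainerNameStub` stands in for the name check in the session container constructor, using the same regex and message quoted in the trace above; `isValidBefore()` mirrors the existence-only flow described in this report, and `isValidAfter()` applies the proposed regex check first. The captcha ids, the `[` tampering and the function names are assumptions for the example; the real word comparison is omitted.

```php
<?php
// Added illustration, not library code. Stand-in for the name check in
// Laminas\Session\AbstractContainer::__construct(): a name with anything but
// alphanumerics, backslashes and underscores throws.
final class ContainerNameStub
{
    public static function assertValidName(string $name): void
    {
        if (! preg_match('/^[a-z0-9][a-z0-9_\\\\]+$/i', $name)) {
            throw new InvalidArgumentException(
                'Name passed to container is invalid; must consist of alphanumerics, backslashes and underscores only'
            );
        }
    }
}

// "Before": only checks that an id exists, then hands it to the session
// container, so a tampered id surfaces as an uncaught exception (HTTP 500 + log noise).
function isValidBefore(array $value): bool
{
    if (! isset($value['id'])) {
        return false;
    }
    ContainerNameStub::assertValidName($value['id']); // throws on "a1b2[3d4e5f6"
    return true; // word comparison omitted in this illustration
}

// "After": the reporter's regex check runs before the id reaches the session
// layer, so a tampered id is a plain validation failure.
function isValidAfter(array $value): bool
{
    if (! isset($value['id']) || ! preg_match('/^[a-z0-9][a-z0-9_\\\\]+$/i', $value['id'])) {
        return false; // rejected like a missing id; no exception, nothing to log
    }
    ContainerNameStub::assertValidName($value['id']); // cannot throw any more
    return true;
}

// Constructed sample submissions (assumed ids; real ones are hex strings).
$cases = [
    'legit'   => ['id' => 'a1b2c3d4e5f6', 'input' => 'xyz'],
    'tamper'  => ['id' => 'a1b2[3d4e5f6', 'input' => 'xyz'],
    'missing' => ['input' => 'xyz'],
];

foreach ($cases as $label => $value) {
    try {
        printf("%-8s before: %s\n", $label, isValidBefore($value) ? 'valid' : 'rejected');
    } catch (InvalidArgumentException $e) {
        printf("%-8s before: EXCEPTION (%s)\n", $label, $e->getMessage());
    }
    printf("%-8s after:  %s\n", $label, isValidAfter($value) ? 'valid' : 'rejected');
}
```

Running it with `php example.php` shows the "tamper" case raising the exception in the "before" path and being quietly rejected in the "after" path; the "legit" and "missing" cases behave the same either way.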
Still open and active bug. At least it stops hackers from sending actual emails... (but floods mail logs). I even noticed that it's possible to reuse a captcha multiple times until the expiration time has expired; that's a separate bug....