CiviCRM Community Forums (archive)

This forum was archived on 25 November 2017. Learn more.
Topic: Membership signup - bypassing the required fields - security issue?

KarinG
  • CiviCRM version: 4+
  • CMS version: Drupal 6 / 7
  • MySQL version: MariaDB
  • PHP version: 5.3/5.4/5.5
Membership signup - bypassing the required fields - security issue?
May 15, 2013, 08:23:47 pm
We're seeing some annoying traffic from a specific IP on one of our sites. Somehow they are successfully submitting a form without filling out the required fields on a Membership signup Contribution Page:

http://www.greenschools.ca/civicrm/contribute/transact?reset=1&id=3

The Email confirmation as a result of traffic from that specific IP surprisingly does not contain any of the required Organization Details fields:

Thank you for registering in the GREEN Schools online community.
Membership Information
Membership Type    GREEN Schools Membership
Membership Start Date    May 15th, 2013
Personal - Profile
First Name    vpfgvfegazCB
Last Name    yqtcvfcovsCB

If this is a bot that somehow bypasses the jQuery bits relating to the On Behalf of Organization signup, how does it pass or bypass the reCaptcha that is attached to the Personal Profile?

We've now blocked this IP. The IP originated from France, so we're quite sure they weren't looking for a legitimate GREEN Schools Canada membership! But we're puzzled as to how this can happen and what it means for other Contribution pages.

adixon
  • Blackfly Solutions
Re: Membership signup - bypassing the required fields - security issue?
May 16, 2013, 05:35:27 am
My best guess about what's going on here is:

1. The 'require sign up on behalf of an organization' setting appears to be implemented entirely with JavaScript. When I turn off JavaScript, the page behaves as if that configuration wasn't set (it does not even display the option to sign up on behalf of an organization).

2. The submissions are coming from a person who is trolling around with JavaScript turned off; that's how they are getting through the reCaptcha.

So - the issue of spam getting through is probably not an actionable issue here.

The issue of requiring JavaScript to implement the on-behalf-of requirement seems a bit of a dangerous road. As a general principle, JavaScript isn't supposed to implement required-fields functionality on its own. Is this a case where it actually makes sense, or is it a special case, or what?
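The flaw adixon describes above, as an added illustration that is not part of the original thread and not CiviCRM's own code: a server-side handler that only checks the organization fields when a flag set by the page's JavaScript arrives will accept a submission from any client that never ran that JavaScript (a browser with it disabled, or a bot posting straight to the endpoint). The hardened version derives the requirement from the server-side page configuration instead, and treats a missing CAPTCHA token as a rejection rather than a skip. The field names, the `onbehalf_js_enabled` flag, the `PAGE_CONFIG` dictionary and both sample submissions are constructed assumptions for this example; the bot's first and last name values are the ones quoted in the original post.

```python
"""Client-side-only 'required' fields versus server-side enforcement.

Constructed example; the field names and config schema are assumptions,
not CiviCRM's real form or database layout.
"""
from dataclasses import dataclass, field

# Hypothetical page configuration as set by the site admin (assumed schema).
PAGE_CONFIG = {"on_behalf_required": True, "captcha_enabled": True}

PERSONAL_FIELDS = ("first_name", "last_name")
ORG_FIELDS = ("organization_name", "org_street_address", "org_email")


@dataclass
class Result:
    accepted: bool
    errors: list = field(default_factory=list)


def _missing(form: dict, names) -> list:
    """Return an error per field that is absent or blank in the POST body."""
    return [f"{n} is required" for n in names if not form.get(n, "").strip()]


def validate_vulnerable(form: dict) -> Result:
    """Mirrors the flaw under discussion: the server trusts a flag that only
    the page's JavaScript sets. A client that never ran that JavaScript omits
    the flag, so the organization fields are never checked at all."""
    errors = _missing(form, PERSONAL_FIELDS)
    if form.get("onbehalf_js_enabled") == "1":  # attacker controls this
        errors += _missing(form, ORG_FIELDS)
    return Result(not errors, errors)


def validate_hardened(form: dict, config: dict = PAGE_CONFIG) -> Result:
    """Requirements come from server-side configuration, never from the
    request. Whatever the browser did or did not render is irrelevant."""
    errors = _missing(form, PERSONAL_FIELDS)
    if config["on_behalf_required"]:
        errors += _missing(form, ORG_FIELDS)
    if config["captcha_enabled"] and not form.get("g-recaptcha-response"):
        # A real handler would also call the provider's verify endpoint with
        # the token; the point here is that absence is a failure, not a skip.
        errors.append("captcha response missing")
    return Result(not errors, errors)


# Constructed submissions. The browser one is what the JavaScript-driven page
# posts; the bot one is what arrived in the original poster's confirmation mail.
BROWSER_SUBMISSION = {
    "first_name": "Jane",
    "last_name": "Doe",
    "onbehalf_js_enabled": "1",
    "organization_name": "Example School",
    "org_street_address": "1 Main Street",
    "org_email": "office@example.org",
    "g-recaptcha-response": "constructed-token",
}
BOT_SUBMISSION = {"first_name": "vpfgvfegazCB", "last_name": "yqtcvfcovsCB"}


def run_demo() -> dict:
    """Run both validators over both submissions and return the outcomes."""
    return {
        "vulnerable_browser": validate_vulnerable(BROWSER_SUBMISSION),
        "vulnerable_bot": validate_vulnerable(BOT_SUBMISSION),
        "hardened_browser": validate_hardened(BROWSER_SUBMISSION),
        "hardened_bot": validate_hardened(BOT_SUBMISSION),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: accepted={result.accepted} errors={result.errors}")
```

The vulnerable handler accepts the bot's two-field submission because the only signal that the organization block was "required" came from the client. The hardened handler rejects it with one error per missing organization field plus the missing CAPTCHA token, while the complete browser submission still passes, so the fix costs legitimate users nothing.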

Dave Greenberg
  • Administrator
  • My CiviCRM Blog
Re: Membership signup - bypassing the required fields - security issue?
May 16, 2013, 11:05:28 am
We agree that relying on JavaScript for required fields isn't great, AND Coleman on our team spent a big chunk of time fixing front-end pages to handle no-JavaScript conditions as best as we could for the 4.3 release.

I just verified on a 4.3 sandbox that the On Behalf fields are displayed and the requirements are enforced with JavaScript disabled.

KarinG
Re: Membership signup - bypassing the required fields - security issue?
May 16, 2013, 11:11:46 am
Excellent. Thank you Dave and thank you Coleman! GREEN Schools is indeed still on the 4.2.x branch. I have started scheduling 4.3.x upgrades for our projects starting next month. Glad to hear this has already been addressed. Awesome!
