
Form is submitting empty data

We have a site where there are a lot of different forms submitting the same data format (the previous developer did it this way; why, I will never know). My question is, can I find out which page submitted this form data, so I can go into the file and fix the issue? Also, I understand that there is a lot of old code (HTML 4); I'm just trying to solve the problem so I can then go back and update it to HTML 5 once it's fixed.

I have two assumptions as to why the data could be submitting blank results:

  1. There is no client or server-side validation going on.
  2. It's possible a spam bot is bypassing the validation and just submitting blank data to the emails.

I went to one file that I believed was one of the sources of the issue, and modified the following code to try to stop the blank form submission results from happening. Would this still be vulnerable to blank submission results?

Form:

<cfparam name="form.firstName"  default="">
<cfparam name="form.lastName"   default="">
<cfparam name="form.email"      default="">
<cfparam name="form.subject"    default="">
<cfparam name="form.comments"   default="">

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
<title>Example form problem</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>

<meta name="viewport" content="initial-scale=1">

    <link type="text/css" rel="stylesheet" href="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8/themes/base/jquery-ui.css" />
    <link rel="shortcut icon" property="icon" href="favicon.ico" />
    <link rel="stylesheet" type="text/css" href="//cloud.typography.com/7136474/785948/css/fonts.css" />

    <link rel="stylesheet" href="css/style.css" TYPE="text/css">
    <link rel="stylesheet" href="css/online-reservations.css" TYPE="text/css"> 

    <link href="css/flexnav.css" media="screen, projection" rel="stylesheet" type="text/css">   

    <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js"></script>
    <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8/jquery-ui.min.js"></script>

    <script src="js/jquery.flexnav.js" type="text/javascript"></script>
    <script type="text/javascript">     

        jQuery(document).ready(function($) {
            // initialize FlexNav
            $(".flexnav").flexNav();
        });

    </script>

</head>

<body id="contact">

<div id="pageHeader">
<ul>  
    <li class="right">        
            <br/>
            <div class="login" style="margin-top:11px;"><span><a href="../account.cfm" title="Register or login to your account">LOGIN</a></span></div>      
    </li>
</ul>
</div><!-- END pageHeader-->


<!-- Nav -->
<div class="nav-wrapper">
<cfinclude template="includes/mobile-menu.cfm" >
</div>
<!-- /Nav -->

<br/><br/>
<br/><br/>    
<br/><br/>

<div class="full-width-light-bg blue little">
<div class="page-width light-bg">
<h1 class="skinny">Contact Us</h1>
<br/> 

<form name="ContactForm" action="_email_results.cfm" method="POST">

<div id="frmReservation">

<div class="input-wrapper">
<span>First Name</span>
<!-- message= and validate= are cfinput attributes; a plain <input> ignores them -->
<input name="FirstName" 
                message="Please enter your first name" 
                type="text" 
                maxlength="50"
                id="firstName"
                required>
</div><!--/input-wrapper-->


<div class="input-wrapper">
<span>Last Name</span>
<input  name="LastName" 
                message="Please enter your last name" 
                type="text" 
                maxlength="50"
                id="lastName"
                required>
</div><!--/input-wrapper-->


<div class="input-wrapper">
<span>E-mail Address</span>
  <input    name="email" 
                message="Please enter a valid email address" 
                type="email" 
                maxlength="50"
                id="email"
                validate="Email"
                required>
</div><!--/input-wrapper-->


<div class="input-wrapper">
<span>Subject</span>
<input
    name="Subject"
    id="subject"
    type="Text"
    required >
</div><!--/input-wrapper-->


<div class="input-wrapper">
<span>Comment</span>
    <textarea name="Comments" wrap="hard"></textarea>
</div><!--/input-wrapper-->


<center><br/>
<input
    class="redButton"
    id="submitButton"
    type="submit"
    value="Send"
    title="Submit Contact Us Form">
</center>
    <cfinclude template="../../cfformprotect/cffp.cfm">

</div><!--/#frmReservation-->
</form>   

<br class="clear" /><br/>

</div><!--END page-width light-bg-->
</div><!--END full-width-light-bg little-->


<script type="text/javascript" src="js/toggle-menu.js"></script>
    <script type="text/javascript">
        var firstName = document.getElementById('firstName');
        var lastName = document.getElementById('lastName');
        var email = document.getElementById('email');
        var subject = document.getElementById('subject');
        var submitButton = document.getElementById('submitButton');

        submitButton.addEventListener('click', function(e){
            //console.log('test');
            if(firstName.value == '' || lastName.value == '' || email.value == '' || subject.value == ''){
                alert('Please fill out all fields.');
                // Prevent form submission
                e.preventDefault();
            }
        });

    </script>
</body>
</html>

Form Data:

<cfparam name="form.firstName"  default="">
<cfparam name="form.lastName"   default="">
<cfparam name="form.email"      default="">
<cfparam name="form.subject"    default="">
<cfparam name="form.comments"   default="">

<!doctype html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="refresh" content="3; url=index.cfm">
<title>Thank you for submitting your notes</title>
<link rel="stylesheet" type="text/css" href="//cloud.typography.com/7136474/785948/css/fonts.css" />
<link rel="stylesheet" href="css/style.css" TYPE="text/css">
</head>

<body id="contact">
<br/><br/>
<h1 align="center" class="color-white">Thank You For Contacting Us!</h1>
<div align="center" class="color-white">You will be re-directed</div>
<CFOUTPUT>
<CFSAVECONTENT variable="EmailContent">
<font Face="arial,helvetica" size="1">
<table bgcolor="white" width="600" style="font-family:'Arial',Helvetica;font-size:11px;">
<tr bgcolor="BAD8EA">
    <td colspan=3>Center Reservation</td>
</tr>
<tr>
    <td width="150">Date: #DateFormat(NOW())# at #Timeformat(NOW())#</td>
    <td>&nbsp;</td>
</tr>

<tr bgcolor="e43226">
    <td colspan=3></td>
</tr>
<tr>
    <td>First Name:</td>
    <td>#form.firstName#</td>
</tr>

<tr bgcolor="e43226">
    <td colspan=3></td>
</tr>
<tr>
    <td>Last Name:</td>
    <td>#form.lastName#</td>
</tr>

<tr bgcolor="e43226">
    <td colspan=3></td>
</tr>
<tr>
    <td>Email Address</td>
    <td>#form.email#</td>
</tr>

<tr bgcolor="e43226">
    <td colspan=3></td>
</tr>
<tr>
    <td>Subject:</td>
    <td>#form.subject#</td>
</tr>

<tr bgcolor="e43226">
    <td colspan=3></td>
</tr>
<tr>
    <td>Comments:</td>
    <td>#form.comments#</td>
</tr>

<tr bgcolor="e43226">
    <td colspan=3></td>
</tr>

</table>
</font>
</CFSAVECONTENT>
</CFOUTPUT>

<cfif form.firstName EQ '' || form.lastName EQ '' || form.email EQ '' || form.subject EQ ''>
    <!--- Do nothing do not email the results --->
    <cfelse>
        <!--- Submit the form --->
        <cfmail to      ="test@test.com"
                cc      ="test@test.com"
                bcc     =""
                from    ="#AppVars.mailfrom#"
                server  ="#AppVars.mailserver#"
                type    ="html"
                subject ="Form issue">
            #EmailContent#  
        </cfmail>
</cfif>

</body>
</html>
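As an added example (not code from the original post), here is a version of the gate in _email_results.cfm that does not depend on the browser. The check form.firstName EQ '' in the page above is false for a value of a single space, and the required attributes and the click handler are skipped entirely by anything that POSTs to _email_results.cfm directly, so the handler has to trim and validate on its own. The field names, the AppVars mail settings and the recipient are taken from the page; the contactform log file name is an assumption.

```cfml
<!--- Added example: server-side gate for _email_results.cfm (ColdFusion 10+). --->
<cfparam name="form.firstName" default="">
<cfparam name="form.lastName"  default="">
<cfparam name="form.email"     default="">
<cfparam name="form.subject"   default="">
<cfparam name="form.comments"  default="">

<cfset errors = []>

<!--- " " EQ '' is false, so whitespace-only posts pass the original check.
      Trim before testing length. --->
<cfloop list="firstName,lastName,email,subject" index="fieldName">
    <cfif NOT Len(Trim(form[fieldName]))>
        <cfset ArrayAppend(errors, "#fieldName# is required")>
    </cfif>
</cfloop>

<!--- type="email" in the browser is advisory; validate the syntax here. --->
<cfif Len(Trim(form.email)) AND NOT IsValid("email", Trim(form.email))>
    <cfset ArrayAppend(errors, "email is not a valid address")>
</cfif>

<!--- Enforce the maxlength="50" the form declares; a bot ignores the attribute. --->
<cfloop list="firstName,lastName,email" index="fieldName">
    <cfif Len(form[fieldName]) GT 50>
        <cfset ArrayAppend(errors, "#fieldName# exceeds 50 characters")>
    </cfif>
</cfloop>

<cfif ArrayLen(errors)>
    <!--- Reject before any mail is built; the log shows how often blanks arrive. --->
    <cflog file="contactform" type="warning"
           text="Rejected submission from #cgi.remote_addr#: #ArrayToList(errors, '; ')#">
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput><p>Please fill out all fields.</p></cfoutput>
    <cfabort>
</cfif>

<!--- The values are attacker-controlled text going into an HTML mail body,
      so encode them. The subject stays a constant: user text in mail
      headers is a header-injection risk. --->
<cfsavecontent variable="EmailContent">
<cfoutput>
<table>
  <tr><td>Date:</td><td>#DateFormat(Now())# at #TimeFormat(Now())#</td></tr>
  <tr><td>First Name:</td><td>#EncodeForHTML(Trim(form.firstName))#</td></tr>
  <tr><td>Last Name:</td><td>#EncodeForHTML(Trim(form.lastName))#</td></tr>
  <tr><td>Email Address:</td><td>#EncodeForHTML(Trim(form.email))#</td></tr>
  <tr><td>Subject:</td><td>#EncodeForHTML(Trim(form.subject))#</td></tr>
  <tr><td>Comments:</td><td>#EncodeForHTML(form.comments)#</td></tr>
</table>
</cfoutput>
</cfsavecontent>

<cfmail to="test@test.com"
        from="#AppVars.mailfrom#"
        server="#AppVars.mailserver#"
        type="html"
        subject="Contact form submission">
    #EmailContent#
</cfmail>
```

The client-side JavaScript can stay as a convenience for real users, but it is not a control: a scripted client never runs it, which is why every check above is repeated on the server.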

This is more of a long comment than an answer, but here goes. Consider using CSRF tokens.

The page that has the form should have

<cfset csrfToken = CSRFGenerateToken()>
<cfoutput><input name="token" value="#csrfToken#" type="hidden" /></cfoutput>

The response page should have

<cfparam name="form.token" default="">
<cfif !CSRFverifyToken(form.token)>
   <p>I am not going to run this page</p>
   <cfexit>
</cfif>

This might help take care of some of the attacks.

Cross Site Request Forgery also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a malicious attack to exploit a website's trust in a user's browser. The attacker tries to get the user's own web browser (or web application) to execute unwanted commands.

For more info on CSRF: https://stackoverflow.com/tags/csrf/info

Direct answer: to work out which page submitted the data, you would need to store cgi.http_referer along with the form.

I would also suggest the CSRF answer above, but your question asks how to find out which form submitted, not whether it did.

I'd also set Content-Security-Policy headers on your web server to limit sources of information.
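The two answers above combined, as an added example that is not code from either answer: every form page emits a per-session CSRF token plus a hidden field naming its own URL path, and _email_results.cfm logs that field together with cgi.http_referer and the client address before it verifies the token, so even rejected posts can be traced to a file. It assumes ColdFusion 10 or later with this.sessionManagement = true in Application.cfc (CSRFGenerateToken needs a session), and the paths in knownForms and the contactform log name are placeholders.

```cfml
<!--- Added example. Part 1: in EVERY page that posts to _email_results.cfm. --->
<!--- form-action tells browsers this page may only submit to its own origin. --->
<cfheader name="Content-Security-Policy" value="form-action 'self'">
<cfset csrfToken = CSRFGenerateToken()>
<cfoutput>
<form name="ContactForm" action="_email_results.cfm" method="POST">
    <!-- per-session token; a cross-site forged POST will not carry it -->
    <input type="hidden" name="token"  value="#csrfToken#">
    <!-- this page's own URL path, so the handler can name the posting file -->
    <input type="hidden" name="source" value="#EncodeForHTMLAttribute(cgi.script_name)#">
    <!-- the visible fields from the original form belong here -->
    <input type="submit" value="Send">
</form>
</cfoutput>

<!--- Part 2: top of _email_results.cfm, before any mail is built. --->
<cfparam name="form.token"  default="">
<cfparam name="form.source" default="">

<!--- Log the origin first, so rejected posts are traceable too. Referer is
      client-supplied and often empty (bots, Referrer-Policy); the hidden
      field is also client-supplied, but your own page sets it, which is
      enough to find the file that needs fixing. --->
<cflog file="contactform" type="information"
       text="POST source='#form.source#' referer='#cgi.http_referer#' ip=#cgi.remote_addr# ua='#cgi.http_user_agent#'">

<cfif NOT CSRFVerifyToken(form.token)>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfoutput><p>Missing or invalid form token.</p></cfoutput>
    <cfabort>
</cfif>

<!--- Assumed list of the forms allowed to post here. --->
<cfset knownForms = "/contact.cfm,/reservations/index.cfm">
<cfif NOT ListFindNoCase(knownForms, form.source)>
    <cflog file="contactform" type="warning"
           text="Post from unknown source '#form.source#' (referer '#cgi.http_referer#')">
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>
<!--- validation and cfmail follow here --->
```

Two caveats. The token stops cross-site forgery, not spam: a bot that fetches the form page first receives a valid token for its own session, so the server-side field validation is still required. And CSP is enforced by browsers only; a script that POSTs straight to _email_results.cfm never sees the header, so treat it as protection for your users' browsers rather than for the handler.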
