Potential security vulnerability!

  • swka
    Asked on 29 January 2024 at 05:25

    Hello everyone,

    in one of our surveys, participants managed to get around the form and submit new answer options of their own.

    We were holding a vote on a new name. There were 4 different names to choose from. Attached is an image showing an additional answer.

    Our IT department looked into this and reported that one can modify the HTTP POST request and send it separately. The server takes the value from the request.

    Especially with large surveys, this naturally skews the survey result and can theoretically render the surveys unusable in the end.

    This constitutes a potential security vulnerability.

    [Image 1: screenshot]


  • Rene Jotform Support
    Answered on 29 January 2024 at 07:36

    Hi swka,

    Thanks for reaching out to Jotform Support. Unfortunately, our German Support agents are busy helping other Jotform users at the moment. I'll try to help you in English using Google Translate, but you can reply in whichever language you feel comfortable using. Or, if you'd rather have support in German, let us know and we can have them do that. But, keep in mind that you'd have to wait until they're available again.

    Now, let me help you with your question. I'm sorry that this is happening. I checked your account and I saw multiple forms from it. Can you please share with us the link to the form you're referring to so that we can assist you better and respond accordingly? However, note that the applicant might have been able to bypass the fields due to their browser's JavaScript being disabled/turned off. The required fields are checked using JavaScript, and as such, if they are disabled, then the user will be able to submit the form even if a required field is not filled.

    To prevent the user from submitting the form if their JavaScript is disabled, you can add the NoScript widget to your form. When this widget is added to the form, it will conditionally hide the entire form and display the message you defined when JavaScript is disabled in their browser.

    Give it a try and let us know how it goes.
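The first post reports that a modified POST request was accepted as a vote, and the reply above explains that the required-field checks run in the browser's JavaScript. Since a hand-crafted request never runs that JavaScript, the check a defender wants is on the server: accept a vote only if its value is one of the options the server itself offered, and log everything else. The following is an added example written for this thread, not code from Jotform or from either poster; the four option names, the field name `q1_name`, and the sample request bodies are all constructed placeholders.

```python
from urllib.parse import parse_qs

# Constructed allowlist standing in for the four names the poll offered
# (the thread does not list them; these are placeholders).
ALLOWED_CHOICES = frozenset({"Name A", "Name B", "Name C", "Name D"})

# Hypothetical field name for the single-choice question.
CHOICE_FIELD = "q1_name"


class InvalidSubmission(ValueError):
    """Raised when a POST body does not carry exactly one offered choice."""


def validate_vote(raw_body: str, field: str = CHOICE_FIELD,
                  allowed: frozenset = ALLOWED_CHOICES) -> str:
    """Parse an application/x-www-form-urlencoded body and return the chosen
    option only if it is one the server itself offered.

    The check runs on the server, so it holds whether the request came from
    the rendered form, from a browser with JavaScript disabled, or from a
    hand-crafted POST that never touched the form's own scripts.
    """
    params = parse_qs(raw_body, keep_blank_values=True)
    values = params.get(field, [])
    if len(values) != 1:
        raise InvalidSubmission(
            f"expected exactly one value for {field!r}, got {len(values)}")
    choice = values[0].strip()
    if choice not in allowed:
        raise InvalidSubmission(f"value is not an offered option: {choice!r}")
    return choice


def tally(bodies):
    """Count valid votes per option and collect rejected bodies with the
    reason, so tampering attempts show up in logs instead of in the result."""
    counts = {name: 0 for name in sorted(ALLOWED_CHOICES)}
    rejected = []
    for body in bodies:
        try:
            counts[validate_vote(body)] += 1
        except InvalidSubmission as exc:
            rejected.append((body, str(exc)))
    return counts, rejected


# Constructed sample bodies: three legitimate votes, one crafted request that
# injects a fifth option, one that omits the field, and one that sends two values.
SAMPLE_BODIES = [
    "q1_name=Name+A",
    "q1_name=Name+C",
    "q1_name=Name+A",
    "q1_name=Totally+Different+Name",
    "other=1",
    "q1_name=Name+B&q1_name=Name+D",
]

if __name__ == "__main__":
    counts, rejected = tally(SAMPLE_BODIES)
    print("counts:", counts)
    for body, reason in rejected:
        print("rejected:", body, "->", reason)
```

Run as a script, the three legitimate bodies are counted and the other three end up in the rejected list with a reason. The point of keeping the rejected entries rather than silently dropping them is detection: a burst of rejected bodies during a poll is the signal that someone is submitting outside the form.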

  • swka
    Answered on 30 January 2024 at 02:57

    Hello,

    the survey in question is at the following link: https://form.jotform.com/swka/finale-umfrage-cafebar-informatikom

  • Ibrar Jotform Support
    Answered on 30 January 2024 at 05:22

    Hi swka,

    Thanks for getting back to us. Unfortunately, our German Support agents are busy helping other Jotform users at the moment. I'll try to help you in English using Google Translate, but you can reply in whichever language you feel comfortable using. Or, if you'd rather have support in German, let us know and we can have them do that. But, keep in mind that you'd have to wait until they're available again.

    I cloned your form and tested it to see if I could replicate the issue, but everything was working properly. Check out the screenshots below to see my results:

    Form Submission

    [Image 1: screenshot]

    Report

    [Image 2: screenshot]

    As mentioned by my colleague, a user may bypass the required field if they disable JavaScript. To prevent the user from submitting the form, if their JavaScript is disabled, you can add the NoScript widget to your form.

    Give it a try and reach out again if you have any other questions.