Secure Web Forms Without SSL

Hi,

I have a Magento website and I’ve installed some different kinds of forms like quickcontact and product questions, but when I run a security scan from McAfee it comes back as a vulnerability because an attacker can harvest people’s email addresses.

Unencrypted Sensitive Form Detected

I noticed the Magento default contact form doesn’t cause any security errors and it’s not on a secure page.

How can I make these forms secure like the contact us form? I don’t want to make the pages SSL because they are just scattered here and there and the product question form is on the product page. There must be something different about the Contact Us default Magento form that the others don’t do.

Thanks

Freejoy,

Look at the code on the page with the form. It could be using some JavaScript code which splits the e-mail address into different parts before attaching it to the get or post string (if it’s post, change the method to get and look at the string being sent). That’s called security by obfuscation and is of little value (except in not triggering McAfee’s sensor).

IMHO, if you want security, you must use SSL … but then you must also consider what you do with the data when it gets to the server (encrypt if it’s going to be stored in a database/flat file) or sent IN THE CLEAR to you. In other words, there is little benefit to encrypt data to get it to the server if you’re going to leave it there or retransmit to you via e-mail without further encryption.

Security is a trade-off between convenience, cost and security (not sharing the data with unintended third parties). If your data is valuable enough (credit card numbers, security codes, names and expiration dates), you are required by law to keep it safe or irretrievably destroy the data. If it’s just an e-mail address, there’s little value (except to spambots) so the need for security is diminished.

Regards,

DK

I use SSL on my customer account pages and checkout. I removed these programs mentioned above and installed another form processor, but that didn’t work either. So now I’m trying Magento’s native form processing. But the scan keeps finding something wrong. Just three things, but unless I can fix them I can’t be PCI compliant. A couple of things I removed, like page tracker, which isn’t a form, but the scan says it’s vulnerable to injection. Yes, most of my security issues seem to be with forms that only collect name and email address.

I don’t keep credit card information, but I would like to because I always thought it was nice on a second purchase not to have to re-enter credit card info. But it’s not really important, though it might be a convenience to the customer. It’s not really to secure the customer’s email address (although that would be ideal) but to, I guess, protect the whole site from some kind of XSS attack.

Anyway, it looks like I’m supposed to change my form (and any other place) with what appears to be HTML entities. Like change <input … to &lt;input … but that doesn’t work. When I do that it displays the input on the page as text. So now it seems what I need is some kind of script that does “search and replace?!”

For an example here’s one place the scan says is vulnerable:

<meta property="og:url" content="<?php $url="http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']; echo $url; ?>" />

It took me a long time to figure the code for that! :slight_smile: Now McAfee says it’s vulnerable. It doesn’t appear to be related to a form. It’s so when people “Like” a product it will create a link straight to that product page and not just to the home page.

Thanks
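A hardened version of the posted og:url line, added here as an example (it is not the poster’s or Magento’s code); SHOP_HOST is an assumed placeholder for the shop’s own hostname:

```php
<?php
// Added example, not the poster's or Magento's code. The posted og:url line
// builds the URL from $_SERVER['HTTP_HOST'] and $_SERVER['REQUEST_URI'], both of
// which arrive with the request, and echoes them unescaped into an attribute.
// A quote or angle bracket in the request path therefore lands in the page
// verbatim, which is why the scanner reports it as an injection (XSS) issue.

// Assumed placeholder: the shop's canonical hostname, configured by you rather
// than read from the Host header, so the header cannot be used to rewrite the link.
const SHOP_HOST = 'www.example.com';

/**
 * Build a safe og:url attribute value for the current page.
 * Only the path and query of the request are reused, and the result is
 * HTML-escaped so it cannot break out of content="...".
 */
function og_url(string $requestUri): string
{
    $path  = parse_url($requestUri, PHP_URL_PATH);
    $query = parse_url($requestUri, PHP_URL_QUERY);
    if (!is_string($path) || $path === '' || $path[0] !== '/') {
        $path = '/';                       // fall back to the home page on odd input
    }
    $url = 'http://' . SHOP_HOST . $path;
    if (is_string($query) && $query !== '') {
        $url .= '?' . $query;
    }
    // ENT_QUOTES escapes both " and ', so a quote in the path is now harmless.
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
?>
<meta property="og:url" content="<?php echo og_url($_SERVER['REQUEST_URI'] ?? '/'); ?>" />
```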

FJ,

If McAfee doesn’t like you to accept name and e-mail addresses, then build code which examines the values before submission (or deals with bad characters after submission - but that would still allow McAfee to whine about the form). For instance, neither names nor addresses should have HTML code within those fields, and allowing an unescaped apostrophe is a near-sure sign of a classic SQL injection attack. E-mail addresses are subject to strict guidelines, so it’s easy to find JavaScript code to block submission if the e-mail address is malformed - and better to use the ones which can check MX records!

Regular expressions are a terrific way to validate the format and content of form fields before submission (and should be mandatory by the receiving script before doing anything with the data submitted).

Think out of the box, too: split the name field into first and last names, and the e-mail address can easily be split on the @ character, so getting around your McAfee scanner should be simple (without annoying your visitors). It will also benefit you as it’s easier to check the “partial fields” before submitting.

Regards,

DK
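The server-side checks DK describes (name fields without HTML, e-mail syntax plus an optional MX lookup on the part after the @), as an added PHP example that is not from the thread or from Magento; the field names and sample submissions are constructed for illustration:

```php
<?php
// Added example (not from the thread or from Magento): validation run by the
// receiving script before the data is stored or e-mailed. Client-side
// JavaScript can perform the same checks first, but only these are enforceable.

/** A name: letters, spaces, dots, apostrophes and hyphens only; no HTML, no digits. */
function valid_name(string $name): bool
{
    $name = trim($name);
    return $name !== ''
        && strlen($name) <= 60
        && preg_match('/^[\p{L}][\p{L} .\'\-]*$/u', $name) === 1;
}

/** An e-mail address: syntax check, then optionally an MX (or A) lookup of the domain. */
function valid_email(string $email, bool $checkMx = false): bool
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Split on the last '@' so the domain part can be checked on its own.
    $domain = substr($email, strrpos($email, '@') + 1);
    // The DNS lookup needs network access; it is off by default for offline runs.
    return !$checkMx || checkdnsrr($domain, 'MX') || checkdnsrr($domain, 'A');
}

/** Validate a submission; returns the names of the fields that failed. */
function validate_contact(array $post): array
{
    $errors = [];
    if (!valid_name($post['firstname'] ?? '')) { $errors[] = 'firstname'; }
    if (!valid_name($post['lastname'] ?? ''))  { $errors[] = 'lastname'; }
    if (!valid_email($post['email'] ?? ''))    { $errors[] = 'email'; }
    return $errors;
}

// Constructed sample submissions: one legitimate (note the apostrophe in
// O'Neil), one carrying an HTML tag and a quote-based SQL fragment.
$good = ['firstname' => 'Mary-Ann', 'lastname' => "O'Neil", 'email' => 'mary@example.com'];
$bad  = ['firstname' => '<b>x</b>', 'lastname' => "x' OR 1=1--", 'email' => 'not an address'];

print_r(validate_contact($good));   // no failing fields
print_r(validate_contact($bad));    // every field rejected
```

Note that a legitimate name such as O’Neil contains an apostrophe, so validation limits what a field may contain, while the SQL injection risk itself is removed by passing values to the database as bound parameters rather than concatenating them into queries.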

Maybe Magento uses a self-signed certificate in the default contact form and is not showing any security error, but using SSL for the Contact Us page cannot affect anything on your web site, not even web site speed. In fact, it will just work the same as other pages do. You should also try to scan it with other vulnerability scanning software to clear up the doubt as to whether only McAfee shows this type of error or the others do the same.