Question

firewall blocking submitting Laserfiche Forms considered as SQL Injection

asked on December 10, 2020

Hi all,

We are having Laserfiche Forms Professional Version 10.4.2.381, newly implemented and in production. Everything seems to be fine, but when users type a word similar to SQL commands, such as "Order by", in a single-line or multiline field, our firewall blocks it, considering it SQL injection. How can I change the field values to string using CSS or JavaScript?

0 0

Answer

SELECTED ANSWER
replied on December 10, 2020

As a follow up, whenever you use a firewall/IPS with rules that look for and block suspected SQL injection, XSS, etc., you should expect to do some tuning on a per-application basis to address false positives.

I recommend working with your network security team (or whoever owns the firewall) to adjust the filtering rules for Laserfiche traffic so it doesn't identify legitimate Forms data as a SQL injection. In your case it sounds like it might only be a few keywords like "Order by" that are tripping it.

1 0
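As an added illustration of the per-application tuning the answer recommends (example code written for this thread, not Laserfiche's software or any firewall vendor's rule set): a generic keyword signature flags ordinary English such as "order by", while a narrower signature applied only to the Forms submission path still flags the quote-then-keyword shape an actual injection attempt needs. The "/Forms/" path prefix and the field names are assumptions.

```python
import re
from dataclasses import dataclass

# Generic keyword signature of the kind that trips on ordinary text such as
# "order by Friday". The keyword list is a constructed sample, not a vendor rule.
KEYWORD_RULE = re.compile(r"\b(order\s+by|union\s+select|drop\s+table)\b", re.I)

# Narrower signature for the exception: the same keywords only when preceded by
# a quote, statement terminator or comment marker, i.e. the characters needed
# to break out of a quoted SQL literal. Ordinary prose has no such prefix.
CONTEXT_RULE = re.compile(
    r"(['\";]|--|/\*)\s*(order\s+by|union\s+select|drop\s+table)\b", re.I
)

@dataclass
class Request:
    path: str      # request path as seen by the firewall
    fields: dict   # submitted form field name -> value

# Per-application override: path prefix -> rule to apply instead of the default.
# "/Forms/" is a hypothetical prefix for the Forms submission endpoint.
OVERRIDES = {"/Forms/": CONTEXT_RULE}

def pick_rule(path: str) -> re.Pattern:
    """Return the narrower rule for tuned paths, the generic rule elsewhere."""
    for prefix, rule in OVERRIDES.items():
        if path.startswith(prefix):
            return rule
    return KEYWORD_RULE

def flagged_fields(req: Request) -> list:
    """Names of the submitted fields the applicable rule would block."""
    rule = pick_rule(req.path)
    return [name for name, value in req.fields.items() if rule.search(value)]

if __name__ == "__main__":
    # Constructed sample submissions: legitimate free text, an injection-shaped
    # value on the same endpoint, and the same keyword on an untuned path.
    legit = Request("/Forms/submit", {"comments": "Please order by Friday"})
    probe = Request("/Forms/submit", {"comments": "x' ORDER BY 1-- "})
    other = Request("/api/search", {"q": "order by"})
    print(flagged_fields(legit))   # []
    print(flagged_fields(probe))   # ['comments']
    print(flagged_fields(other))   # ['q']
```

The exception stays scoped to the one application path, so the generic rule continues to apply to every other endpoint behind the same firewall.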

Replies

replied on December 10, 2020

If you change the value of the field, how will it still do what the user wants? It sounds like you need to make your firewall less paranoid.

2 0
replied on December 12, 2020

I will coordinate with the Network security team to verify the false positive.

0 0