Question

Form Attachment to a Network Location

asked on October 8, 2021

Hello,

I have a question/concern.

We are isolating attachments from the forms database into a network location so that an antivirus can scan the files. However, I just noticed that the file arrives at the network location as soon as you attach the file in the form (not after submitting).

Is there a way to go around this?

This opens a vulnerability to users with forms exposed to the public, since you (or a bot) can attach a document, then remove the attachment and reattach it, and repeat this process until you overflow the network location/server without having to do the reCAPTCHA.

I have set this up to only accept 1 attachment at a time and 20 MB for now.

I do not know if there is something that can be made with JS/CSS to remove the attachment element from the DOM completely after the upload.

Please let me know if there is a configuration that I am missing.

1 0

Replies

replied on October 9, 2021

The security hotfix we have released is to address a theft-of-service vulnerability where the uploaded files are downloadable by the public, so malicious users will take advantage of it to host files in the Forms system for file sharing.

When a user uploads a file, the file is sent to the database or file system immediately. It was designed like this because sending large files to the server takes a long time, so they are uploaded to the server prior to the form submit action.

If the file is uploaded and then deleted, it will not be deleted from the backend until the form is submitted. We will enhance this behavior by deleting the file immediately when the user deletes the file on the form, to reduce the chance of malicious users overflowing the network location/server.

We will also evaluate other solutions such as limiting the number of files uploaded from an IP address or supporting reCAPTCHA when uploading a file. We will keep you updated with our final solution.

2 0
replied on October 21, 2021

Here is the update for the security fixes related to the storage: besides deleting the file immediately when the user deletes newly uploaded files on the form, we also have the following improvements to prevent the storage from being overflowed:

1. Set the file upload limit for a new file upload field to 10 by default

2. Enforce the file upload limit check from the backend when uploading a file

3. Support regular automatic clean-up of files not linked to any submission (unreferenced files) in the Data Maintenance module.

0 0
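As an added illustration (not Laserfiche's code), here is a Python model of the defences described in this reply: a server-side per-form file count and size limit, immediate deletion when the user removes an attachment, and a maintenance sweep of unreferenced files. The class names, limits and in-memory store are constructed for the example.

```python
"""Constructed model of pre-submit upload staging and the defences from this
thread. Not Laserfiche code; names and the in-memory store are assumptions."""
from dataclasses import dataclass, field

MAX_FILES_PER_FORM = 10  # default per-field limit mentioned in the reply
MAX_BYTES_PER_FILE = 20 * 1024 * 1024  # 20 MB, the asker's configured size limit


@dataclass
class Staged:
    form_id: str
    size: int
    uploaded_at: float
    submitted: bool = False  # True once the owning form has been submitted


@dataclass
class UploadStore:
    files: dict = field(default_factory=dict)  # file_id -> Staged
    _next_id: int = 0

    def upload(self, form_id, size, now):
        """Accept a pre-submit upload only if the backend limits allow it."""
        if size > MAX_BYTES_PER_FILE:
            raise ValueError("file too large")
        pending = [f for f in self.files.values()
                   if f.form_id == form_id and not f.submitted]
        if len(pending) >= MAX_FILES_PER_FORM:
            raise ValueError("too many files staged for this form")
        self._next_id += 1
        self.files[self._next_id] = Staged(form_id, size, now)
        return self._next_id

    def remove(self, file_id):
        """Delete from the backend at once when the user removes the attachment."""
        self.files.pop(file_id, None)

    def submit(self, form_id):
        """Mark the form's staged files as referenced by a submission."""
        for f in self.files.values():
            if f.form_id == form_id:
                f.submitted = True

    def reap_unreferenced(self, now, max_age):
        """Maintenance sweep: delete staged files never tied to a submission."""
        stale = [i for i, f in self.files.items()
                 if not f.submitted and now - f.uploaded_at > max_age]
        for i in stale:
            del self.files[i]
        return len(stale)
```

The attach/remove/reattach loop from the question no longer grows storage: a removed file frees its slot immediately, and anything left behind without a submission is reaped on the next sweep.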
replied on February 21, 2022

The file will be deleted from storage when the user deletes it from the form with Forms 11 Update 2, and the improvements I listed above are also available with Forms 11 Update 2 (https://support.laserfiche.com/kb/1014352/list-of-changes-for-laserfiche-forms-11-update-2).

1 0
replied on October 8, 2021

I noticed the same behavior and it actually behaves the same with database storage (i.e., as soon as you upload the attachment it goes into the db even if you don't submit).

I brought this to Laserfiche's attention a few months ago. So far I'm not aware of any "fix" for the storage but they released a security hotfix for a different exploit that seems related to this behavior.

As far as I know the hotfix doesn't change the storage behavior, but they did provide a cleanup tool.

Laserfiche Forms Portal File Upload Vulnerability - Knowledge Base

0 0