Closed Bug 560707 Opened 14 years ago Closed 14 years ago

Input Validation Missing for Shirt Size Selection

Categories

(Websites Graveyard :: drumbeat.org, defect)

defect
Not set
major

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: mcoates, Unassigned)

Details

(Keywords: drupal-module, Whiteboard: [donation] [drumbeat] [civicrm] [infrasec:input])

Issue

The shirt size dropdown box at the drumbeat donations page does not appear to be validated by the server. An attacker can use proxy tools such as WebScarab or TamperData to modify the value selected in the dropdown box to an arbitrary value. Unintended or malicious actions could occur depending on how this value is processed by the server.

Steps to reproduce:
1. Browse to:
http://donate.trellon.org/dbl/civicrm/contribute/transact?reset=1&id=1&reset=1&id=1
2. Enter a donation value of $200
3. Select the t-shirt and any value from the dropdown
4. Configure TamperData to intercept
5. Click Continue
6. Within TamperData modify the t-shirt size from "Men's L" to "testData123" and submit the modified packet
7. Observe that the submitted data is accepted without any errors.
Recommended Remediation

Perform input validation on the server to ensure that the t-shirt size selected is a valid option from a predefined list.
Interesting. This should be reported to CiviCRM if this is the case. I'll dig into the code tomorrow and find out what's happening. Cheers.
Keywords: drupal-module
Whiteboard: donation, drumbeat → donation, drumbeat civicrm
There is the same problem with the "I want to contribute this amount every" dropdown.
Mike Priest: update?
For both dropdown boxes (tshirt, contribution period), additional validation has been added which checks the submitted value.
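The remediation recommended in the report (and the second dropdown raised in the comments), as an added example that is not CiviCRM's or the donation site's own code: the server checks each submitted select value against the same option list it used to render the form, so a value edited in a proxy is rejected rather than processed. Field names and option values are assumptions, not taken from the real form.

```python
"""Server-side allowlist validation for <select> fields (added example)."""
import html
from typing import Mapping, Sequence

# Constructed option lists: one source of truth used both to render the form
# and to validate the submission, so the two cannot drift apart.
# Field names and values are assumed; the real form's are not on the page.
FORM_OPTIONS: dict[str, list[str]] = {
    "tshirt_size": ["Men's S", "Men's M", "Men's L", "Women's S", "Women's M"],
    "recur_frequency": ["month", "year"],
}


def render_select(field: str, options: Mapping[str, Sequence[str]] = FORM_OPTIONS) -> str:
    """Render the dropdown from the option list (values HTML-escaped)."""
    opts = "".join(
        f'<option value="{html.escape(v, quote=True)}">{html.escape(v)}</option>'
        for v in options[field]
    )
    return f'<select name="{html.escape(field, quote=True)}">{opts}</select>'


def validate_selects(submitted: Mapping[str, object],
                     options: Mapping[str, Sequence[str]] = FORM_OPTIONS,
                     required: Sequence[str] = ()) -> dict[str, str]:
    """Return {field: error} for every select field that fails validation.

    A field passes only if its submitted value is a single str that exactly
    matches one of the values the server itself offered. A tampered value,
    a wrong type (e.g. a list from a duplicated query parameter) or a missing
    required field is rejected; nothing is coerced into a valid value.
    """
    errors: dict[str, str] = {}
    for field, allowed in options.items():
        if field not in submitted:
            if field in required:
                errors[field] = "required field missing"
            continue
        value = submitted[field]
        if not isinstance(value, str):
            errors[field] = "expected a single string value"
        elif value not in allowed:
            errors[field] = "value is not one of the offered options"
    return errors
```

An empty result means the submission may proceed; any non-empty result should be returned to the user as a form error and never passed on to payment or order processing.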
I've confirmed that both fixes are working properly in http://donate.trellon.org. Moving to resolved: fixed.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Whiteboard: donation, drumbeat civicrm → donation, drumbeat civicrm, [infrasec:input]
Whiteboard: donation, drumbeat civicrm, [infrasec:input] → [donation] [drumbeat] [civicrm] [infrasec:input]
Product: Websites → Websites Graveyard