Website Form Submissions Readable By Anyone
While working with a prospective client -- let's call them the XYZ company -- we examined the "Contact Us" form on XYZ's website. Using this form, people interested in XYZ's services would submit their contact information and XYZ salespeople would then follow up.
This contact form looked like:

Naturally, we wondered what happened when the "Submit" button was clicked. How was the information in the form processed? An easy way to find out is to bring up the form's source code and search for the text <form, which denotes the start of the form. We did just that and found the following code fragment in the form:
<!--webbot bot="SaveResults" U-File="_private/form_res.txt"
The "webbot" text indicates that the Web server is running Microsoft's FrontPage extensions. A quick check of the documentation for these extensions tells us that the SaveResults extension saves the form results into a file on the Web server. Looking at the arguments included with the SaveResults extension call above, we see that the file is named form_res.txt and is located in the _private folder on the Web server.
Naturally, we wondered if this file is accessible to the "general public." How can we find out? Simple. Append the folder & file name to the site's domain name to form the complete URL to the file. If the domain name for XYZ was www.xyzcompany.com, the URL to the form results file would be
www.xyzcompany.com/_private/form_res.txt
We typed that link into a Web browser and -- oops -- up came the detailed contact information for anyone who had ever submitted an information request to XYZ! So, the _private folder really isn't private after all!
What's wrong with this? Well, it may be obvious, but let's state two main reasons:
How can this problem be fixed? The appropriate permissions can be set on the form_res.txt file so that the general public can't access the file. Another solution involves replacing the SaveResults extension with a "more secure" way of transmitting and saving the form submissions.
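As an added illustration (not code from the article or from XYZ's site), the following script lets a site owner audit their own pages for the directive described above: it finds every FrontPage SaveResults comment in a page's HTML, extracts the U-File path, and reports whether the web server would serve that results file. The sample page, the `is_web_reachable` rule and the deny-list of folder prefixes are assumptions for illustration.

```python
import re
from typing import Dict, List, Sequence

# Constructed sample page, modelled on the fragment quoted in the article
# (the real XYZ page is not reproduced here). The second directive points
# outside the web root to show that case as well.
SAMPLE_PAGE = """<html><body>
<form method="POST" action="--WEBBOT-SELF--">
<!--webbot bot="SaveResults" U-File="_private/form_res.txt"
   S-Format="TEXT/CSV" -->
<input name="email"><input type="submit">
</form>
<!--webbot bot="SaveResults" U-File="../outside/other.txt" -->
</body></html>"""

# Matches a SaveResults webbot comment and captures its remaining attributes.
WEBBOT_RE = re.compile(
    r'<!--\s*webbot\s+bot="SaveResults"(?P<attrs>.*?)-->',
    re.IGNORECASE | re.DOTALL)
UFILE_RE = re.compile(r'U-File="(?P<path>[^"]+)"', re.IGNORECASE)


def find_results_files(html: str) -> List[str]:
    """Return every U-File path named by a SaveResults directive in the page."""
    paths = []
    for m in WEBBOT_RE.finditer(html):
        u = UFILE_RE.search(m.group("attrs"))
        if u:
            paths.append(u.group("path"))
    return paths


def is_web_reachable(path: str, denied_prefixes: Sequence[str] = ()) -> bool:
    """Assumed rule: U-File is relative to the web root, so it is served unless
    it lies outside the root or under a folder the server is configured to deny
    (the fix the article describes, modelled here as a prefix deny-list)."""
    norm = path.replace("\\", "/").lstrip("/")
    if norm.startswith("../"):
        return False  # outside the web root: the server does not serve it
    return not norm.startswith(tuple(denied_prefixes))


def audit(html: str, denied_prefixes: Sequence[str] = ()) -> List[Dict[str, object]]:
    """List each results file with a flag saying whether it is exposed."""
    return [{"u_file": p, "exposed": is_web_reachable(p, denied_prefixes)}
            for p in find_results_files(html)]


if __name__ == "__main__":
    print("before fix:", audit(SAMPLE_PAGE))
    print("after fix: ", audit(SAMPLE_PAGE, denied_prefixes=("_private/",)))
```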