laminas / laminas-captcha

Generate and validate CAPTCHAs using Figlets, images, ReCaptcha, and more
https://docs.laminas.dev/laminas-captcha/
BSD 3-Clause "New" or "Revised" License

$value['id'] is not validated against invalid characters #13

Open damac23 opened 3 years ago

damac23 commented 3 years ago

Bug Report

| Q | A |
|---|---|
| Version(s) | 2.9.0 + 2.10.0 |

Summary

We've seen a rise in error messages of this kind:

    Laminas\Session\Exception\InvalidArgumentException
    /PROJECT/src/vendor/laminas/laminas-session/src/AbstractContainer.php
    Name passed to container is invalid; must consist of alphanumerics, backslashes and underscores only

They all occur on our different contact forms.

Current behavior

If a malicious user modifies the value of the hidden form field "captcha[id]", it will result in an InvalidArgumentException:

    Laminas\Session\Exception\InvalidArgumentException
    /PROJECT/vendor/laminas/laminas-session/src/AbstractContainer.php
    Name passed to container is invalid; must consist of alphanumerics, backslashes and underscores only
    0 /PROJECT/vendor/laminas/laminas-captcha/src/AbstractWord.php(260): Laminas\Session\AbstractContainer->__construct()
    1 /PROJECT/vendor/laminas/laminas-captcha/src/AbstractWord.php(289): Laminas\Captcha\AbstractWord->getSession()
    2 /PROJECT/vendor/laminas/laminas-captcha/src/AbstractWord.php(402): Laminas\Captcha\AbstractWord->getWord()
    3 /PROJECT/vendor/laminas/laminas-validator/src/ValidatorChain.php(245): Laminas\Captcha\AbstractWord->isValid()
    4 /PROJECT/vendor/laminas/laminas-inputfilter/src/Input.php(433): Laminas\Validator\ValidatorChain->isValid()
    5 /PROJECT/vendor/laminas/laminas-inputfilter/src/BaseInputFilter.php(274): Laminas\InputFilter\Input->isValid()
    6 /PROJECT/vendor/laminas/laminas-inputfilter/src/BaseInputFilter.php(228): Laminas\InputFilter\BaseInputFilter->validateInputs()
    7 /PROJECT/vendor/laminas/laminas-form/src/Form.php(531): Laminas\InputFilter\BaseInputFilter->isValid()
    8 /PROJECT/module/Frontend/src/Controller/IndexController.php(210): Laminas\Form\Form->isValid()

How to reproduce

Create a form and add the Captcha::class. Options along those lines:

    'captcha' => [
        'class' => 'Image',
        'font' => '/usr/share/fonts/truetype/lato/Lato-Bold.ttf',
        'ImgDir' => './public/frontend/captcha/',
        'ImgUrl' => '/captcha/',
        'wordLen' => 5,
        'DotNoiseLevel' => 5,
        'LineNoiseLevel' => 3,
    ],

In your browser inspector, modify the captcha[id] value by replacing one character with a special character like "[" and then submit the form.

Expected behavior

If an attacker modifies the value for captcha[id], it should simply be rejected.

The solution should be pretty simple in laminas-captcha/src/AbstractWord.php: lines 396 to 399 validate only against existence:

    if (! isset($value['id'])) {

And something like this would validate against the correct values (same regex as in laminas-session/src/AbstractContainer.php):

    if (! preg_match('/^[a-z0-9][a-z0-9_\\\\]+$/i', $value['id'])) {
        $this->error(self::MISSING_ID);
        return false;
    }
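The check proposed in the report above, as a self-contained added example (not laminas-captcha code and not part of the original report). `StubContainer` is a hypothetical stand-in for the session container, the function names and sample ids are constructed, and the sketch also rejects non-string ids, which goes beyond the regex-only check in the report.

```php
<?php
// Same pattern the issue quotes from laminas-session/src/AbstractContainer.php.
const NAME_PATTERN = '/^[a-z0-9][a-z0-9_\\\\]+$/i';
// Hypothetical stand-in for the session container: it throws on an invalid
// name, like the exception in the stack trace above.
final class StubContainer {
    public function __construct(string $name) {
        if (! preg_match(NAME_PATTERN, $name)) {
            throw new InvalidArgumentException('Name passed to container is invalid');
        }
    }
}

// Behaviour described in the issue: only the existence of the id is checked.
function idCheckedForExistence(array $value): bool {
    if (! isset($value['id'])) {
        return false;
    }
    new StubContainer($value['id']); // throws on a tampered id
    return true;
}

// Proposed behaviour: reject missing, non-string and malformed ids up front.
function idCheckedForFormat(array $value): bool {
    $id = $value['id'] ?? null;
    if (! is_string($id) || ! preg_match(NAME_PATTERN, $id)) {
        return false; // the issue suggests reporting MISSING_ID here
    }
    new StubContainer($id);
    return true;
}

// Constructed sample submissions (ids are made up for this example).
$samples = [
    'valid id'    => ['id' => '3f2a9c0d1b', 'input' => 'abcde'],
    'tampered id' => ['id' => '3f2a9c[d1b', 'input' => 'abcde'],
    'array id'    => ['id' => ['x'], 'input' => 'abcde'],
    'missing id'  => ['input' => 'abcde'],
];
foreach ($samples as $label => $value) {
    foreach (['idCheckedForExistence', 'idCheckedForFormat'] as $check) {
        try {
            $outcome = $check($value) ? 'id accepted' : 'rejected';
        } catch (Throwable $e) {
            $outcome = 'uncaught ' . get_class($e);
        }
        printf("%-12s %-22s %s\n", $label, $check, $outcome);
    }
}
```

"id accepted" only means the id is well-formed enough to be used as a container name; the captcha word itself still has to be compared afterwards.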

mkrasselt1 commented 1 month ago

still open and active bug, at least - stops hacker from sending actual emails... (but floods mail logs). I even noticed that it's possible to reuse a captcha multiple times until the expiration time is expired - that's a separate bug....