Weird Security issue considering custom build form module

Discussion regarding Joomla! 3.x security issues.

1994_peter
Joomla! Fledgling
Posts: 1
Joined: Tue Jan 30, 2018 5:42 pm

Weird Security issue considering custom build form module

Post by 1994_peter » Tue Jan 30, 2018 6:49 pm

Dear Fellow joomla devs,

Recently, a customer called to say that the information she had left in an applicant form was visible on another person's device, since . They were not registered, so both users were 'guests'.

The scenario was as follows:

1. User A (macOS) fills in a contact form (custom made)
2. User A submits the form
3. User B (Windows) goes to the same page
4. User B sees the form with the data of user A <---- security issue

This cost my client a potential working candidate.

I cannot seem to reproduce the problem.

Does anyone know how this might have happened and how to prevent it???
My guess is that it has something to do with how Joomla caches content, but I thought it didn't store form data (especially not for guests).

Below is the current FPA.
After this happened I updated to 3.8.4 and turned caching off (it was on progressive).

Problem Description :: Security Issue with custom build form
Forum Post Assistant (v1.3.9) : 30th January 2018
Basic Environment :: Joomla! Instance :: Joomla! 3.8.4-Stable (Amani) 30-January-2018
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (444) | Owner: --protected-- . (uid: /gid: ) | Group: --protected-- (gid: ) | Valid For: 3.8
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 0 | Cache: 2 | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: 0 | FTP Layer: 0 | Proxy: 0 | LiveSite: | Session lifetime: 15 | Session handler: database | Shared sessions: 0 | SSL: 0 | FrontEdit: 0 | Error Reporting: simple | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | dbConnection Type: mysqli | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32-896.16.1.lve1.4.49.el6.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate, br | Doc Root: --protected-- | System TMP Writable: Yes | Free Disk Space : 40.20 GiB |

PHP Configuration :: Version: 7.0.27 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: | Error Reporting: 32767 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 32M | Max. POST Size: 32M | Max. Input Time: 40 | Max. Execution Time: 30 | Memory Limit: 512M

MySQL Configuration :: Version: 5.5.58-0ubuntu0.14.04.1 (Client:5.5.33) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 24.05 MiB | #of Tables:  94
Potential Missing Extensions :: mysql | suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): No
Potential Ownership Issues: Maybe
Folder Permissions :: Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) | administrator/logs/ (---) |

Elevated Permissions (First 10) :: components/com_k2/ (775) | components/com_vacancy/ (775) | components/com_vacancy/assets/ (775) | components/com_vacancy/assets/css/ (775) | components/com_vacancy/views/ (775) | components/com_vacancy/views/vacancy/ (775) | components/com_vacancy/views/vacancy/tmpl/ (775) | tmp/package/ (775) | upload/ (775) | usage/ (775) |
Last edited by toivo on Tue Jan 30, 2018 7:19 pm, edited 2 times in total.
Reason: mod note: disabled smilies for readability
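The sequence described in the post (guest A submits, guest B opens the same page and sees A's data) is what happens when a shared output cache keyed only on the URL stores a response that was rendered from one visitor's session. The model below is an added illustration, not Joomla's caching code or the custom module; the URL, field name and `Cache-Control` handling are assumptions used to show the failure mode and the mitigation (never storing per-visitor responses in a shared cache).

```python
# Constructed model of a shared page cache in front of a form module.
# Added example; this is not Joomla's code nor the module from the post.
from typing import Dict, Tuple

Response = Tuple[str, Dict[str, str]]  # (body, response headers)


def render_form(session: Dict[str, str]) -> Response:
    """Render the contact form, pre-filled from the visitor's OWN session."""
    name = session.get("name", "")
    body = f'<form><input name="name" value="{name}"></form>'
    # Output derived from session state is per-visitor: mark it as such.
    headers = {"Cache-Control": "private, no-store"} if session else {}
    return body, headers


class UrlKeyedCache:
    """Shared cache keyed on URL only; it does not know who the visitor is."""

    def __init__(self, honour_private: bool) -> None:
        self.store: Dict[str, str] = {}
        self.honour_private = honour_private  # False = the leaky behaviour

    def get(self, url: str, session: Dict[str, str]) -> str:
        if url in self.store:
            return self.store[url]  # served to ANY later visitor of this URL
        body, headers = render_form(session)
        private = "private" in headers.get("Cache-Control", "")
        if not (self.honour_private and private):
            self.store[url] = body  # per-visitor HTML lands in the shared cache
        return body


def replay_scenario(honour_private: bool) -> str:
    """Steps 1-4 from the post; returns the HTML that guest B receives."""
    cache = UrlKeyedCache(honour_private)
    session_a: Dict[str, str] = {}  # guest A (not logged in)
    session_b: Dict[str, str] = {}  # guest B, a separate session
    session_a["name"] = "Applicant A"       # step 2: A's submission kept in A's session
    cache.get("/vacancy/apply", session_a)  # A sees her own pre-filled form
    return cache.get("/vacancy/apply", session_b)  # steps 3-4: what B sees
```

With `honour_private=False` guest B receives A's pre-filled form; with `honour_private=True` the per-visitor response is never stored and B gets an empty form.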

ribo
Joomla! Virtuoso
Posts: 3507
Joined: Sun Jan 03, 2010 8:47 pm

Re: Weird Security issue considering custom build form module

Post by ribo » Tue Jan 30, 2018 6:56 pm

Your security issue can come from the permissions of your folders, which you have set to 775. All folders inside the root folder must be 755, files 644 and configuration.php 444. Also be sure that your extensions and template are up to date and not vulnerable.
chat room spontes : http://www.spontes.com

ribo
Joomla! Virtuoso
Posts: 3507
Joined: Sun Jan 03, 2010 8:47 pm

Re: Weird Security issue considering custom build form module

Post by ribo » Tue Jan 30, 2018 6:59 pm

Also, I'm not sure what happens in your custom form and whether it is safe.

sozzled
I've been banned!
Posts: 13639
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: Weird Security issue considering custom build form module

Post by sozzled » Wed Jan 31, 2018 8:00 am

I agree with @ribo. Sounds to me like the custom form extension is not honouring (or using) the session handler properly. I would contact the developer of the custom contact form extension to ask for their opinion.

