Open Forms Prefill Data Validation Bypass Vulnerability

Vulnerability

A vulnerability exists in Open Forms versions prior to 3.2.7 and 3.3.3, as well as in the 3.1.x and 3.0.x series, and likely in earlier versions. The issue arises when form fields are set to read-only or disabled dynamically by form logic rather than statically in the form definition. In these cases, the validation that should reject changes to such fields is not applied, allowing users to modify prefilled data they should not be able to change. The bypass can be performed with an ordinary HTTP client such as Postman or cURL.

Impact

Exploitation of this vulnerability allows for unauthorized modification of prefilled data in forms, bypassing the intended read-only restrictions.

Reproduction

To reproduce this vulnerability, create a form that uses the prefill feature to populate data into fields, then apply form logic that dynamically sets those fields to read-only or disabled. During final input validation the logic-based read-only state is not taken into account, so the fields remain modifiable. In the Open Forms admin interface this amounts to adding a 'select box' component, marking it as 'read-only' via a logic rule, and configuring a prefill plugin to populate the field. Sending a submission that contains altered values for that field then passes validation, bypassing the read-only restriction.

Remediation

Users can upgrade to Open Forms versions 3.2.7 or 3.3.3, where this vulnerability has been patched. If an immediate upgrade is not possible, the form logic can be inverted by initially marking the field as read-only and then using logic to make it editable if no prefill data is available.
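The following is an added illustration, not Open Forms code: a toy form model with a validator that only honours the static read-only flag (the defect described under Reproduction) next to one that evaluates the logic rules before comparing submitted values against prefilled ones (the behaviour the fix restores). It also encodes the workaround from the remediation paragraph (read-only by default, unlocked by logic when no prefill data exists) and shows why it holds up even under the weak validator. The rule format, the function names and the sample values are all assumptions made for this example.

```python
"""Illustrative read-only prefill validation (added example, not Open Forms code).

The component/rule structures, the function names and the sample form data
below are constructed for this example; they are not Open Forms' own API.
"""
from typing import Any

# Constructed sample: a select box that is editable by default and is locked
# by a logic rule once a prefill plugin has populated it (the vulnerable layout).
LOGIC_LOCKED_FORM: dict[str, Any] = {
    "components": [{"key": "municipality", "type": "selectboxes", "readOnly": False}],
    "logic": [
        {"when": {"type": "has_prefill", "component": "municipality"},
         "set": {"municipality": {"readOnly": True}}},
    ],
}

# Constructed sample of the advisory's workaround: read-only statically, and a
# rule that only unlocks the field when there is no prefill data to protect.
INVERTED_FORM: dict[str, Any] = {
    "components": [{"key": "municipality", "type": "selectboxes", "readOnly": True}],
    "logic": [
        {"when": {"type": "no_prefill", "component": "municipality"},
         "set": {"municipality": {"readOnly": False}}},
    ],
}


def apply_logic(form: dict, prefill: dict) -> dict[str, dict]:
    """Return the effective component properties after evaluating the (hypothetical) rules."""
    effective = {c["key"]: dict(c) for c in form["components"]}
    for rule in form["logic"]:
        trigger = rule["when"]
        has_data = bool(prefill.get(trigger["component"]))
        holds = has_data if trigger["type"] == "has_prefill" else not has_data
        if holds:
            for key, props in rule["set"].items():
                effective[key].update(props)
    return effective


def _tampered_locked_fields(components: dict[str, dict], prefill: dict, submitted: dict) -> list[str]:
    """Keys of read-only/disabled components whose submitted value differs from the prefill."""
    return [
        key for key, comp in components.items()
        if (comp.get("readOnly") or comp.get("disabled"))
        and key in prefill
        and submitted.get(key) != prefill[key]
    ]


def validate_submission_vulnerable(form: dict, prefill: dict, submitted: dict) -> list[str]:
    """Mimics the defect: only the static flag is consulted, logic-set read-only is ignored."""
    static = {c["key"]: c for c in form["components"]}
    return _tampered_locked_fields(static, prefill, submitted)


def validate_submission_fixed(form: dict, prefill: dict, submitted: dict) -> list[str]:
    """Evaluates the logic first so a rule-locked field is treated as read-only."""
    return _tampered_locked_fields(apply_logic(form, prefill), prefill, submitted)


if __name__ == "__main__":
    prefill = {"municipality": "Utrecht"}          # constructed prefill value
    tampered = {"municipality": "Amsterdam"}       # constructed altered submission
    print("vulnerable:", validate_submission_vulnerable(LOGIC_LOCKED_FORM, prefill, tampered))  # []
    print("fixed:     ", validate_submission_fixed(LOGIC_LOCKED_FORM, prefill, tampered))       # ['municipality']
    print("workaround:", validate_submission_vulnerable(INVERTED_FORM, prefill, tampered))      # ['municipality']
```

The weak validator returns no errors for the tampered submission against the logic-locked form, which is exactly the gap the advisory describes; the fixed validator flags the field, and the inverted layout is caught even by the weak validator because its read-only flag is static.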

Added: Nov 18, 2025, 11:21 PM
Updated: Nov 18, 2025, 11:21 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 0.6
exploitability: 5.8
remediation: 8.3
relevance: 1.1
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.