Simfatic Forms > Save and Continue Security Update

Save and Continue Security Update

The Save And Continue feature allows the user to press a save button and return to the form on a later date.
This feature is intended for long forms where the user may have to take a break or collect data from multiple sources. The Save button can be added in the Draw the form page -> Pages and sections -> Widgets -> Save button menu item.

Save Button Form

While filling up the form, the user can press the Save button. Simfatic Forms Script will save the data temporarily to the database and give the user a link to continue editing later.

Message after Save

The user is given unique URL (link) with a parameter. The parameter denotes the specific data the user had saved.

When the user visits the link later, the form would load the earlier data and the user can make corrections and do a final submission.

When the user completes the form submission, the previously saved data is deleted and the form processing steps are started (sending the email, saving the complete form submission etc)

"Save and Continue" feature is available in Simfatic Forms 5 Ultimate edition only (The Standard and Professional version of Simfatic Forms 5 does not have this feature).

Save and Continue feature was available in Simfatic Forms 4 Professional version.

The Security Concern

The script uses a unique form ID (an ID unique to each form) to generate the URL parameter(The "rd" parameter in the URL).

When you make copies of the same form and deploy the form on different domains or folders, the forms will have the same form ID. So the URL generated for each save can have the same rd parameter.

This can lead to a situation where a user can create multiple form submissions and create a sequence of rd parameters. Then the user can try guessing other forms on your website (which are copies of the first form) and try the rd parameter on those forms continuously until he gets to retrieve form data temporarily saved by another user.

Note that this happens only when you upload copies of the same form on multiple locations. In other cases where you have completely different forms on your website, it does not happen.

Where this concern is not applicable

This security concern is applicable only

  • if you have forms that use the "Save and Continue" button.
  • you have created multiple copies of the same form, and the forms have "Save and Continue" button.

This security concern is not applicable if you have Simfatic Forms 5 Standard or Simfatic Forms 5 Professional edition since the feature itself does not exist in those editions.

The Update/Fix

The Simfatic Forms update below generates a unique ID for each installation of the form ( in addition to the Form ID ) . Save and Continue uses the new random ID as the base for generating the rd parameter each time. This makes the parameter unique.

  • Download & install the updated version of Simfatic Forms from the links below
  • Download only one version of Simfatic Forms (Simfatic forms 4 or Simfatic Forms 5 depending on what version you currently have)
  • Open your existing forms that have Save and Continue feature. Re-upload the form.

Other Recommendations

"Save and Continue" feature was meant only as a "convenience" feature.

It is not recommended to use "Save and Continue" feature if you are collecting sensitive Customer data. Please refer to your local/international laws what data is defined as "sensitive".

Simfatic Forms should not be used to collect "very sensitive" customer data, like Credit Card Number. (Whether the form uses "Save and Continue" feature or not)
For payment processing, you can use Simfatic Forms Paypal integration.

The "Save and Continue" feature will be deprecated and removed in stages in the upcoming releases of Simfatic Forms. So it is recommended not to use this feature in your new forms. You may also remove the feature in stages from your existing forms.

Downloads

Credits

Thanks a lot to Tom Usher of PropertyPak® for reporting this issue and collaborating on this security-disclosure post, among other things.