PLEASE NOTE: These forums are no longer utilized and are provided as an archive for informational purposes only. All support issues will be handled via email using our support ticket system. For more detailed information on this change, please see this blog post.

PCI Vulnerability Scanners Auto-Filling / Submitting Forms

  1. This has been discussed a couple of times throughout the forum and there's never been a clear answer.

    Some PCI vulnerability scanners can populate and submit forms even when phone number and email fields exist that error out on web-based submissions. Somehow these scanners, which scan for vulnerabilities in many things such as web based forms, are able to submit these forms without triggering the errors. This essentially confirms that there's a vulnerability because the form is able to be submitted without meeting the necessary requirements.

    As many have mentioned, the forms are typically submitted on average 8 times per day, per form, and are filled with 0's. The IP addresses do confirm that the forms are being filled by the scanners. This appears to happen on both encrypted and non-encrypted pages as well as on stock WP and custom themed / with addons.

    Installation Status
    PHP Version 5.3.3
    MySQL Version 5.1.67
    WordPress Version 3.5.1
    Gravity Forms Version 1.6.12

    Posted 11 years ago on Tuesday February 12, 2013 | Permalink
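    The behaviour described in this post is the classic case of a client that never runs the browser-side checks: a scanner POSTs the form directly, so any validation that lives only in JavaScript is skipped. The following is an added example written for this archive, not code from the thread or from the Gravity Forms plugin; the function name `validate_submission`, the rule names and the constructed sample payload are all assumptions. It shows the same email/phone rules enforced again on the server, where a direct POST cannot bypass them, and it rejects the all-zero values the post reports. It is written to run on the PHP 5.3 listed in the Installation Status block.

```php
<?php
// Added example (not from the forum thread or Gravity Forms): server-side
// validation that does not depend on the browser. A scanner that POSTs the
// form directly never executes the client-side JavaScript checks, so the
// same rules must be enforced here before the submission is stored or mailed.

/**
 * Validate a submitted form payload on the server.
 *
 * @param array $submission  field name => raw submitted value
 * @param array $rules       field name => 'email' | 'phone' | 'required'
 * @return array             field name => error message (empty array = valid)
 */
function validate_submission(array $submission, array $rules)
{
    $errors = array();
    foreach ($rules as $field => $rule) {
        $value = isset($submission[$field]) ? trim((string) $submission[$field]) : '';

        if ($value === '') {
            $errors[$field] = 'This field is required.';
            continue;
        }

        // Reject placeholder junk such as the all-zero values scanners send
        // (zeros with optional spaces, dashes, dots, plus signs or parentheses).
        if (preg_match('/^[0\s()+.-]+$/', $value)) {
            $errors[$field] = 'Value is not acceptable.';
            continue;
        }

        switch ($rule) {
            case 'email':
                if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
                    $errors[$field] = 'Please enter a valid email address.';
                }
                break;
            case 'phone':
                // Accept 10 to 15 digits with optional separators; adjust to local format.
                $digits = preg_replace('/\D/', '', $value);
                if (strlen($digits) < 10 || strlen($digits) > 15) {
                    $errors[$field] = 'Please enter a valid phone number.';
                }
                break;
            case 'required':
            default:
                break; // the non-empty check above already passed
        }
    }
    return $errors;
}

// Constructed sample: the kind of payload the post describes the scanner sending.
$scanner_post = array('name' => '0', 'email' => '0', 'phone' => '0000000000');
$rules        = array('name' => 'required', 'email' => 'email', 'phone' => 'phone');

$errors = validate_submission($scanner_post, $rules);
if (count($errors) > 0) {
    // Refuse the submission and leave a log line the admin can correlate
    // with the web server access log (useful for the request post 3 asks for).
    header('HTTP/1.1 400 Bad Request');
    $client = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'cli';
    error_log('Rejected form submission from ' . $client . ': ' . json_encode($errors));
} else {
    // Only reached when every server-side rule passed; store or mail the entry here.
}
```

    Run as written, the constructed all-zero payload produces three errors (name, email, phone) and no entry is created. Hooking a function like this into a form plugin's own server-side validation point is plugin-specific and is not shown here; the point of the example is that the check must exist on the server at all, because the browser-side version is advisory only.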
  2. I'll ask the development team about this one.

    For reference, related:
    http://www.gravityhelp.com/forums/topic/form-fields-are-populated-with-0s-zero

    Posted 11 years ago on Wednesday February 13, 2013 | Permalink
  3. I am tracking down this issue.

    Any chance you could take a look at your web server logs and find that exact request (form submission) made by the PCI vulnerability scanner? I need to replicate this issue locally, and getting my hands on that request would be very helpful.

    Posted 11 years ago on Wednesday February 13, 2013 | Permalink