Form data displayed to other users

Today I experienced a behaviour I'm at a loss to recreate or explain. Website running Joomla 3.8.0 and Contact Enhanced 3.6.5 on PHP 5.6.31.

• Client's customer called to say the contact form isn't working
• Client visits website contact page to investigate and finds the fields populated with the customer's data
• Client calls me and I experience the same, the original customer's data is displayed on the contact form

I'm unsure how to investigate this, two unconnected computers being shown a third user's data.

If relevant the site uses PHP sessions, not the database ($session_handler = 'none') and shared sessions are disabled ($shared_session = '0'. Contact Enhanced is set to store successful form submissions in the database.

The site was recently migrated to a different web server running different OS and version of PHP. The original server is not known to have exhibited this behaviour.

Can anyone suggest what might be causing the issue or how I can investigate further?

Thanks,

Chris

Update - instructions request server OS be noted, the new server runs IIS 8.5 on Windows 2012 R2.

Dear Chris,

Contact Enhanced 3.6.5 is not compatible with Joomla 3.8. You'll need to upgrade to CE 3.7 or newer.

There's no subscription linked to your account. Can you please contact us from the user account used to purchase the subscription?

Best regards,

I will purchase a license for the current version of CE. The original license was purchased by a developer who is no longer involved.

It would still be valuable to understand how customer data was exposed publicly through the contact form. Current configuration uses javascript validation, so as far as I can tell data entered does not reach the server until it passes validation at which point it can be fully processed. There is no need to store the data and return to browser, especially not an unconnected browser.

Are you able to

1. Explain exactly how this situation came about (fair enough 3.6.5 is not compatible with 3.8.0 but how did that lead to private data being exposed?)
2. [Confirm it cannot recur on the latest version of CE with Joomla 3.8.0

Thanks,

Chris

Dear Cris,

This should never have happened.

I would need administrator access to your site in order find out, however I assume you are loading the contact for via Content plugin and your website is using another caching system other than Joomla. If that's not the case you might be using Joomla's Progressive caching settings. These are just assumptions.

If the problem continues after the upgrade, let me know and I'll continue to investigate this issue and will fix it.

Best regards,

I'll update to CE 3.7.2 and advise if further help is required.

Website uses Joomla's own caching system.

Hi Douglas,

I can now reproduce the issue reliably and would appreciate your help to resolve.

Environment
- Jomla 3.8.0
- Contact Enhanced 3.7.2
- Windows Server 2012 R2
- PHP 5.6.31

Issue
- First use of Contact Enhanced form to upload files is successful
- Successive attempts to attach files to the form fail

Notes
- Successive attempts to attach files to the form fail but produce a successful 200 OK POST request to /index.php?option=com_contactenhanced&task=jsonExecuteCF&cf=6
- Clearing the Joomla cache, specifically the cache group for com_azurapagebuilder allows a single successful form submission
- The issue does not present when oomla caching is disabled via $caching = '0' in configuration.php
- The configurations specifies $cache_handler = 'file', my other option is wincache but I've not tested

Can you suggest where the source of the issue might lie? Obviously I could disable caching and move on but that is not a solution.

I suspect azurapagebuilder may be to blame and that's not your responsibility however as you're familiar with Joomla any advice would be much appreciated.

Dear Cris,

Thanks for purchasing a subscription.

Contact Enhanced Content Plugin doesn't use caching, however Azura Page Builder might be caching CE plugin output.

I'm not familiar with Azura Page Builder. Can you please ask its developer whether you can disable caching for specific pages?

If there's no such feature in Azura, then you basically have two options:
1- Use Joomla content article instead of Azura for this page;
2- Wait a couple of days and I'll create an optional feature which will clean Joomla caching when a form is submitted.

Best regards,

Hi Douglas,

I'm unable to get support from Azura Page Builder developer as it is licensed to the previous developer rather than my client's domain.

It definitely writes files to /cache when $caching is enabled in Joomla's configuration.php. The content appears to be the fully rendered contact page including the CE form. Unsure why file's fail to upload, presumably CE performs validation and aborts on finding a previously submitted form ID. It fails silently thoughn no error displayed or logged that I can see.

I tested changing $cache_handler from file to wincache but behaviour is the same.

I see discussion about page level cache exclusion and System Page Cache is availale to install at Extensions > Plugins: System - Page Cache but am conused about what this is for or how to use it github.com/joomla/joomla-cms/pull/7767

If you could add option for CE to clear Joomla cache on form submission that would be very helpful, thank you. Even better if it could target directory /cache/com_azurapagebuilder so as not to clear other parts of the cache that are still valid. Better still if it could be merged with the main branch of CE so it's available to others and into the future.

Very much appreciate your help.

Chris

Dear Cris,

If the Azura pages are being cached entirely including the plugins, the feature I'm planning will fix the issue with the user data being cached, but the problem with the Ajax multiple files upload, because it requires a "fresh" security token to work. What you can do is disable the Ajax file upload feature in the Multiple File Upload form field options. This will result in a regular upload button.

Let me know if this works.

Best wishes.