
Supposedly there's a "security flaw" in the eForms portal relating to the drop down menu for "reasons" for applying for registration of NFA items
Ok, so this, as written, was not a "security exploit." It was a "form submission oversight" and was the wrong way to "lock down" a free-form text field.

What would have been an exploit would be if that free-form text field allowed the injection of malicious Java or SQL code due to lack of input sanitization and validation. That would have allowed an attacker to run code of their choice on the server, potentially opening up other exploits and allowing for the hostile takeover of the whole system.

But in this case the ATF still allowed free-form text submissions to that field, they just made it so you had to implement those submissions yourself as the form only allowed for one pre-filled option. The system was still working as designed, and I would submit this is a legal and authorized workaround as per the design of the form itself. Code, like laws, is not subject to intent, it is only subject to as written. If you make a free-form field publicly accessible (even if it is only through publicly available browser tools) then you should expect the public to fill those fields as they intend to, not as you intend them to.

If you do not intend them to fill those fields out as they see fit you should not make them a free-form text field, you should make it a binary option; "for all legal purposes" <yes/no>.
 
 
If you do not intend them to fill those fields out as they see fit you should not make them a free-form text field, you should make it a binary option; "for all legal purposes" <yes/no>.
A friend of mine put "To Exercise My God Given Rights" ATF denied it, admitted it was a valid reason after being contacted by GOA, then told him to resubmit with a different reason after saying that was a valid reason, and now there are lawyers involved
 
A friend of mine put "To Exercise My God Given Rights" ATF denied it, admitted it was a valid reason after being contacted by GOA, then told him to resubmit with a different reason after saying that was a valid reason, and now there are lawyers involved
"For instance, one member of Gun Owners of America (GOA) reportedly entered that they sought the item to "exercise God-given rights". The ATF examiner reviewing the application rejected it on the basis of this wording, deeming it unacceptable.

When GOA highlighted this denial on the social media platform X (formerly Twitter), it quickly gained traction"

From the linked article, was this the same friend?
 
"For instance, one member of Gun Owners of America (GOA) reportedly entered that they sought the item to "exercise God-given rights". The ATF examiner reviewing the application rejected it on the basis of this wording, deeming it unacceptable.

When GOA highlighted this denial on the social media platform X (formerly Twitter), it quickly gained traction"

From the linked article, was this the same friend?
I believe so, yes
 
A friend of mine put "To Exercise My God Given Rights" ATF denied it, admitted it was a valid reason after being contacted by GOA, then told him to resubmit with a different reason after saying that was a valid reason, and now there are lawyers involved
Yep, this whole thing is just a way for the ATF to play the "we were wrong; we did nothing wrong" game. IMHO the only way they "win" that game is to remove the field entirely, and tacitly admit we don't need a reason. This whole game with one-option drop-downs or even hypothetical "check agree" options as to reasons is really trying to shove words into people's mouths when you think about what the question actually is. They can either argue that they need a valid reason to approve the form, and then fight about that in court when someone disagrees with a denial, or they can drop the requirement entirely.
 
The reason, much like the old CLEO sign-off, was just a way to keep 'undesirables' (read that as minorities and poor people) from getting to play with rich people's toys.

I know a bit more about the lawsuit and it has all the hallmarks of the brace thing that just happened, as in:
They lost the cases losing the right to limit what you could use as a reason so somehow that means they won the right to limit what you could use as a reason
 
Ok, so this, as written, was not a "security exploit." It was a "form submission oversight" and was the wrong way to "lock down" a free-form text field.

What would have been an exploit would be if that free-form text field allowed the injection of malicious Java or SQL code due to lack of input sanitization and validation. That would have allowed an attacker to run code of their choice on the server, potentially opening up other exploits and allowing for the hostile takeover of the whole system.

But in this case the ATF still allowed free-form text submissions to that field, they just made it so you had to implement those submissions yourself as the form only allowed for one pre-filled option. The system was still working as designed, and I would submit this is a legal and authorized workaround as per the design of the form itself. Code, like laws, is not subject to intent, it is only subject to as written. If you make a free-form field publicly accessible (even if it is only through publicly available browser tools) then you should expect the public to fill those fields as they intend to, not as you intend them to.

If you do not intend them to fill those fields out as they see fit you should not make them a free-form text field, you should make it a binary option; "for all legal purposes" <yes/no>.
Web dev 101.

Amateur hour for those web devs (and QA/test) that don't know/plan/implement/test for this.

And, BTW, it is multi-level; don't assume that the web-form did the sanitization of the input; the field should test this, the URL (where the input is often passed to the service) should be tested for this, the web services should also sanitize their input data, as should all logic down the line - all the way to the DB/etc.

That is how pros do it, insist be done and the s/w test team AND unit tests ensure (not assume) it has been done (if you don't test/measure, you don't know).

Sadly, a lot of orgs skimp on such basic best practices. Some even resist doing it as "unnecessary". Idiots - lazy idiots.
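To illustrate the point made in this reply and in the earlier post about the one-option drop-down, here is an added example (not code from the thread or from the eForms portal) of the layered handling described: the browser-side "lock" trusts whatever arrives, a server-side allow-list check rejects anything that is not one of the offered options, and the storage layer binds the value as a parameter. The option text, the length limit and the table layout are assumptions for the demo.

```python
import sqlite3
from typing import Optional, Tuple

# Constructed allow-list standing in for the drop-down's single option
# (assumption: only "for all legal purposes" is known from the thread).
ALLOWED_REASONS = {"for all legal purposes"}
MAX_LEN = 100  # assumed upper bound on the field

def client_side_only(submitted: str) -> bool:
    """Models the drop-down approach: the browser restricts the choices, but
    the server accepts any string it receives. Every value passes."""
    return True

def validate_reason(submitted: Optional[str]) -> Tuple[bool, str]:
    """Server-side check: normalise whitespace and case, enforce a length
    bound, then compare against the allow-list. Returns (accepted, detail)."""
    if submitted is None:
        return False, "missing"
    value = " ".join(submitted.split()).lower()
    if len(value) > MAX_LEN:
        return False, "too long"
    if value not in ALLOWED_REASONS:
        return False, "not an allowed option"
    return True, value

def store_application(conn: sqlite3.Connection, applicant: str, reason: str) -> int:
    """Final layer: re-validate and insert with a bound parameter rather than
    string formatting, so the value can never be interpreted as SQL.
    Returns the number of stored applications."""
    ok, detail = validate_reason(reason)
    if not ok:
        raise ValueError(detail)
    conn.execute(
        "INSERT INTO applications(applicant, reason) VALUES (?, ?)",
        (applicant, detail),
    )
    return conn.execute("SELECT COUNT(*) FROM applications").fetchone()[0]

def demo() -> int:
    """Constructed submissions: one that matches the option and two that
    bypass the drop-down. Only the first is stored."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE applications(applicant TEXT, reason TEXT)")
    samples = ["For All  Legal Purposes", "To Exercise My God Given Rights",
               "x'); DROP TABLE applications; --"]
    stored = 0
    for s in samples:
        try:
            stored = store_application(conn, "applicant-1", s)
        except ValueError:
            pass  # rejected at the server layer
    return stored
```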