MachForm - HTML Form Builder Online, PHP Form Creator v30.0 Nulled

Decryption key:

To view the content, you need to Sign In or Register.

MachForm - HTML Form Builder Online, PHP Form Creator v30.0 Nulled
= Changelog

• Security: Resolved a critical authentication bypass vulnerability (credit to Josh Cool).
• Security: Strengthened CSRF token validation across administrative endpoints.
• Security: Resolved Cross-Site Scripting (XSS) on Users / Entries page and Grid widget (credit to The Chinese University of Hong Kong – ITSC)
• Security: Updated Axios library to use version 1.15.0
• Bugfix: Accessibility issue (missing label) with “Other” field on Checkboxes/Multiple Choice
• Bugfix: Display issue with rating field on mobile devices
• Bugfix: Fixed incorrect “required” validation when a matrix field is being duplicated
• Bugfix: Errors on Stripe payment page when being embedded across different domain
• Bugfix: Uploaded files can’t be accessed on incomplete entries section
• Bugfix: Success page doesn’t display correctly after PayPal payment completed
• Bugfix: File upload counter not being calculated correctly when validation errors occur

Decryption key:

To view the content, you need to Sign In or Register.

MachForm - HTML Form Builder Online, PHP Form Creator v29.0 Nulled
= MachForm 29 Released. Security Update.

MachForm v29 is now available for download via your Account Area. This release addresses multiple security vulnerabilities identified in the previous version. We strongly recommend updating your installation immediately.

Security Patches​

• Stored Cross-Site Scripting (XSS): We have resolved a vulnerability in the form editor that allowed users with editing permissions to inject malicious JavaScript into the Media field.
• Open Redirect: We addressed an issue in the login logic where the from parameter was not properly validated, potentially allowing attackers to redirect users to malicious domains upon login.
• HTML Injection: A vulnerability in the user creation process has been fixed. Previously, insufficient validation allowed HTML code to be injected into notification emails, presenting a potential phishing vector.
• User Enumeration: We have standardized responses in the password reset feature to prevent attackers from determining which email addresses exist in the system.

Technical Disclosure​

Full technical details regarding these vulnerabilities will be published in the CVE database shortly. We will update this post with the corresponding CVE IDs as they become available.

Acknowledgments​

We appreciate the work of Jacopo Taccucci for his diligence and expertise in responsibly identifying and reporting these issues.

PHP & MySQL Version Requirements​

MachForm v29 requires the minimum version of PHP on your server to be at least PHP 8.1 and MySQL version at least MySQL 5.7. If you’re still using an older version, you’ll need to upgrade your PHP and/or MySQL version first.

Changelog​

• Security: Resolved a Stored Cross-Site Scripting (XSS) vulnerability within the form builder interface.
• Security: Patched an “Open Redirect” vulnerability in the authentication flow.
• Security: Fixed an HTML injection vulnerability affecting the user creation process.
• Security: Mitigated a User Enumeration vector on the password reset page.
• Security: Enhanced password policies by enforcing strong passwords and implementing a strength meter on the reset page.
• Security: Updated administrative workflows: Admins must now generate reset links rather than changing user passwords directly.
• Performance: Integrated the OpenSpout library to optimize memory usage when exporting large Excel datasets.
• Performance: Optimized the “Choice Limit” logic to eliminate processing delays on forms with a high volume of fields.
• Compatibility: Resolved code deprecation warnings to ensure full compatibility with PHP 8.5.
• Bugfix: Fixed an issue where Microsoft 365 refresh tokens failed to renew correctly after 90 days.

How to Update​

This update is provided at no cost for users with an active support contract. You can download the package from the Account Area.
Please follow the official upgrade guide here: Upgrading MachForm Self-Hosted

Decryption key:

To view the content, you need to Sign In or Register.

MachForm - HTML Form Builder Online, PHP Form Creator v27.0
= Changelog

• Feature: SSO (Single Sign-On) support for login authentication
• Feature: Added option to throttle file uploads per IP address per hour
• Security: Improved file uploads security against spam bots submissions
• Bugfix: Grid widget can’t use relative date format for filtering
• Bugfix: Importing form doesn’t include the approval status field
• Bugfix: Languages not loaded correctly in merge tags
• Bugfix: Missing “reply to” information when resending entry using confirmation email template
• Bugfix: Smart folder using conditions from “Created Date” or “Last Entry Date” caused query error
• Update: Added Ukrainian language and currency
• Update: Added approver name into {approval_note} merge tag
• Update: Updated axios library with the latest version (1.11.0)

Decryption key:

To view the content, you need to Sign In or Register.

Changelog​

• Feature: New Stripe integration; support 40+ payment methods, including ACH bank transfer
• Feature: WCAG 2.2 AA compliance on all forms; compliance with the European Accesibility Act (EAA)
• Feature: Support for Microsoft 365 SMTP OAuth
• Update: Updated dompdf library to v3.1.0 from 0.8.5
• Bugfix: Removed duplicate javascript event handler code that caused slow operations on large forms

Thanks to @ufukart

Changelog​

• Feature: Allow users to share forms on their own
• Feature: Added option to open a blank new form when running under “edit entry” mode
• Bugfix: User without ‘edit entry’ permission shouldn’t be able to see the edit link on entry
• Bugfix: ‘exif_read_data()’ warning message upon upload
• Bugfix: ‘mime_content_type()’ error message upon upload
• Bugfix: When default admin theme is not vibrant, user won’t be able to choose vibrant as their preferred theme
• Bugfix: Compatibility issue with the webhook sending incorrect Authorization: BASIC header
• Bugfix: Compatibility with PHP 7.4 when sending using SMTP
• Bugfix: Stripe compatibility issue with PHP 7.4
• Bugfix: Signature images has wrong path on windows server when MachForm installed on root domain
• Bugfix: On a single-page form, submitting a new form immediately after editing an entry will overwrite the data to the previously edited entry
• Bugfix: Edit entry on form with payment and ‘delay notification until paid’ turned on won’t resend notification
• Bugfix: Edit entry on form having payment enabled and review page will always redirect to payment page, even if the status already paid
• Bugfix: Saving error when the form is having ‘Allow Users to Save and Resume Later’ and ‘Allow Users to Edit Completed Submission’ turned on at the same time
• Bugfix: The “Default From Name” is not being used when creating new forms
• Bugfix: Improved accessibility with text captcha
• Bugfix: Improved accessibility on submit buttons
• Bugfix: New Stripe API keys are 255 characters long, the old one are 50 characters long
• Bugfix: Activity log not deleted when delete ALL entries, reset the entries ID or delete with MF_CONF_TRUE_DELETE enabled
• Bugfix: Entry’s ‘Date Created’ is being overwritten incorrectly when both Edit Entry and Resume feature enabled
• Bugfix: When email subject is having quotes characters and PDF enabled, the PDF can’t be attached
• Bugfix: Variable typo on confirm page
• Bugfix: Fixes error message ‘implode(): Passing glue string after array is deprecated’
• Bugfix: Date field can’t handle “is empty” condition on entries/grid page
• Bugfix: First attempt on solving captcha always resulted to failure
• Bugfix: When ‘enable choice limit’ turned on and limit has reached maximum, admin can’t edit the entry
• Bugfix: Webhook won’t be send any longer when the target URL doesn’t have path/only domain
• Bugfix: Added config option to enable/disable SQL debug mode
• Update: Internal CAPTCHA no longer uses session
• Bugfix: Theme not applied in form locked when user not set theme in their profile
• Bugfix: Entries column preferences not deleted when field has been deleted
• Bugfix: Removed hard coding on default name and from email address in logic notification
• Bugfix: mf.js generate console error message when receiving postMessage from external script

MAY 17, 2020

MachForm 14
Allow Form Users to Edit Completed Submission!

Howdy folks!
By default, once a form has been submitted by the end-users, the form data can’t be updated any longer by the end users and only admin having the ability to edit the data.
In some cases, you might need to allow your form users to modify their submission on a later date.
Using the Allow Users to Edit Completed Submission feature, you can do this easily. When you enabled this feature, the end-users will see an edit link on the success page of the form and receive a confirmation email containing the edit link as well (you’ll need to enable confirmation email on your form).

To enable this feature on your form, edit your form, click the Form Properties tab and click the show more options link. Then check the Allow Users to Edit Completed Submission option.

For more details, please check Allow Users to Edit Completed Submission in MachForm.
This new feature is part of the new version of MachForm (Version 14)
This update added new feature and bugfixes. We recommend you to upgrade due to improved functionalities within this release.

Changelog

• Feature: Allow Users to Edit Completed Submission
• Bugfix: Braintree payments deprecated issue
• Bugfix: Theme selection not available on user profile page when LDAP enabled
• Bugfix: On multipage form, logic emails are being sent twice when the skip page logic to success page is active
• Bugfix: Any field with field visibility “Hidden” and “required” at the same time is causing validation error and prevent the form from being submitted
• Bugfix: Submitting payment on Stripe for recurring payment with setup fee generate “Received unknown parameter: account_balance” error
• Bugfix: Resuming deleted incomplete entries shouldn’t be possible
• Bugfix: Can’t decrypt multi-field (address, name, etc) when there is empty field in the middle
• Bugfix: Editing/adding folder doesn’t work on Edge browser
• Bugfix: JPEG file sometimes uploaded with incorrect orientation