CiviCRM Community Forums (archive)

*

News:

Have a question about CiviCRM?
Get it answered quickly at the new
CiviCRM Stack Exchange Q+A site
This forum was archived on 25 November 2017. Learn more.
How to get involved.
What to do if you think you've found a bug.



  • CiviCRM Community Forums (archive) »
  • Old sections (read-only, deprecated) »
  • Support »
  • Using CiviCRM »
  • Using Profiles (Moderator: Dave Greenberg) »
  • Security of data with profiles used for Sign-up
Pages: [1]

Author Topic: Security of data with profiles used for Sign-up  (Read 1021 times)

rjeschmi

  • I’m new here
  • *
  • Posts: 6
  • Karma: 0
Security of data with profiles used for Sign-up
March 19, 2010, 11:32:34 am
Hi, I'll try to briefly outline the problem and follow-up with any questions people have.

My problem is that when a user submits data using a public form they can also change the ID in the URL allowing them to recover the Contact First Name and Last Name for other contacts in the database. I have everything locked down as tightly as I can and it refuses to give the profile to the user, but still offers the Name in the heading.


http://drupal.demo.civicrm.org/civicrm/profile/create?reset=1&gid=9

which leads to something like:

http://drupal.demo.civicrm.org/civicrm/profile/view?reset=1&id=161&gid=9

But if I change the id in that url I can browse through all the First Names and Last Names in the DB without being logged in.

Is this expected behaviour?

rjeschmi

  • I’m new here
  • *
  • Posts: 6
  • Karma: 0
Re: Security of data with profiles used for Sign-up
March 19, 2010, 04:42:57 pm
Here are some more examples of what I mean.

Iterate through the ids:
http://drupal.demo.civicrm.org/civicrm/profile/view?reset=1&id=151&gid=9

http://drupal.demo.civicrm.org/civicrm/profile/view?reset=1&id=2&gid=9

And you can see the name in the heading (but not in the data block)

petednz

  • Forum Godess / God
  • I’m (like) Lobo ;)
  • *****
  • Posts: 4899
  • Karma: 193
    • Fuzion
  • CiviCRM version: 3.x - 4.x
  • CMS version: Drupal 6 and 7
Re: Security of data with profiles used for Sign-up
March 19, 2010, 09:14:45 pm
Have you tried doing the same while logged out. Have you tested if this is an issue if the person does not have the requisite permissions to see data for other contacts?
Sign up to StackExchange and get free expert advice: https://civicrm.org/blogs/colemanw/get-exclusive-access-free-expert-help

pete davis : www.fuzion.co.nz : connect + campaign + communicate

rjeschmi

  • I’m new here
  • *
  • Posts: 6
  • Karma: 0
Re: Security of data with profiles used for Sign-up
March 20, 2010, 09:05:44 am
Quote
Have you tried doing the same while logged out. Have you tested if this is an issue if the person does not have the requisite permissions to see data for other contacts?

Yes if you aren't logged into the demo you see the Name of the contact in the header. If you follow the links I provided in the second email while logged out you'll see what I mean I think.

It is the same on my installation and "anonymous" is set to:
   yes - profile listings and forms
   yes - profile create
   no  - profile view

and no to most of the rest.

It seems like an information leak, but not sure if it is just a security setting problem on my end.
   

rjeschmi

  • I’m new here
  • *
  • Posts: 6
  • Karma: 0
Re: Security of data with profiles used for Sign-up
March 28, 2010, 05:19:00 pm
This is an acknowledged issue and workaround suggested here:http://issues.civicrm.org/jira/browse/CRM-4131

Pages: [1]
  • CiviCRM Community Forums (archive) »
  • Old sections (read-only, deprecated) »
  • Support »
  • Using CiviCRM »
  • Using Profiles (Moderator: Dave Greenberg) »
  • Security of data with profiles used for Sign-up

This forum was archived on 2017-11-26.