CiviCRM Community Forums (archive)

This forum was archived on 25 November 2017.

Author Topic: just checking security  (Read 1196 times)

davesage

  • I post frequently
  • ***
  • Posts: 153
  • Karma: 3
  • CiviCRM version: 3.4 & 4.1
  • CMS version: Joomla 1.5 & 2.5
  • MySQL version: 5.1
  • PHP version: 5.3
just checking security
August 02, 2011, 05:32:42 pm
Hi,

I was just checking something about hard coding a profile url onto a page so I can open a contact edit form.

What concerned me was that non-logged in users seem to be able to use a standard url and get access to profiles that I've not published via a menu link.

I know that if the profile data fields are set to 'user and user admin' they can't see the data but they could still inject new contacts into the database by going to this standard url - guessing a low number and filling in the profile and hitting save?

Is this expected behaviour?

I tried it on joomla demo using this link with the same results.

http://joomla.demo.civicrm.org/index.php?option=com_civicrm&task=civicrm/profile/edit&reset=1&gid=1

Interestingly, someone has set that profile to be public and searchable, so just hitting cancel brought back all contacts' names etc.

Humm..

I just want to ensure that there is NO way of any public person or any contact seeing anyone else's data, as that would be a data protection issue for the org I'm working with.

How can I stop public users adding contacts in this way?

Cheers, sorry if I'm worrying about nothing here.

Dave

davesage

Re: just checking security
August 03, 2011, 01:30:14 am
Also, just noticed that if I add the parameter &id=N to a contact profile in the front end as a public user the form that loads shows you the contacts name but no other fields.

All fields are set to user & user admin, which is why the profile is not showing any fields, but I'm surprised to see the contact's name in the title?

Is there any way for me to hide the title as well as the fields when it isn't the logged-in user's contact being viewed? I wasn't expecting people's names to be shown to public people by just putting in random id numbers on the end of a URL?

Does this mean that someone could harvest the full list of contact names in the dbase by just incrementing the id number on the out-of-the-box profile 'name and address'?

Thoughts and suggestions would be appreciated,

Dave

davesage

Re: just checking security
August 04, 2011, 01:17:42 am
Any thoughts on this issue with public people being able to see the names in the dbase by using the id= param?

I really need to ensure people can't see other people's names.

I looked in the template files, but I think Title (and it shows in the browser title as well) must be driven by something else. Is it in the PHP files instead of the template files?

Cheers,

Dave

Kurund Jalmi

  • Administrator
  • I’m (like) Lobo ;)
  • *****
  • Posts: 4169
  • Karma: 128
    • CiviCRM
  • CiviCRM version: 4.x, future
  • CMS version: Drupal 7, Joomla 3.x
  • MySQL version: 5.5.x
  • PHP version: 5.4.x
Re: just checking security
August 04, 2011, 01:21:59 am
You can disable Used For "Profile" checkbox in profile settings and then you won't be able to access profile.

Kurund

davesage

Re: just checking security
August 04, 2011, 01:30:43 am
That is fine if I didn't want to use the profile within legitimate event reg pages and donation pages.

I need to use the profiles to collect data from public people in order for them to sign up and donate, I just wasn't expecting these same profiles to be able to view other contacts data by using this switch?

Cheers,

Dave

Is the name of the contact within the title of the profile a special feature of the built in 'Name Address' profile? If it is, then I can create a custom profile with those fields that won't show the name in the title, if it is automatically on all profiles that are linked to contacts then that might be a bit more tricky?

davesage

Re: just checking security
August 04, 2011, 01:37:23 am
More scary: just found that if you guess a profile id that has mapping enabled and you hit a contact id with the switch, you don't see any data but a link to 'map primary address'. If you click this it takes you to a Google map showing where that contact lives!!

This is (while not logged in) on the public front end of the website!

Surely this has got to be a security problem?

Or am I really missing something?

Cheers,

Dave

petednz

  • Forum Godess / God
  • I’m (like) Lobo ;)
  • *****
  • Posts: 4899
  • Karma: 193
    • Fuzion
  • CiviCRM version: 3.x - 4.x
  • CMS version: Drupal 6 and 7
Re: just checking security
August 04, 2011, 01:45:48 am
can you paste a link to such a profile on the demo site?

davesage

Re: just checking security
August 04, 2011, 01:52:01 am
Just sanity checking my understanding here:

I thought that if my profiles and their fields were set to 'user & user admin' then no public people could view data and front end users could only see their own data for their contact linked to their joomla user?

For public people without an account, they can still sign up/donate/event reg. using these profiles, as they create the contact on save, but then they can't view that data until they create an account and log in.

If my thinking is correct then it is just that I can see a contact's name and where they live on a map if I guess the profile id and contact id - which isn't hard.

I know I can turn off mapping on all profiles but I was expecting to be able to use that for people when logged in to see themselves on a map with no security issues as they are all set to 'user & user admin'

Am I just misunderstanding, or is this a Joomla 1.5 issue?

My worry is that there are other ways I've not found to see into the contact dbase as a public person?

The org I am working with obviously want their contact data to be 100% secure from being looked at by non-authorised people (i.e. public can't see ANYTHING and users can ONLY see their OWN data).

sorry, just in a panic having found these loopholes.

Not sure how I now secure the system in order to allow them to use it with confidence that their data is secure?

Cheers,

Dave

davesage

Re: just checking security
August 04, 2011, 02:01:19 am
I updated the demo profile 1 'name and address' to have all fields 'user & user admin only'

use this url

http://joomla.demo.civicrm.org/index.php?option=com_civicrm&task=civicrm/profile/view&reset=1&gid=1&id=2

you'll see the link to the map

Apologies about the name in the title; I've found out what I've done to show that. I'd left one field (groups) as public, so it wasn't showing anything on the form but it must have allowed the title to show. I changed this last field on the profile to user & user admin and it has removed the title, phew!

Apologies, I don't mean to panic, just this is important data protection stuff.

The map thing is still showing though, although the demo doesn't have a key.

Thanks for looking into this
« Last Edit: August 04, 2011, 02:52:48 am by davesage »

davesage

Re: just checking security
August 04, 2011, 03:55:38 am
ok, just set joomla demo to use Google mapping and a dummy key.

Go to the url above and click on map primary address, click ok on the api key warning and you see the contact on the map!

If you click on the contact icon the bubble shows all his address details.

Here is the url of the page with the map:

http://joomla.demo.civicrm.org/index.php?option=com_civicrm&task=civicrm/profile/map&reset=1&pv=1&cid=2&gid=1

again you can change the cid in this url and see any contacts info if they are mapped.

Definitely turning off mapping for all profiles for the moment.

Cheers,

Dave


davesage

Re: just checking security
August 04, 2011, 04:04:00 am
turned mapping off for the profile but the standard url above still pulls up the map with the contact on and their address in the balloon.

try the same url:

http://joomla.demo.civicrm.org/index.php?option=com_civicrm&task=civicrm/profile/map&reset=1&pv=1&cid=2&gid=1

and you'll see the map.

You can change that gid= to any number and it still shows?

How do I turn this map behaviour off?

Cheers,

Dave

PS - I've turned off mapping for the whole site by just setting mapping provider to '-select-' in the admin section but this obviously means that mapping in the backend won't work. Better that for now until the front end mapping is secure. Shall I raise a bug in Jira?
« Last Edit: August 04, 2011, 04:10:29 am by davesage »
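As an added illustration (not CiviCRM's own code) of the rule Dave sets out above, that public visitors see nothing and logged-in users see only their own record, and of the map page in the later posts, here is a small Python model that puts the view and the map endpoints behind one gate; the visibility names and URL parameters follow the thread, while the contact and profile values are constructed sample data.

```python
# Added example, not CiviCRM code: one access gate shared by the profile
# view and profile map pages discussed in the thread.  Visibility names and
# the gid/id/cid parameters follow the thread; all records are constructed.
from dataclasses import dataclass

PUBLIC = "Public Pages"                  # visible to anyone, including anonymous
USER_ADMIN = "User and User Admin Only"  # visible only to the record's own user or an admin


@dataclass
class Contact:
    id: int
    data: dict  # field name -> value, e.g. {"name": ..., "address": ...}


@dataclass
class Profile:
    gid: int
    field_visibility: dict  # field name -> PUBLIC or USER_ADMIN
    mapping_enabled: bool = False


def is_owner_or_admin(contact_id, requester_cid, is_admin):
    """A logged-in user 'owns' the contact linked to their CMS account."""
    return is_admin or (requester_cid is not None and requester_cid == contact_id)


def visible_fields(profile, owner_or_admin):
    """Public fields for anyone; restricted fields only for the owner or an admin."""
    return [f for f, v in profile.field_visibility.items()
            if v == PUBLIC or owner_or_admin]


def render_view(profile, contact, requester_cid=None, is_admin=False):
    """profile/view?gid=<gid>&id=<contact>: the title (contact name) is only
    emitted together with at least one permitted field, so an anonymous
    request against a fully restricted profile gets nothing at all."""
    allowed = visible_fields(profile, is_owner_or_admin(contact.id, requester_cid, is_admin))
    if not allowed:
        return None
    return {"title": contact.data.get("name"),
            "fields": {f: contact.data.get(f) for f in allowed}}


def render_map(profile, contact, requester_cid=None, is_admin=False):
    """profile/map?gid=<gid>&cid=<contact>: a map is just another rendering
    of the address, so it needs the profile's mapping switch AND permission
    to see the address field; the thread found the live page honoured neither."""
    owner = is_owner_or_admin(contact.id, requester_cid, is_admin)
    if not profile.mapping_enabled or "address" not in visible_fields(profile, owner):
        return None
    return {"marker": contact.data.get("name"), "address": contact.data.get("address")}
```

The model also reproduces the effect Dave noticed: leaving a single field public makes the title appear for anonymous visitors, while the map stays blocked because the address field itself is still restricted.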

Donald Lobo

  • Administrator
  • I’m (like) Lobo ;)
  • *****
  • Posts: 15963
  • Karma: 470
    • CiviCRM site
  • CiviCRM version: 4.2+
  • CMS version: Drupal 7, Joomla 2.5+
  • MySQL version: 5.5.x
  • PHP version: 5.4.x
Re: just checking security
August 04, 2011, 07:11:32 am

Yes, can you please file a bug. In general the "permissioning" support in J1.5 and before is fairly weak IMO

lobo

davesage

Re: just checking security
August 04, 2011, 10:23:11 am
Will do.

Does the comment about permissioning being weak in J1.5 suggest that there may be other areas where data might be viewable by people when we want everything to be hidden? There must be data protection implications if so?

Is there any way to easily highlight/find other vulnerable urls?

I take it the only way forward to be sure of data security is therefore to move to J1.7 and civi4 with ACLs?

Thanks,

Dave

Donald Lobo

Re: just checking security
August 04, 2011, 11:53:14 am

We are not aware of any open data security issues with J! 1.5 + Civi 3.4. My comment was more along the lines of:

In J1.5 and prior, things are either open or closed. We've tried to restrict what's open as much as possible.

lobo