CiviCRM Community Forums (archive)

Also, just noticed that if I add the parameter &id=N to a contact profile in the front end as a public user the form that loads shows you the contacts name but no other fields.

All fields are set to user & user admin which is why the profile is not showing any fields but I'm surprised to see the contacts name in the title?

Is there any way for me to hide the title as well as the fields when it isn't the logged in users contact being viewed. I wasn't expecting peoples names to be shown to public people by just putting in random id numbers on the end of a url?

Does this mean that someone could harvest the full list of contact names in the dbase by just incrementing the id number on the out of the box profile 'name and address'.

Thoughts and suggestions would be appreciated,

Dave

You can disable Used For "Profile" checkbox in profile settings and then you won't be able to access profile.

Kurund

More scary, just found that if you guess a profile id that has mapping enabled and you hit a contact id with the switch, you don't see any data but a link to 'map primary address' if you click this it takes you to a google map showing where that contact lives!!

This is (while not logged in) on the public front end of the website!

Surely this has got to be a security problem?

Or am I really missing something?

Cheers,

Dave

Just sanity checking my understading here:

I thought that if my profiles and their fields were set to 'user & user admin' then no public people could view data and front end users could only see their own data for their contact linked to their joomla user?

For public people without an account they can still sign up/donate/event reg. using these profiles as they create the contact on save but then they can;t view that data until the create an account and login.

If my thinking is correct then it is just that I can see a contact's name and where they live on a map if I guess the prifile id and contact id - which isn't hard.

I know I can turn off mapping on all profiles but I was expecting to be able to use that for people when logged in to see themselves on a map with no security issues as they are all set to 'user & user admin'

Am I just misunderstanding, or is this a Joomla 1.5 issue.

My worry is that there are other ways I've not found to see into the contact dbase as a public person?

The ord I am working with obviously want their contact data to be 100% secure from being looked at by non-authorised people, (IE public can't see ANYTHING and users can ONLY see their OWN data)

sorry, just in a panic having found these loopholes.

Not sure how I now secure the system in order to allow them to use it with confidence that their data is secure?

Cheers,

Dave

ok, just set joomla demo to use Google mapping and a dummy key.

Go to the url above and click on map primary address, click ok on the api key warning and you see the contact on the map!

If you click on the contact icon the bubble shows all his address details.

Here is the url of the page with the map:

http://joomla.demo.civicrm.org/index.php?option=com_civicrm&task=civicrm/profile/map&reset=1&pv=1&cid=2&gid=1

again you can change the cid in this url and see any contacts info if they are mapped.

Definitely turning off mapping for all profiles for the moment.

Cheers,

Dave

Yes, can you please file a bug. In general the "permissioning" support in J1.5 and before is fairly weak IMO

lobo

We are not aware of any open data security issues with J! 1.5 + Civi 3.4. My comment was more along the lines:

In J1.5 and prior, things are either open or closed. We've tried to restrict whats open as much as possible

lobo