Export – Security Issue Resolved?
-
Hi there,
I use the original CFDB plugin and would consider using your version however one of the setbacks of the plugin is the export feature.
The example below is what the export feature generates, i.e. a url with the export format, form name and you can then append other show/hide parameters:
The problem is, if you are looking to use the export feature to let a user see all of their submissions i.e. by appending the parameter as follows:
Then the user can simply delete the “&User=DemoUsername” from the url and export all of the form data.
If this something you have fixed or are looking to fix?
For example, could it work in the same way that an API does, i.e. the export feature only works if the “&User=DemoUsername” is present in the url along with the users Username and Password?
Thanks,
S
-
Hey,
That’s just an example field which you could use to provide a user a feed of their submissions, you would need to filter results for that user only and so as an example, I have assumed there is a column in the form names ‘User’, which stores the Username of the user.
The issue is when you create the export link, all somebody needs to do is remove this filter from the url and then they can export all of the forms data.
I would be keen to know if there is a plan to make this less vulnerable.
Well… i think that we can’t talk about a vulnerability here since we are arguing about a filter someone could remove… or not. And a filter… well… does his filtering job when it’s present… or not.
Anyhow, i think that you would be interested in a feature, capable of generating obfuscated export urls (with a filter inside) that you would share with someone. And this obfuscated link would obviously not be altered (cause it would be a unique string… refering to a particular export)
Am i right ?
- The topic ‘Export – Security Issue Resolved?’ is closed to new replies.
