DMXzone Server Connect Support Product Page

Security alert! - is all your data accessible?

28 May 2018 11:43:36 Hans Haverlach posted:
I just checked this on one of my websites:

If one knows the url of a server connect Action file stored in: /dmxConnect/api/..../****.php and opens the URL in the browser all data returned by that server action file is visible as json data in the browser.

For instance, when you have a dynamic form, the action URL of the form points to a server connect file with the complete URL.

This is a very serious problem, unless perhaps I have missed something, but then please clarify how to prevent this from being possible.
Like to hear from you soon!

Replies

28 May 2018 13:12:45 Teodor Kuduschiev replied:
Hello Hans,
What exactly does your action contain?
28 May 2018 14:06:06 Hans Haverlach replied:
Hello Teodor,

Well, that doesn't really matter I think.
Of course, most of the time with a dynamic form it will be an insert/update action, so NOT returning data. But that was only an example.

In the source code of every app connect page that contains server connect files the path to the server connect files is visible. People (hackers) can get a view/guess of how my api structure is set up. And with a little guessing they might (with trial and error) change the file name part in the server connect file URL and get data that is not meant for them to access.

The API file URLs should not be known at all, I think.
28 May 2018 14:28:04 Teodor Kuduschiev replied:
Well, it does matter... that is why I am asking...

If you have some data that needs to be secured in the action, you just need to add a security restrict step at the top of the action file; then nobody who is not logged in can see anything. Also, if you see what the server action returns, you have enabled the "Output" option for some of the steps. That is why I am asking what your server action contains.
28 May 2018 15:26:12 Hans Haverlach replied:
Thank you for replying Teodor.
Fair enough, that makes good sense.
I thought output was required to show the data where needed? For security I use a different system in CMS. But I will look into that option too.
28 May 2018 19:45:50 Teodor Kuduschiev replied:
No, output is not needed for what is posted on the page. It is required for debugging purposes.
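The two controls discussed in this thread, modelled as an added example that is not DMXzone's own code: a security restrict step placed first halts the action for anonymous callers, and only steps with the Output option set appear in the JSON response. The `Step` class, `run_action` and the sample action are constructed for illustration.

```python
"""Constructed model of a Server Connect-style action pipeline (not the
DMXzone runtime). Demonstrates why a security restrict step belongs at the
top of an action and why the "Output" flag should stay off in production."""
import json
from dataclasses import dataclass, field


@dataclass
class Step:
    name: str
    kind: str                     # "security_restrict", "query" or "insert"
    output: bool = False          # the per-step "Output" option
    data: dict = field(default_factory=dict)   # stand-in for the step result


def run_action(steps, session):
    """Run steps in order; return (http_status, response_body)."""
    response = {}
    for step in steps:
        if step.kind == "security_restrict":
            if not session.get("user_id"):
                # Halt here: nothing below this step runs or is returned.
                return 401, {"error": "Unauthorized"}
            continue
        if step.output:           # only "Output"-enabled steps leak into JSON
            response[step.name] = step.data
    return 200, response


# Constructed action: restrict step first, a query with Output enabled
# (debug-style setting) and an insert with Output disabled (recommended).
ACTION = [
    Step("restrict", "security_restrict"),
    Step("customers", "query", output=True,
         data={"rows": [{"id": 1, "email": "a@example.test"}]}),
    Step("log_insert", "insert", output=False, data={"affected": 1}),
]

# The same action without the restrict step: what the original post observed.
UNGUARDED = ACTION[1:]


def anonymous_get(action):
    """Simulate opening the action URL directly in a browser, no session."""
    return run_action(action, session={})


if __name__ == "__main__":
    for label, action in (("guarded", ACTION), ("unguarded", UNGUARDED)):
        status, body = anonymous_get(action)
        print(label, status, json.dumps(body))
```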
