Data Security Issue After Submitting Data

antonitus

Member
After updating to Joomla 3.9.8 (maybe versions before this), I noticed that when I submit a form, it gets successfully sent, but after submission, someone else's data in the database shows on the form.
This is a real privacy issue and therefore a security threat. I never saw this when I first created this form, and no settings have been changed since creating it.

What I also noticed is that, time and time again, when I submit a form you can see the other person's data in the URL section of the browser. Whatever data I send, I always see another person's id number, such as 135. That id corresponds to that other person's data. This is a very strange issue.

Also, just to let you know, I thought it may have been an incompatibility issue between an older Fabrik version to Joomla's latest version, but this was not the case as I installed the latest Fabrik version 3.9 as of today.

Can a member of the dev team please look into this as I cannot use Fabrik because of this issue. I disabled the contact us form until I can find a fix.

What I'm using:
Fabrik 3.9 (installed today)
Joomla 3.9.8 (latest)
Chrome Browser (gets regularly updated)

Thanks.
 
Latest Joomla is 3.9.13, but anyway...
No idea what you mean, can you add some screenshots etc?
Are you redirecting after submit to anywhere, e.g. an existing record? If yes, how?

If you want to prevent anybody (or public or...) to see Fabrik records you must set the appropriate list access settings.
E.g. if guests are only allowed to add data into a new (empty) Fabrik contact form set only "Add records" to public in your Fabrik list access.
 
Thanks for responding.

As you can see in the URL (red circle), id of 135 belongs to someone else who submitted that data a few years ago.
The new submitted data id is 552 and many others. It doesn't matter how many times I submit different data with different emails and names, it always ends up showing that user with id 135 in the entry fields that I blanked out in the fields below.
I hope this makes more sense now. If you need any other information, please let me know.
Thanks
P.S. I thought I already had the latest Joomla version as my Joomla did not show an update when I refreshed the cache in the update page.

[screenshot]
 
So the 1st thing you should do is to set correct access settings to your list.
Everybody can type any URL like ...form/1/some_number and would see the data of this person if you have record view access = public.
 
Thanks guys for helping me. It is much appreciated

Can you please bear with me, as it has been many years since I set this up and my memory is not what it used to be.

troester
How can I set access to it? Do I do it with each element or just the Send (Submit) element? Or somewhere else?

cheesegrits
Where do I start to tell you how I have the menu item configured. Where do I look? Sorry, it's been a while.

Just to let you know that when I first created this many years ago, this never happened and I did not change anything in the settings. This only happened during updates.
Also, whatever I do, id 135 is the only record that shows up. The others don't, and I have over 100 submitted records. I could delete that record to see if another one replaces it.

Thanks
 
List access settings: edit your list, set only "Add records" to public
[screenshot]

Edit your form: do you have any plugin added?
[screenshot]

Menu item: Assuming you have a menu item type "Fabrik form", what are your settings?
[screenshot]
 
Thanks for your help again.
Changing my list to what you have in the screenshot didn't help, as it gave me 2 errors:

1. Sorry, but you are not authorised to edit this record
2. Error
You are not authorised to view this resource.

This did remove the form after submitting, but this is not the issue. The issue is that in the browser's URL it keeps on showing id 135, which is someone else's id and data, i.e. the same record again.
Ideally I want to remove any trace of this url with any id numbers after submitting and to have a blank form as it stays on the same page.

Could this be a security and privacy issue?
I could be lucky and make up any numbers and find people's personal details.

Is there a way to remove this sensitive URL with an id number after submitting?
Thanks.
 
I could be lucky and make up any numbers and find people's personal details.
This is exactly why you always must set appropriate list access settings.
Now anybody who tries will get the error messages but no data.

The wrong URL must be something coming from your form (e.g. redirect plugin) or menu item settings.

As @cheesegrits and I said before: check your form settings and your menu item settings.
 
It's been such a long time, I need to refresh what I did a few years ago.

Sorry, I don't know where to find that Menu Item.
In the plugin section, I have 'redirect', 'email' and 'receipt' set up on the form. I tried different settings. For example, one removed that URL with the form and id data, but the browser keeps on wanting to validate the email address. It comes from the browser, as a tiny pop-up window appears on top of the page.
Also, how can I just remove that URL info, i.e. .1/135, etc.? And why does it always show the 135 id, which is another user in the database from years ago? That needs to be addressed if there is a bug. This only happened during both the Joomla and Fabrik upgrades, as this never ever happened during the time I created the form using Fabrik 3.7+.

As a test, I unpublished the 'redirect' plugin and it looks like this is ok, no data in the URL, although I have to have it because I added some acymailing newsletter subscription code, which you guys helped me with a few years ago. Without the 'redirect' plugin, I would assume the user does not automatically get subscribed to the newsletter after submission.
After all these years, is there another way to achieve newsletter subscription without the redirect plugin as it uses the 'Jump Page' and 'Condition' code option? (another issue of course). Thanks.
 
Forgot to add screenshots for above message:
When I set 'Save and Next' to 'No',
[screenshot]

And then, when I submit the form, I get this email validation pop-up message:
[screenshot]
I have to click on OK to move on back to the form.
 
After submit Fabrik is redirecting to the URL you set in "Jump page", so acymailing in your case.

I think the "valid e-mail" popup is coming from acymailing, it's not Fabrik.

What is your complete Jump URL?
I have to use the correct acymailing parameters (I don't know if user[name] and user is the format they need) and the correct Fabrik placeholders for the recent component versions.
{name} and {email} are not Fabrik element placeholders; the format has been (for a long time now) the full element name, so {your-table___your-element},
or, to make sure you get the unformatted input, {your-table___your-element_raw}
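To make troester's point about placeholders concrete, here is an added Python model (not Fabrik's own code and not from this thread) of how a redirect "Jump page" URL gets its {table___element} and {table___element_raw} placeholders filled: recognised names are substituted and URL-encoded, and anything else, such as {name} or {email}, stays literal in the resulting URL. The element names, the sample values, and the assumption that a yes/no element's formatted value is its label while its raw value is the stored value are all constructed for the example.

```python
# Added example (not Fabrik code): model of Jump URL placeholder filling.
import re
from urllib.parse import quote_plus

# Matches {some_name}; Fabrik element placeholders are {table___element}.
PLACEHOLDER = re.compile(r"\{([A-Za-z0-9_]+)\}")

# Constructed sample submission. Assumption: the formatted value of the
# newsletter element is its label ("Yes"), the raw value is what is stored.
FORMATTED = {
    "contact_us___full_name": "Firstname Surname",
    "contact_us___email_address": "email@gmail.com",
    "contact_us___newsletter": "Yes",
}
RAW = dict(FORMATTED, contact_us___newsletter="1")

# The Jump URL from the thread (wrong placeholders) and a corrected one.
JUMP_URL_OLD = ("index.php?option=com_acymailing&ctrl=sub&task=optin"
                "&hiddenlists=1&user[name]={name}&user={email}")
JUMP_URL_NEW = ("index.php?option=com_acymailing&ctrl=sub&task=optin"
                "&hiddenlists=1&user[name]={contact_us___full_name}"
                "&user={contact_us___email_address_raw}")


def fill_jump_url(url, formatted, raw):
    """Substitute known placeholders (URL-encoded); leave unknown ones literal.

    Returns (filled_url, unknown_placeholders) so a form admin can see a
    mistyped placeholder before the redirect goes live.
    """
    unknown = []

    def substitute(match):
        name = match.group(1)
        if name.endswith("_raw") and name[:-4] in raw:
            return quote_plus(str(raw[name[:-4]]))
        if name in formatted:
            return quote_plus(str(formatted[name]))
        unknown.append(name)        # not a Fabrik element: left as-is
        return match.group(0)

    return PLACEHOLDER.sub(substitute, url), unknown


if __name__ == "__main__":
    for url in (JUMP_URL_OLD, JUMP_URL_NEW):
        filled, unknown = fill_jump_url(url, FORMATTED, RAW)
        print(filled)
        print("unrecognised placeholders:", unknown)
```

Run it and the first URL still contains the literal text user[name]={name}&user={email}, exactly as in the URL posted later in this thread, while the second one carries the encoded name and address.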
 
Thank you for your response again.

Yes that is correct, it jumps to acymailing, but only in the background as it never actually goes to an acymailing page. You'll know better than me.

Here is the entire jump URL:
[screenshot]

URL (text format):
index.php?option=com_acymailing&ctrl=sub&task=optin&hiddenlists=1&user[name]={name}&user={email}

Thanks.
 
No idea if your URL params are correct for subscribing to acymailing, I don't have it installed.
I'm pretty sure it's going to the acymailing page because the validation error popup is not coming from Fabrik (if you don't have a heavily modified Fabrik form template including custom Javascript).
So the URL you see afterwards is also coming from acymailing.
For testing turn off SEF URLs to see the "raw" params. Maybe this will give a hint why it's setting a record id.

Is it working if you are typing the URL with hardcoded name and email?

In any case you must use {contact_us___email_address_raw}, not {email} in the Jump URL

Menu item: it's your Joomla menu item type "Fabrik form".
 
Every time I submit, it goes back to the same contact us form, i.e. the Fabrik form. It's only working in the background.
Interesting that you say that URL is coming from Acymailing. If it wasn't for this, I would remove the 'redirect' plugin. I wonder if this happens to anyone else. Like I said, this never happened before, so I would assume the updates are causing this.
This is the URL after submission:
https://www.xxxxx.com/about-us/contact-us/form/1/135?contact_us___date_time=2019-12-12+15%3A41%3A00&contact_us___id=593&contact_us___full_name=Firstname+Surname&contact_us___email_address=email%40gmail.com&contact_us___country=United+Kingdom&contact_us___subject=General&contact_us___game_enquiry=&contact_us___comments=&contact_us___hear_about_us=
That 135 id always shows. Something is wrong there. The id of this submitted form is 593, so I would assume the id 135 would be replaced with id 554. Could this be a bug?

As far as I'm aware, I don't have SEF URLs... or do I? I will have to check if it is a Joomla 3+ option.

If I type the above URL and add a different name and email and any other data, I can click on enter and it will enter the new data in the form. I then click on the Captcha validation and it actually overwrites the previous data in id 593 even though in the URL it is id 135. This is very odd and is really a security & privacy issue. Something is wrong. Fabrik must not behave this way. I think it mainly has something to do with linking to Acymailing. Has anything changed in the last few years?

I will try the {contact_us___email_address_raw} now.

Thanks.
 
Aha, something has changed when I replaced {email} with {contact_us___email_address_raw}. The id in the URL is now showing the correct id, which is great; however, the only problem is that it is automatically subscribing that user to the acymailing newsletter, and legally that is not allowed. Due to GDPR, the user must have the option to subscribe or not. Since this change, after submission the form does not show anymore, which is ok; I don't mind that because the data has already been submitted.
We are nearly getting there so it looks like acymailing is causing it and the code must have changed since the last time I created it.

Also, when I select 'No' in the 'Save and Next' option in the 'redirect' plugin, the id in the URL is gone. It only shows the form number, which is number 1 in my case and that is great. It should be like that.
Thanks.
 
I just saw that you enabled "Save and next" in your redirect plugin, turn it off!
The tooltip says
If selected, all other options are ignored and we will redirect to edit the next rowid, subject to whatever filtering is in effect on the list
So yes, with this option you'll show the next record (or maybe first, if adding a new record) to the user. This doesn't make sense and will expose data if you don't have appropriate access settings and/or prefilters.
Additionally you don't need "Append data"
 
Ok, they are both set to 'No'.
This is the URL link I get now:
https://xxxxxx.com/index.php?option=com_acymailing&ctrl=sub&task=optin&hiddenlists=1&user[name]={name}&user=xxxxxx@gmail.com

After submission, the form has disappeared, which is far better now. I get the following info.
The top one is ok and normal, but the bottom one (in blue) shouldn't be there, as I did not choose to subscribe to the newsletter. In this case it is stating that I am already subscribed. If not, it would tell me that I am subscribed.
[screenshot]

This now leaves us with the fact that it automatically subscribes the user to the acymailing newsletter database without opting in, which is illegal now due to the GDPR law. I have an option on the form to allow people to subscribe to the newsletter or not, i.e. a Yes checkbox. If left blank, they are not subscribed. It worked well for a long time.
[screenshot]
 
This is the 'Condition' code in the 'redirect' plugin:


    // Values filled in by Fabrik from the submitted form
    $myEmail = '{contact_us___email_address}';
    $myName = '{contact_us___full_name}';
    //$newsletter = '{contact_us___newsletter_raw}';
    $newsletter = '{contact_us___newsletter}';

    if (!empty($myEmail)) {
        // Load the Acymailing helper; without it nothing below can run
        if (! include_once JPATH_ADMINISTRATOR . '/components/com_acymailing/helpers/helper.php')
        {
            throw new RuntimeException("Acymailing not installed");
        }

        // Option to allow user to subscribe to newsletter:
        // only carry on (and redirect) if the opt-in checkbox was ticked
        if ($newsletter != "Yes") {
            return;
        }
        //if (empty($newsletter)) {
        //    return;
        //}

        // Build the subscriber record
        $myUser = new stdClass();
        $myUser->email = $myEmail;
        $myUser->name = $myName;

        //If you require a confirmation but don't want the user to have to confirm his subscription via the API, you can set the confirmed field to 1:
        //$myUser->confirmed = 1;
        $subscriberClass = acymailing_get('class.subscriber');
        $subid = $subscriberClass->save($myUser);

        // Subscribe the new user to one list
        $newSubscription = array();
        $newList = array();
        $newList['status'] = 1;
        $newSubscription[1] = $newList; // Replace 1 with the ID of the list.
        $subscriberClass->saveSubscription($subid, $newSubscription);

        // This line generates a submission output to let the user know that they have been subscribed to the newsletter, plus other info - A Joomla code that works
        //JFactory::getApplication()->enqueueMessage('Thank you for submitting the form. A member of our team will contact you shortly. You have also opted to subscribe to our newsletters.');
        // This line generates the same newsletter subscription message as the above Joomla code, but this is the Acymailing code instead
        acymailing_enqueueMessage("Thank you for submitting the form. A member of our team will contact you shortly. You have also opted to subscribe to our newsletters.", "success");
        //$listsubClass = acymailing_get('class.listsub');
        //$userSubscription = $listsubClass->getSubscription($subid);
    }
 