Security level - some considerations

Hi,

I've recently realized how easy it could be for someone to list some hidden tables.

In several apps, I use a lot of Fabrik's list together with a private area on the front (intranet, extranet). Most of the list are displayed through J! menus. These menus are reserved to some J! users access levels. Thus, public visitors can't have access to these lists. I use to carefully tuned them regarding ACL permissions. Except if there are good reasons for that (public access data), almost none of these rights are under the registred level.

Even on a SEF enable site, it's easy for someone (or a bot) knowing a little bit of Joomla and Fabrik, to test url like www.mysite.com/index.php?option=com_fabrik&view=list&listid=X
For most of them the answer will be a 500 error with an "incorrect list id" message (which is a proof of the Fabrik engine presence if you have no htacess redirection on this error number). For all the list used on the private part, the answer will be something like "you do not have right to access this ressource". Which is also a kind of encouragement to test further.

I also use some "service tables" to store parameters, internal rights, logs, n-m relationships table and so on. Most of them are not used in menus. There are used in DBjoin element, CDD, Php plugin etc... They are "hidden", so I've missed to change the ACL since I never "call" them directly on the front part of the app. These tables show up nicely with all their data after some tries on the listid number ! Including the #__users one I use frequently to check the app's right against the logged user.

Of course, this is not a Fabrik problem. I should have check ACL on all the list. It's a "programmer failure".

However, I think it could help to have the default ACL level on list creation set to "registred" rather than "public". Or at least that a parameter should give us the opportunity to set this default value for all further list creation. Or, ideally, to have a kind of batch process allowing us to set ACL on all the list.

Another solution I'll probably use meanwhile is to modify the default list template so that it throw a kind of "error 404 message" instead of displaying the table's data. But I guess I need to do it also for the detail and form template.

Just some thoughts......

 

Some SQL I've used to figure how many list where involved and modify ACL for those left in the "default" mode.
If it may help. Use with caution. It may break your setup. Always backup before modify anything directly in the Fabrik's tables.

 

Don't know what is "content_type feature" ? What are you talking about ?

Meanwhile I wrote a "quick'n dirty little script" to check a given url again possible "open" lists.
I put it here in case some one would like to play with it and/or improve it. There is a lot to do !

May be such a tool could be included in Fabrik core ? I would imagine some "magic url" like :
...index.php?option=com_fabrik&checkacl
which would go through all the lists verifying acl vs current registered user (or not). Debug switch dependent of course.

 

Yes of course I know it. Indeed, could be a nice way to set some kind of default setup for further list creation.
I usually don't use it as I prefer set table dependent name for the columns (cust_id, cust_name, cust_address, etc...). I know Fabrik does it already with the "full name" but it makes things easier on big app with a lot of elements and external scripts doing extensive additional SQL.

 

It would be really cool to have default access configurations, for lists and elements, in the Fabrik Global Configuration. Is that a big ask?

 

A lot of tedious coding for you, but potentially hours less tedious configuring for me