lcollong
FabriKant of web applications
Hi,
I've recently realized how easy it could be for someone to list some hidden tables.
In several apps, I use a lot of Fabrik's lists together with a private area on the front (intranet, extranet). Most of the lists are displayed through J! menus. These menus are reserved to some J! user access levels. Thus, public visitors can't have access to these lists. I used to carefully tune them regarding ACL permissions. Except if there are good reasons for that (public access data), almost none of these rights are under the registered level.
Even on a SEF-enabled site, it's easy for someone (or a bot) knowing a little bit of Joomla and Fabrik to test a URL like www.mysite.com/index.php?option=com_fabrik&view=list&listid=X
For most of them the answer will be a 500 error with an "incorrect list id" message (which is a proof of the Fabrik engine's presence if you have no .htaccess redirection on this error number). For all the lists used on the private part, the answer will be something like "you do not have the right to access this resource". Which is also a kind of encouragement to test further.
I also use some "service tables" to store parameters, internal rights, logs, n-m relationship tables and so on. Most of them are not used in menus. They are used in DBjoin elements, CDD, PHP plugins etc. They are "hidden", so I missed changing the ACL since I never "call" them directly on the front part of the app. These tables show up nicely with all their data after some tries on the listid number! Including the #__users one I use frequently to check the app's rights against the logged user.
Of course, this is not a Fabrik problem. I should have checked the ACL on all the lists. It's a "programmer failure".
However, I think it could help to have the default ACL level on list creation set to "registered" rather than "public". Or at least that a parameter should give us the opportunity to set this default value for all further list creations. Or, ideally, to have a kind of batch process allowing us to set the ACL on all the lists.
Another solution I'll probably use meanwhile is to modify the default list template so that it throws a kind of "error 404 message" instead of displaying the table's data. But I guess I need to do it also for the detail and form templates.
Just some thoughts...
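One way to do the audit and the "batch process" the post asks for, as an added example that is not part of the original post and not code shipped by Fabrik or Joomla: it assumes the Fabrik 3 schema, where each list is a row in `#__fabrik_lists` with an integer `access` column holding a Joomla view-level id and a `db_table_name` column naming the underlying database table, and where Joomla keeps view levels in `#__viewlevels` (on a default install Public is id 1 and Registered is id 2). `#__` is Joomla's prefix placeholder and has to be replaced by the site's real table prefix.

```sql
-- Added example (not from the original post, not Fabrik's own code).
-- Assumed schema: #__fabrik_lists(id, label, db_table_name, access, ...)
-- and #__viewlevels(id, title, ...). Replace #__ with the real prefix.

-- 1. Audit: every Fabrik list that public visitors may view, with the
--    database table behind it, so unmenued "service tables" (parameters,
--    logs, n-m relationships, #__users joins) stand out for review.
SELECT l.id, l.label, l.db_table_name, v.title AS access_level
FROM #__fabrik_lists AS l
JOIN #__viewlevels AS v ON v.id = l.access
WHERE v.title = 'Public'
ORDER BY l.id;

-- 2. Batch fix: move every list still at Public to Registered in one
--    statement. Lists that legitimately must stay public go into the
--    NOT IN list (0 is a placeholder that matches no real list id).
UPDATE #__fabrik_lists
SET access = (SELECT id FROM #__viewlevels WHERE title = 'Registered')
WHERE access = (SELECT id FROM #__viewlevels WHERE title = 'Public')
  AND id NOT IN (0);
```

Run the SELECT first and review its output before the UPDATE: a list that really is meant for anonymous visitors (the "public access data" case) must be added to the exclusion list, otherwise it will be locked down too. After the UPDATE, re-running the SELECT should return only the excluded ids, and a request for any other listid through `index.php?option=com_fabrik&view=list&listid=X` as a logged-out visitor should now be refused instead of showing data.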