Direct call to URL - default security issue

rperrett · April 13, 2022, 5:13am

I am sure that this wasn’t the case 5yrs ago, however I have just recently noticed the following which seems to be a pretty big security issue when using default setup/settings.

By default forms are created with “enable direct call to URL” set to on instead of off. This means that the once a user has logged in, they can open the form app directly and append the primary key as a get variable to view records they wouldn’t normally have access to. eg. /secure_form/?id=1234

I’m sure this used to be off by default as its a major security risk to have it turned on. Perhaps you also need to check your applications.

While I’m on the topic, is there a way to configure “use security” as ON by default? The setting is missing in project default values. Or am I missing something?

Thanks
Rob

Claudio_Senel · April 18, 2022, 1:18am

Check out this full video. At minute 1:33 there is the option to apply security to all applications. somehow answers your question.

best regards

rperrett · April 18, 2022, 1:29am

Yes its possible to apply to all, however off by default would be a much better option.

aamartinezz · April 19, 2022, 8:22pm

There is another security issue more important than that, which also requires manual implementation.

If you edit, add or delete a record that has a PK, but you use an intermediate proxy and modify the request and send another PK, the operation is applied to the second PK, which generates a privilege escalation.
The way to avoid this is to control in each received event that the returned data matches the data published by the form, can anyone find another way?

bye