LaCollision, posted February 23

Hi, I've just realized that all application information in JSON and XML formats is freely available on the web. For example:

https://invisioncommunity.com/applications/core/data/schema.json
https://invisioncommunity.com/applications/core/data/settings.json
https://invisioncommunity.com/applications/core/data/furl.json

=> Isn't it dangerous to leave sensitive information such as the database structure of all applications, default settings, or even all existing URLs accessible? For example, settings.json contains the parameter recaptcha2_private_key…

This applies not only to Invision applications, but also to third-party applications.

Thank you,
Randy Calvert, posted February 24

No... not really. Those are default values... not necessarily YOUR values. For example, settings.json has existed for literally a decade.

The schema data is not sensitive data either. If an attacker can run direct queries on your database, you've got much bigger problems than knowing failed_login_count cannot be null or a default value is no.

And for furls, if you're not using them, you would see the complete URL anyway. There is no extra security by going to /login vs /index.php?app=core&module=system&controller=login

If someone is REALLY that interested in knowing the default out of the box settings as an attacker, they could simply download the software source code itself (legally or illegally) to find them. But there is nothing there that exposes anything about your install vs a vanilla fresh/clean install.
Daniel F, posted February 24

Exactly :) There's nothing to worry about in the data there.
LaCollision (thread author), posted February 26

I'm well aware that these files have been there for eternity; for so long that we no longer even question their existence. Well, freely exposing the structure of databases, application parameters (even if these are their default values), or all URLs: I don't find that very reassuring for a potential customer. Publicly displaying database structures mechanically exposes applications to SQL injection attacks much more easily.
Marc, posted February 26

I'm pretty sure anyone who has a mind to want to 'hack' your site will be able to get the database structure very easily. The default values are also very easily obtained, just by installing the software yourself and taking a look.
LaCollision (thread author), posted February 26

Of course, anyone can retrieve the basic structure of Invision applications, no doubt about it. But for developers who sell their applications to customers, I find this rather awkward.

Let's imagine an important customer who orders an application to enhance his Invision community site. And let's imagine that this application contains more sensitive information than the default Invision databases. The developer will create an application specifically for the customer's needs. And I don't find it particularly comfortable to tell the customer "Yes, your database structure is freely accessible on the web, but don't worry, it's not a big deal".
Esther E., posted February 26

7 minutes ago, LaCollision said:
"Of course, anyone can retrieve the basic structure of Invision applications, no doubt about it. But for developers who sell their applications to customers, I find this rather awkward. Let's imagine an important customer who orders an application to enhance his Invision community site. And let's imagine that this application contains more sensitive information than the default Invision databases. The developer will create an application specifically for the customer's needs. And I don't find it particularly comfortable to tell the customer "Yes, your database structure is freely accessible on the web, but don't worry, it's not a big deal"."

Coming at this from the perspective of a 3rd party developer (since 2007)... what kind of sensitive data could possibly be there? The only type of scenario coming to my head is a government contract, something classified (I've worked on one of those). Something like that would be installed on a server so secure that the json files are not exactly a concern. And it would probably be within a VPN.
LaCollision (thread author), posted February 26

Not to mention a government website. Any respectable-sized company today has become so procedural that they make you sign a 4 zillion-page document when you want to develop an HTML page for their website.

All I'm saying is that, as a developer, exposing the database structure of a customer's application is really frowned upon. The reasons are obvious. There shouldn't even be a debate about this.
Randy Calvert, posted February 26

If your approach to security is to employ "security by obscurity" you should not be using regular commercial off the shelf software. 😉
LaCollision (thread author), posted February 26

1 minute ago, Randy Calvert said:
"If your approach to security is to employ "security by obscurity" you should not be using regular commercial off the shelf software. 😉"

Thanks for your sound advice, I'll keep that in mind.
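The practical consequence of this thread for a third-party developer is that anything placed in an application's data/settings.json is web-readable, so the file must only ever carry defaults, never a live credential or a site-specific value. The following check is an added example, not Invision's code; the list-of-settings layout and the sample entries are constructed assumptions, not the real file format.

```python
import json
import re

# Constructed sample of a third-party app's shipped data/settings.json.
# The layout (a list of {"key", "value"} records) is an assumption for
# illustration, not Invision's actual schema.
SHIPPED_SETTINGS = json.loads("""
[
  {"key": "failed_login_count",     "value": "5"},
  {"key": "recaptcha2_private_key", "value": ""},
  {"key": "smtp_pass",              "value": "do-not-ship-this"},
  {"key": "custom_webhook_url",     "value": "https://hooks.example.test/abc"},
  {"key": "site_online",            "value": "1"}
]
""")

# Constructed vendor baseline: what the same file looked like when the
# application was first packaged (all credential-like defaults empty).
VENDOR_SETTINGS = json.loads("""
[
  {"key": "failed_login_count",     "value": "5"},
  {"key": "recaptcha2_private_key", "value": ""},
  {"key": "smtp_pass",              "value": ""},
  {"key": "site_online",            "value": "1"}
]
""")

# Key-name fragments that usually denote a credential; extend per application.
SECRET_HINT = re.compile(r"secret|private_key|password|passwd|_pass\b|token|api_key", re.I)


def find_shipped_secrets(settings):
    """Keys whose name looks like a credential AND whose default is non-empty.
    An empty default (as with recaptcha2_private_key) is harmless to publish."""
    return [s["key"] for s in settings
            if SECRET_HINT.search(s["key"]) and s.get("value") not in ("", None)]


def diff_from_vendor(vendor, shipped):
    """Keys whose shipped default differs from (or is absent in) the vendor
    baseline. Since the file is served publicly, any such key would leak a
    site-specific value rather than a default."""
    base = {s["key"]: s.get("value") for s in vendor}
    return sorted(s["key"] for s in shipped if base.get(s["key"]) != s.get("value"))


if __name__ == "__main__":
    print("credential-like keys with real values:", find_shipped_secrets(SHIPPED_SETTINGS))
    print("keys drifted from vendor defaults:", diff_from_vendor(VENDOR_SETTINGS, SHIPPED_SETTINGS))
```

Run it as a pre-release step on the app's own data/ directory; a non-empty result from either function means the packaged JSON carries something beyond out-of-the-box defaults.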