JSON and XML applications files freely available

LaCollision · February 23

Hi,

I've just realized that all applications information in JSON and XML formats is freely available on the web.

For example:

https://invisioncommunity.com/applications/core/data/schema.json

https://invisioncommunity.com/applications/core/data/settings.json

https://invisioncommunity.com/applications/core/data/furl.json

=> Isn't it dangerous to leave sensitive information such as the database structure of all applications, default settings, or even all existing URLs accessible?

For example, settings.json contains the parameter recaptcha2_private_key…

This applies not only to Invision applications, but also to third-party applications.

Thank you,

Randy Calvert · February 24

No... not really. Those are default values... not necessarily YOUR values. For example, settings.json has existed for literally a decade. The schema data is not sensitive data either. If an attacker can run direct queries on your database, you've got much bigger problems than knowing failed_login_count cannot be null or a default value is no. And for furls, if you're not using them, you would see the complete URL anyway. There is no extra security by going to /login vs /index.php?app=core&module=system&controller=login

If someone is REALLY that interested in knowing the default out of the box settings as an attacker, they could simply download the software source code itself (legally or illegally) to find them. But there is nothing there that exposes anything about your install vs a vanilla fresh/clean install.

Daniel F · February 24

Exactly:)

There‘s nothing to worry about about the data there.

LaCollision · February 26

I'm well aware that these files have been there for eternity; for so long that we no longer even question their existence.

Well, I find that freely exposing the structure of databases, application parameters (even if these are their default values), or all URLs, well, I don't find that very reassuring for a potential customer.
Publicly displaying database structures mechanically exposes applications to SQL injection attacks much more easily.

Marc · February 26

Im pretty sure anyone who has a mind to want to 'hack' your site, will be able to get the database structure very easily. The default values are also very easily obtained, just by installing the software yourself and taking a look.

LaCollision · February 26

Of course, anyone can retrieve the basic structure of Invision applications, no doubt about it.

But for developers who sell their applications to customers, I find this rather awkward.
Let's imagine an important customer who orders an application to enhance his Invision community site. And let's imagine that this application contains more sensitive information than the default Invision databases.
The developer will create an application specifically for the customer's needs.

And I don't find it particularly comfortable to tell the customer "Yes, your database structure is freely accessible on the web, but don't worry, it's not a big deal".

Esther E. · February 26

7 minutes ago, LaCollision said:

Of course, anyone can retrieve the basic structure of Invision applications, no doubt about it.

But for developers who sell their applications to customers, I find this rather awkward.
Let's imagine an important customer who orders an application to enhance his Invision community site. And let's imagine that this application contains more sensitive information than the default Invision databases.
The developer will create an application specifically for the customer's needs.

And I don't find it particularly comfortable to tell the customer "Yes, your database structure is freely accessible on the web, but don't worry, it's not a big deal".

Coming at this from the perspective of a 3rd party developer (since 2007)... what kind of sensitive data could possibly be there? The only type of scenario coming to my head is a government contract, something classified (I've worked on one of those). Something like that would be installed on a server so secure, that the json files are not exactly a concern. And probably would be within a VPN.

LaCollision · February 26

Not to mention a government website.
Any respectable-sized company today has become so procedural that they make you sign a 4 zillion-page document when you want to develop an HTML page for their website.

All I'm saying is that, as a developer, exposing the database structure of a customer's application is really frowned upon.
The reasons are obvious. There shouldn't even be a debate about this.

Randy Calvert · February 26

If your approach to security is to employ “security by obscurity” you should not be using regular commercial off the shelf software. 😉

LaCollision · February 26

1 minute ago, Randy Calvert said:

If your approach to security is to employ “security by obscurity” you should not be using regular commercial off the shelf software. 😉

Thanks for your sound advice, I'll keep that in mind.

Invision Community 4: SEO, prepare for v5 and dormant account notifications

Invision Community 5: Beta testing and latest updates

Invision Community 4: A more professional report center

Invision Community 5: A video walkthrough creating a custom theme and homepage

JSON and XML applications files freely available

Recommended Posts

LaCollision

Randy Calvert

Daniel F

LaCollision

Marc

LaCollision

Esther E.

LaCollision

Randy Calvert

LaCollision

Recently Browsing 0 members

More