Support » Plugin: Contact Form 7 Database + | CFDB+ » Export – Security Issue Resolved?

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author contactic

    (@contactic)

    Hello Fabbstar,

    Can you tell us where User=DemoUsername is coming from when you generate the export URL? What do you click on to get this parameter? Is this a ‘transform’ function?

    The Contactic team

    Hey,

    That’s just an example field which you could use to provide a user with a feed of their submissions. You would need to filter results for that user only, so as an example I have assumed there is a column in the form named ‘User’, which stores the username of the user.

    The issue is that when you create the export link, all somebody needs to do is remove this filter from the URL, and then they can export all of the form’s data.

    I would be keen to know if there is a plan to make this less vulnerable.

    • This reply was modified 5 months, 3 weeks ago by Fabbstar.
    Plugin Author contactic

    (@contactic)

    Well… I think that we can’t talk about a vulnerability here, since we are arguing about a filter someone could remove… or not. And a filter… well… does its filtering job when it’s present… or not.

    Anyhow, I think that you would be interested in a feature capable of generating obfuscated export URLs (with a filter inside) that you would share with someone. And this obfuscated link would obviously not be altered (because it would be a unique string… referring to a particular export).

    Am I right?

    [ Signature deleted ]

    • This reply was modified 5 months, 3 weeks ago by contactic.
    • This reply was modified 5 months, 3 weeks ago by Jan Dembowski.
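The two posts above describe the same problem from both sides: a filter carried as a plain query parameter (the `User=DemoUsername` example) is not an access control, because the client chooses whether to send it; and a link that carries a "unique string referring to a particular export" only helps if the server derives the filter from that string and refuses anything it did not issue. The PHP below is an added example written for this thread, not code from the CFDB+ plugin or from either poster. All names in it (`export_unsafe`, `make_export_link`, `verify_export_link`, `export_safe`, `EXPORT_SECRET`, the `$submissions` rows) are hypothetical and the sample rows are constructed; it binds the filter to the link with an HMAC, which is one way to get the tamper-proof property the plugin author sketches.

```php
<?php
// Added example for the CFDB+ export-link discussion; not plugin code.
// Shows (1) why a filter in a plain query string can simply be dropped, and
// (2) one way to seal the filter into the link so it cannot be edited.
// All function names, the secret and the sample rows are hypothetical.

declare(strict_types=1);

// Constructed sample data standing in for stored form submissions.
$submissions = [
    ['User' => 'DemoUsername', 'Email' => 'demo@example.com'],
    ['User' => 'alice',        'Email' => 'alice@example.com'],
    ['User' => 'bob',          'Email' => 'bob@example.com'],
];

// --- Vulnerable pattern: the filter is whatever the client chose to send ---
function export_unsafe(array $rows, array $query): array
{
    $filter = $query['filter'] ?? [];            // e.g. ['User' => 'DemoUsername']
    return array_values(array_filter($rows, function (array $row) use ($filter): bool {
        foreach ($filter as $col => $val) {
            if (($row[$col] ?? null) !== $val) {
                return false;
            }
        }
        return true;                             // empty filter => every row
    }));
}

// --- Hardened pattern: the filter travels inside an HMAC-signed token ------
// The secret stays on the server (in a WordPress plugin it could be derived
// from wp_salt() or stored as an option); a link holder cannot mint a new one.
const EXPORT_SECRET = 'replace-with-a-server-side-secret';

function make_export_link(array $filter, int $expires_at): string
{
    $payload = base64_encode(json_encode(['filter' => $filter, 'exp' => $expires_at]));
    $mac     = hash_hmac('sha256', $payload, EXPORT_SECRET);
    return '/export?token=' . rawurlencode($payload . '.' . $mac);
}

// Returns the filter sealed in the link, or null if the token is missing,
// edited, forged or expired. The returned filter is the ONLY one ever used.
function verify_export_link(string $url, int $now): ?array
{
    parse_str(parse_url($url, PHP_URL_QUERY) ?? '', $query);
    $token = (string) ($query['token'] ?? '');
    if (substr_count($token, '.') !== 1) {
        return null;
    }
    [$payload, $mac] = explode('.', $token, 2);
    $expected = hash_hmac('sha256', $payload, EXPORT_SECRET);
    if (!hash_equals($expected, $mac)) {         // constant-time compare
        return null;
    }
    $data = json_decode(base64_decode($payload, true) ?: '', true);
    if (!is_array($data) || ($data['exp'] ?? 0) < $now) {
        return null;
    }
    return $data['filter'] ?? null;
}

function export_safe(array $rows, string $url, int $now): ?array
{
    $filter = verify_export_link($url, $now);
    if ($filter === null) {
        return null;                             // refuse; never fall back to "all rows"
    }
    return export_unsafe($rows, ['filter' => $filter]);
}

// --- Demo ----------------------------------------------------------------
$now = time();

// 1. Plain query filter: remove it from the URL and the whole table comes out.
parse_str('filter[User]=DemoUsername', $q);
echo count(export_unsafe($submissions, $q)), " row(s) with the filter present\n";
echo count(export_unsafe($submissions, [])), " row(s) with the filter removed\n";

// 2. Signed link: the filter is part of the token and cannot be stripped.
$link = make_export_link(['User' => 'DemoUsername'], $now + 3600);
echo count(export_safe($submissions, $link, $now) ?? []), " row(s) via the signed link\n";

// Stripping the token, or swapping in an attacker-chosen empty filter while
// keeping the original MAC, both fail verification and export nothing.
$stripped = '/export?token=';
[$origPayload, $origMac] = explode('.', rawurldecode(substr($link, strlen('/export?token='))), 2);
$forged = '/export?token=' . rawurlencode(
    base64_encode(json_encode(['filter' => [], 'exp' => $now + 3600])) . '.' . $origMac
);
var_dump(export_safe($submissions, $stripped, $now)); // NULL
var_dump(export_safe($submissions, $forged, $now));   // NULL
```

The property that matters is that the server reconstructs the filter from state the client cannot edit, and answers a bad token with a refusal rather than an unfiltered dump. A random export id looked up in a server-side table gives the same guarantee as the HMAC above; mere obfuscation of a URL that the server still parses as a filter does not. Either way the link is a bearer capability, so it should carry an expiry (as here) and, where the recipient is a logged-in user, the export handler should additionally check that user's identity or capability rather than trusting the link alone.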
    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Side note to @contactic Thanks for the great support but please lose the signature. That’s prohibited in these forums as it’s been horribly abused in the past by others.

    The Contactic team

    Yes, bad people ruin it for others. No, I am not kidding. Please refrain from that.

    https://wordpress.org/support/guidelines/#avoid-signatures

    Plugin Author contactic

    (@contactic)

    @jdembowski : got it and makes sense 😉
