Security of Deposit feature - reveals private information?

7 years 2 weeks ago #114895 by Russell Noble
Hi,
Testing the deposit feature before we roll it out in production, and it appears the URL has no security, in that it's possible to just work through the URL incrementing the registrant_id field until a valid id is found. This then displays the registrant's personal details.

I'm testing on 3.3.0 and maybe it's been addressed, but is it possible to get a random identifier in the URL which is checked, so that both the registrant_id and the random identifier need to be provided? Or alternatively, do not display any of the details of the registration?

Thanks,
Russell.

7 years 2 weeks ago #114900 by Tuan Pham Ngoc
Hi Russell

This issue looks valid to me. To be sure, I guess you are talking about the deposit payment form, correct?

Tuan

7 years 2 weeks ago #114901 by Tuan Pham Ngoc
If so, for now, please make a small modification to the code to prevent the form data from being pre-filled, to avoid this issue:

1. Open this file components/com_eventbooking/view/payment/html.php

2. Find this line of code at line 248 and comment it out:

$form->bind($data, $useDefault);

That should prevent the form from being pre-filled with data, and it would solve the issue for now. I will need to find a better solution later.

Tuan

7 years 2 weeks ago #114902 by Russell Noble
Yes, the deposit form shows the registration details which may (and often do) include personal details such as the address, phone number and email etc.

This would mean someone could just iterate through numbers and anyone who has only paid a deposit will have their information made available.

The easiest way around this is to have a password saved in the database, and the URL has to include both the registration id and the password. The password could simply be a hash of the transaction id, but I'm sure you'll work something out.

thanks!

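A defensive sketch of the approach suggested in this post, and an alternative to the prefill-disabling workaround above: this is an added example, not Events Booking's own code. It uses a random per-registration token instead of a hash of the transaction id, and assumes a hypothetical access_token column and a constructed in-memory array standing in for the database; the link base URL is a placeholder.

```php
<?php
// Added example (not Events Booking code): tie a deposit-payment link to a
// per-registration secret so that registrant_id alone cannot open the form.
// Storage is a constructed in-memory array standing in for the registrations table.

// Constructed sample "table": registrant_id => row. The access_token column is assumed.
$registrations = [
    101 => ['first_name' => 'Alice', 'email' => 'alice@example.com', 'access_token' => null],
    102 => ['first_name' => 'Bob',   'email' => 'bob@example.com',   'access_token' => null],
];

// Called when the registration is created: generate a 256-bit random token,
// store it, and return it for inclusion in the emailed deposit link.
function issueDepositToken(array &$registrations, int $registrantId): string
{
    $token = bin2hex(random_bytes(32)); // 64 hex chars, not derived from any id
    $registrations[$registrantId]['access_token'] = $token;
    return $token;
}

// Build the link the registrant receives. The base URL is a placeholder.
function depositLink(int $registrantId, string $token): string
{
    return 'https://example.invalid/index.php?option=com_eventbooking&view=payment'
        . '&registrant_id=' . $registrantId . '&token=' . $token;
}

// Called by the payment view before $form->bind(): return the row only if the
// supplied token matches, using a constant-time comparison. Unknown ids and
// wrong tokens both yield null so the caller can respond identically (e.g. 404).
function loadRegistrationForDeposit(array $registrations, int $registrantId, string $token): ?array
{
    $row = $registrations[$registrantId] ?? null;
    if ($row === null || $row['access_token'] === null || $token === '') {
        return null;
    }
    return hash_equals($row['access_token'], $token) ? $row : null;
}

// Usage: issue the token at registration time, then check incoming requests.
$aliceToken = issueDepositToken($registrations, 101);
echo depositLink(101, $aliceToken), PHP_EOL;

// Correct link: registration data may be bound into the form.
var_dump(loadRegistrationForDeposit($registrations, 101, $aliceToken) !== null);
// Another id requested without its token, or with a wrong one: nothing is revealed.
var_dump(loadRegistrationForDeposit($registrations, 102, '') === null);
var_dump(loadRegistrationForDeposit($registrations, 101, 'deadbeef') === null);
```

Only after loadRegistrationForDeposit() returns a row should the view call $form->bind() with that data; a null result should render the same empty response regardless of whether the id exists.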

7 years 2 weeks ago #114913 by Tuan Pham Ngoc
OK. Please use the above workaround for now and leave this to me. I will come up with a solution

Regards,

Tuan

7 years 2 weeks ago #114938 by Russell Noble
Hi Tuan,
The workaround isn't really going to work, because the form is now completely empty, so people will try and fill in details. The form can't be left empty as it fails validation.

cheers,
Russ

7 years 2 weeks ago #114980 by Tuan Pham Ngoc
Hi Russ

I sent an updated version of the extension to your email which should fix this issue.

Could you please update your site to that version, then check it again and let us know if it's working as expected?

Regards,

Tuan

7 years 2 weeks ago #114997 by Russell Noble
Hi Tuan,
I didn't receive the email; could you send it directly to russ.noble at gmail.com?

Do you happen to know which files changed? It's just that I've done our local customisations and don't want to have to do them again if I could just copy the changed files.

thanks

7 years 2 weeks ago #115005 by Tuan Pham Ngoc
Hi Russell

It would be better to submit a support ticket so that we can send you the version via support tickets.

And yes, I can send you a list of the modified files, too.

However, if you customize the code, you should implement the customization as an override so that you can still update to future releases of the extension.

Regards,

Tuan
