Archive: Need quick fix to a php secure portal

Budget 500$ per month
Posted: 5 years ago
Closed
Description
Many years ago, I had someone set up a secure file portal which has been working fine for years but today, I got the following shocking email from a user that it isn't secure!

******************
While uploading the documents for our 2018 taxes I found a severe vulnerability in the web portal that allows anyone signed in to access any other client's files. I'll explain how below. This is not an obscure issue and does not require great technical expertise to uncover, though I do work in tech for a living and have a lot of experience building and maintaining secure systems. I urge you to fix this as soon as possible to prevent your clients from being the victims of identity theft as a result of this vulnerability.

As to how I found the vulnerability, I noticed that the URL for the file browser contained an ID, which in our case is 3606. Whenever I see an ID with an integer value it's a pretty good bet that value is from an auto-incremented database column where the first entry gets ID 1, the second ID 2, etc. This means that every number lower than the one you see (and probably ones higher too) likely has a record associated with it. In insecure systems where user authorization is not handled properly, simply knowing or guessing one of these numbers is enough to view / modify / delete the data associated with that number. Unfortunately, your portal is one such insecure system.

I tried decrementing the ID a few times and once I got to 3600 I was presented with a list of files that didn't belong to me, specifically for xxxxxxxxx, which includes a document titled 2018-6-27_CHICAGO TITLE_xxxxxxxx.pdf. I confirmed that I was indeed able to view the document as well, though I didn't save it and will not attempt to modify or delete it as I've seen enough to believe I would be able to do so. What's worse, writing a script to enumerate all IDs up to a sufficiently high number, say 10,000, and download all the associated documents for each matching record would be trivial. In other words, your portal makes anyone who uses it vulnerable to identity theft.

***************************
Needless to say, we need this fixed ASAP!!! I'm hoping this is a quick fix. The php files are on a Linux server running cPanel. It is not a complicated portal and it was set up probably 10 to 12 years ago so I'm assuming the files should be pretty basic.

Let me know if you have any questions.

Jeff
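One shape the fix could take, as an added example and not the portal's own code: every file query is scoped to the client identity stored in the server-side session at login, so the integer in the URL can no longer select another client's records. The table and column names (`files`, `client_id`, `storage_path`), the `$_SESSION['client_id']` key and the PDO connection are assumptions.

```php
<?php
// Added example (not the portal's code). Assumes: PDO connection $db, a PHP
// session populated at login with the authenticated client's id, and a
// hypothetical table files(id, client_id, filename, storage_path).

// Vulnerable pattern, as described in the email: the list is selected purely
// by the ID taken from the URL, so any signed-in user who changes it sees
// another client's files.
function listFilesInsecure(PDO $db, int $clientIdFromUrl): array
{
    $stmt = $db->prepare('SELECT id, filename FROM files WHERE client_id = ?');
    $stmt->execute([$clientIdFromUrl]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Returns the client id established at login, or ends the request.
function requireClientId(): int
{
    if (empty($_SESSION['client_id'])) {
        http_response_code(401);
        exit('Not signed in');
    }
    return (int) $_SESSION['client_id'];
}

// Hardened listing: the URL parameter is not consulted at all.
function listFilesForSession(PDO $db): array
{
    $stmt = $db->prepare('SELECT id, filename FROM files WHERE client_id = ?');
    $stmt->execute([requireClientId()]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened download: a per-file id may still arrive in the URL, but ownership
// is part of the lookup, so a foreign id matches nothing. Misses are logged
// so repeated probing of neighbouring ids shows up in the server log.
function fetchOwnedFile(PDO $db, int $fileId): array
{
    $clientId = requireClientId();
    $stmt = $db->prepare(
        'SELECT id, filename, storage_path FROM files WHERE id = ? AND client_id = ?'
    );
    $stmt->execute([$fileId, $clientId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        error_log("file access denied: client={$clientId} requested file={$fileId}");
        http_response_code(404); // same answer as a nonexistent id: reveal nothing
        exit('Not found');
    }
    return $row;
}
```

The same ownership condition belongs in every query that touches a client's records (rename, delete, share), not only the two shown.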
Working conditions:
Fixed Price
$250-$500
Skills:
php,web development