AlexHt1

Security flaw? All attachments accessible to visitors

Do you use salesforce force.com site?

And do you have attachments on any of your objects?

If so, any visitor can access any of your attachments by typing this url in their browser.

http://{yoururl}.na14.force.com/servlet/servlet.FileDownload?file={attachment.Id}

All they have to do is guess the id. Which by the way is the easiest thing in the world to do since they are sequential numbers.

No authentication is required.

I just escalated a case to salesforce and they told me it's working as intended o_O. I was told that since you can mark the attachments as "Private", no fix is required. However, marking the attachment as private essentially kills the attachment functionality because no one except the owner or the admin can read them. Also, by default all attachments are public.

This does not seem right or secure at all to me. Is there a way to control the access to the attachments when you are using a force.com site?

If I give the read permission to the account object for the site user, I definitely do NOT want a random visitor to clean my salesforce organisation of all its attachments, zip them, then post them on some shady website. What if I attach a credit card PDF to an account?

AlexHt1
A secure system would not return the attachment based on the easily guessable Id, but would generate a unique random string of characters associated with the attachment in question to prevent a trivial brute force attack from returning a valid attachment.
Superfell

I've been unable to reproduce this. Do you have a case # I can look at?

AlexHt1
Certainly sir. This is the case number:
Case Number: 09031212
Forcepower
Alex, I presume that you have these attachments marked as available to Public. Is that correct?
AlexHt1

Ram, that is correct. They are marked public because I need to share them within my organisation. Marking them as private makes it so only the owner and system admins can read them. This does not work since the attachments are medical reports and any healthcare personnel need to access them. That is not the problem however. The problem is that anyone can guess the url by changing just 1 character. This is similar to the recent yahoo hacking where a malicious user simply changed one or two characters in the URL and could access other people's emails.

Forcepower
Got it. Thanks, Alex. I found that actually it does not matter whether you have the individual files as externally available or not. The security is actually controlled at the container folder level. While I agree that the download servlet can use some tweaking in terms of security, here is one thing I would try:

Edit the folder properties of the containing folder and set the access to all internal users - you have a bunch of choices here and will probably need to list all the roles within your Org that need access and restrict it to those roles. This works if all your users are "internal" to Salesforce i.e., not coming in through Force.com sites.
Ram
Forcepower
It should also work for portal roles. Putting this restriction on the container folder should limit it to the roles specified. Coming in from sites to access the document directly will then show a blank page.
AlexHt1

Ram, I will give it a try. Can you give me a little bit of guidance with folders and attachments? I was aware that documents have a containing folder. But the attachment object does not have a folderid field. Is there a default folder that every attachment gets put into? Or do I need to convert all my attachments to documents in order to use this solution?

Forcepower
Alex, I'm not aware of containing folders for attachments or a way to restrict an attachment that has been marked as public. You may need to look at changing them into documents and handle it that way. Hopefully there is a better solution than that.
Ram
AlexHt1

Thank you for offering this solution. However the nice thing with attachments is that they can be associated with an account, whereas documents are not. In the case of medical reports we of course want them to be associated with an account and not just floating in the system.

Forcepower

Alex, Sure - makes sense. Question - are accounts accessible from your Force.com Site? If they don't have to be, try making them No Read access on the site. That should prevent the attachments on accounts from showing up as well.

Ram

AlexHt1

Ram, the problem is that I am trying to make an access portal where physicians can download their patients' reports. If I set the object that is containing the attachment to unreadable, this will defeat the purpose. What I have done is that I have created a custom object called report whose sole purpose is to hold the attachment. This object is set to unreadable.

Then, I have created an Amazon instance and coded a Java remote access program to serve reports from the Salesforce platform in a secure manner.

Forcepower
Well - exactly what I arrived at yesterday when thinking through this. I created an attachment container custom object that can hang off of Account (or other objects). This object is not exposed through the portal thereby not allowing the attachment to be available in an unprotected fashion.

Best,
Ram
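
As an added example (not code from the thread, from Salesforce, or from either poster's Java program), here is a small Python model of the design the thread converges on: a mediating download service that authorizes the requesting user against the parent container record rather than the attachment id, and that hands the visitor a random, expiring, single-use token in place of the sequential record id that the opening post objects to. The record ids, user names, the `Report__c`-style container records and the `DownloadGateway` class are constructed stand-ins; `download_by_id_unchecked` is included only to show the contrast with the per-id servlet behaviour the thread describes.

```python
import hashlib
import secrets
import time

# Constructed sample data standing in for Salesforce records. The ids are
# made up but follow the 15-character key-prefix shape of real record ids.
ATTACHMENTS = {
    "00P00000000001A": {"parent": "a0X00000000001A", "name": "labs-jan.pdf",
                        "body": b"%PDF-1.4 constructed lab results"},
    "00P00000000001B": {"parent": "a0X00000000001B", "name": "mri-feb.pdf",
                        "body": b"%PDF-1.4 constructed mri report"},
}
# Hypothetical container records (the thread's "report" custom object).
# They are never exposed to the site; authorization is decided here.
CONTAINERS = {
    "a0X00000000001A": {"physician": "dr.lee"},
    "a0X00000000001B": {"physician": "dr.patel"},
}
TOKEN_TTL_SECONDS = 300


def download_by_id_unchecked(attachment_id):
    """The pattern the thread complains about: whoever supplies a valid record
    id gets the file. Nothing ties the request to a user or a parent record."""
    rec = ATTACHMENTS.get(attachment_id)
    return None if rec is None else (rec["name"], rec["body"])


def is_authorized(user, attachment_id):
    """Authorization lives on the parent container, not on the attachment id."""
    rec = ATTACHMENTS.get(attachment_id)
    if rec is None:
        return False
    container = CONTAINERS.get(rec["parent"])
    return container is not None and container["physician"] == user


class DownloadGateway:
    """Mediating service (the role of the thread's remote access program):
    issues random, expiring, single-use, user-bound download tokens. Only a
    hash of each token is stored, so a leaked store does not leak bearer secrets."""

    def __init__(self):
        self._tokens = {}  # sha256(token) -> {"attachment", "user", "expires"}

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_token(self, user, attachment_id, now=None):
        """Return a fresh token, or None if the user may not read the record."""
        if not is_authorized(user, attachment_id):
            return None
        now = time.time() if now is None else now
        # 256 random bits: unlike a sequential id, the next valid value
        # cannot be derived from the previous one.
        token = secrets.token_urlsafe(32)
        self._tokens[self._key(token)] = {
            "attachment": attachment_id,
            "user": user,
            "expires": now + TOKEN_TTL_SECONDS,
        }
        return token

    def download(self, user, token, now=None):
        """Redeem a token once. Unknown, reused, expired or wrong-user tokens
        all fail closed; a wrong-user presentation also burns the token,
        since it means the token has leaked."""
        now = time.time() if now is None else now
        entry = self._tokens.pop(self._key(token), None)
        if entry is None:
            return None
        if now > entry["expires"] or entry["user"] != user:
            return None
        rec = ATTACHMENTS[entry["attachment"]]
        return rec["name"], rec["body"]


if __name__ == "__main__":
    gw = DownloadGateway()
    tok = gw.issue_token("dr.lee", "00P00000000001A")
    print("issued:", tok is not None)
    print("first download:", gw.download("dr.lee", tok))
    print("replay:", gw.download("dr.lee", tok))
```

The server side keeps the attachment id entirely out of the visitor-facing URL; the visitor only ever sees a token that is bound to their session, expires within minutes and is accepted once, so there is no stable value to alter by one character.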