Preventing Unauthorized Access to BizForm Data and File Attachments in Kentico

Venkata Chakali asked on January 21, 2024 19:37

Hello Kentico community,

I've identified a potential security vulnerability in Kentico 13, where end users can access BizForm data and associated file attachments through direct URLs, compromising the confidentiality of the data.

Has anyone encountered a similar security concern regarding unrestricted access to BizForm data? What are the recommended measures or best practices to secure BizForm data and prevent unauthorized access to file attachments via URLs? To provide a clearer context, the vulnerability allows users to access data, including file attachments, through URLs like: mydomainUrl/BizForm/guid?filename.jpg/pdf/formdata

Any guidance or solutions on mitigating this security risk would be highly valuable.

Juraj Ondrus answered on January 22, 2024 06:00 (last edited on January 22, 2024 13:10)

What are the steps to reproduce this issue using an out-of-the-box installation? I tried it just now and I am getting a 403 error, as expected. The bizform files should be available to signed-in users only by default. Have you changed the module permissions or any other configuration? Not only in Kentico, but in IIS, the environment, etc.? Where is the "BizForm" part coming from? Is it a custom form files folder you have set?
Isn't it possible there is some custom code in place? That does not sound like a default system URL used for serving bizform files.
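One way to settle the disagreement between the two posts above (the question's claim that attachments are reachable by direct URL, the answer's report of a 403 on a default install) is to probe the same attachment URL once anonymously and once with a signed-in session, and treat the file as protected only if the anonymous request is denied while the authenticated one succeeds. The script below is an added example; it is not code from this thread, from Kentico, or from either poster. The `/BizForm/<guid>/<file>` path, the cookie name `CMSSessionStub` and the stub HTTP server are all assumptions constructed so the probe runs offline; against a real site you would point `fetch_status` at the actual attachment URL and paste in a session cookie captured from a browser that is signed in.

```python
"""
Added example (not from the forum thread or from Kentico): probe whether a form
attachment URL is guarded by authentication rather than by the unguessable GUID
in its path. The URL shape, cookie name and stub server are assumptions.
"""
import http.server
import threading
import urllib.error
import urllib.request
from http import HTTPStatus

# Hypothetical session cookie; Kentico's real cookie name is not known from the thread.
ASSUMED_AUTH_COOKIE = "CMSSessionStub=valid"


class StubFormFileHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the site. Serves /BizForm/<guid>/<file> and
    answers 403 unless the assumed auth cookie is present, which is the
    default behaviour the answer describes. Set require_auth = False to model
    a misconfigured instance that leaks the file to anyone holding the URL."""
    require_auth = True

    def do_GET(self):
        if not self.path.startswith("/BizForm/"):
            self.send_error(HTTPStatus.NOT_FOUND)
            return
        if self.require_auth and ASSUMED_AUTH_COOKIE not in self.headers.get("Cookie", ""):
            self.send_error(HTTPStatus.FORBIDDEN)
            return
        body = b"%PDF-1.4 constructed attachment body"
        self.send_response(HTTPStatus.OK)
        self.send_header("Content-Type", "application/pdf")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_stub(require_auth=True):
    """Start the constructed server on a free localhost port; return (server, base_url)."""
    handler = type("Handler", (StubFormFileHandler,), {"require_auth": require_auth})
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 302 to a login page must be reported as 302,
    not silently turned into the login page's 200."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_status(url, cookie=None):
    """GET url (optionally with a Cookie header) and return the HTTP status code."""
    req = urllib.request.Request(url, headers={"Cookie": cookie} if cookie else {})
    opener = urllib.request.build_opener(NoRedirect())
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def attachment_is_protected(url, auth_cookie):
    """True only if the anonymous request is denied (401/403 or a redirect to a
    login page) AND the authenticated request gets 200. Requiring both rules out
    mistaking a broken or mistyped URL for a working access control."""
    anon = fetch_status(url)
    authed = fetch_status(url, cookie=auth_cookie)
    denied = anon in (401, 403) or 300 <= anon < 400
    return denied and authed == 200


if __name__ == "__main__":
    # Constructed GUID and file name; on a real site use the URL you are worried about.
    path = "/BizForm/00000000-0000-0000-0000-000000000000/report.pdf"
    for require_auth in (True, False):
        server, base = start_stub(require_auth)
        url = base + path
        print("anon=%d authed=%d protected=%s" % (
            fetch_status(url), fetch_status(url, ASSUMED_AUTH_COOKIE),
            attachment_is_protected(url, ASSUMED_AUTH_COOKIE)))
        server.shutdown()
```

The point of checking both requests is that a GUID in the path is not an authorization control: if the anonymous probe returns 200, the file is public regardless of how unguessable the URL looks, which is exactly the condition the question reports and the answer could not reproduce on a stock install.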

