Incident Report

Severity: Serious
Reported By: Anthony Ford
Reported On: 10/30/2014
For: Version 1.04 Build 1
# 4140 BLOB Load URLs Can Be Manipulated to Load Column Values for Rows Outside of the Defined DataSet

I have created a very simple EWB project for tracking expenses and a dataset in the EWB IDE which has a query using CURRENT_USER to only show expenses for the currently logged in user. The log on credentials are input on the authentication form (which you fixed for me previously). All was working well until I started playing around with attachments, which are also working after a bit of additional learning.


This is what I discovered:


My dataset is defined as a query in the EWB IDE and uses CURRENT_USER in the WHERE clause to filter expenses for only the current user, which is also the case for the following URL in a web browser:

http://localhost/datasets?dataset=ExpenseTracker&method=rows

However, the URL below, to my surprise, shows the attached PDF for a user other than the current user in the web browser:

http://localhost/datasets?dataset=ExpenseTracker&method=load&column=attachmentBLOB&row=30
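The following Python model is an added illustration and is not Elevate Web Builder code: an in-memory SQLite table stands in for the ExpenseTracker dataset and a plain parameter stands in for CURRENT_USER. It contrasts a BLOB load that keys on the row id alone (the behaviour reported above) with a corrected load that re-applies the dataset's owner filter. Table, column and user names are assumptions.

```python
import sqlite3

# Constructed sample rows standing in for the report's expense dataset.
# Table, column and user names are assumptions for this example.
SAMPLE_ROWS = [
    (10, "alice", "Taxi", b"%PDF-1.4 alice receipt"),
    (30, "bob", "Hotel", b"%PDF-1.4 bob receipt"),
]

# The dataset's WHERE predicate; the parameter replaces the engine's CURRENT_USER.
OWNER_FILTER = "owner = ?"


def make_db():
    """Build the in-memory table used by the functions below."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE expenses (id INTEGER PRIMARY KEY, owner TEXT, "
        "description TEXT, attachmentBLOB BLOB)"
    )
    conn.executemany("INSERT INTO expenses VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def rows(conn, current_user):
    """method=rows: the filtered query only ever returns the user's own rows."""
    cur = conn.execute(
        f"SELECT id, description FROM expenses WHERE {OWNER_FILTER}", (current_user,)
    )
    return cur.fetchall()


def load_blob_unfiltered(conn, current_user, row_id):
    """Models the reported behaviour: method=load looks the row up by id alone,
    so the dataset's owner filter is never applied and any row id is served."""
    cur = conn.execute("SELECT attachmentBLOB FROM expenses WHERE id = ?", (row_id,))
    r = cur.fetchone()
    return r[0] if r else None


def load_blob(conn, current_user, row_id):
    """Corrected behaviour: the BLOB lookup carries the same owner predicate as
    the rows query, so a row outside the user's dataset yields nothing."""
    cur = conn.execute(
        f"SELECT attachmentBLOB FROM expenses WHERE id = ? AND {OWNER_FILTER}",
        (row_id, current_user),
    )
    r = cur.fetchone()
    return r[0] if r else None
```

Checking that every per-row endpoint (load, update, delete) shares the dataset's filter predicate, rather than only the rows listing, is the general check this example demonstrates.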


Resolution
Fixed Problem on 11/2/2014 in version 1.05 build 1


Products Affected
Elevate Web Builder
Elevate Web Builder Trial
