Security Issue

One of the main reasons for executing code in the backend is so that we keep our database IDs confidential when making queries to them or inserting data to them, etc.

WIX is console logging these database IDs on live sites even if we do not have them referenced on the front end page code. This makes the databases vulnerable to attackers.

For example, in the Google Chrome web browser, if we press CTRL+SHIFT+J and view the console log you will see your database IDs logged as you browse through your live site.

Why is WIX console logging sensitive information like this?

I just tried this and I don’t see any DB information being logged. Do you have console.log() statements in your code?

@yisrael-wix
No, I don’t have any console logs myself. If you go to my live website you will see the databases used in my backend code being logged in Google Chrome’s console.

@mikemoynihan99 I can’t debug the whole site, but from what I see of the postrant page, the components (e.g. filter dropdown) are being populated before the user has signed in. Since the access for the airport collection is defined as read for site member only, a console message is displayed stating that access to the collection is denied. If the user is signed in, this console message will not be displayed. In any case, the only thing that’s being revealed is the name of the collection. I’m not saying that’s OK, but it’s not the end of the world. The messages are only displayed as a result of an error condition.

You also have a number of fetch errors displayed in the console for a signed in user. If the fetch code is corrected these messages won’t be displayed.

@yisrael-wix
Yes, that is correct, I am populating dropdowns on the page from a database query in the backend. Only members have access to the databases, so when a non-member opens the webpage Wix exposes the collection IDs by posting a message in the front end stating to the user that they do not have permission to access the particular databases.

Again, to my original point, the backend collection ids should not be revealed in the console as this makes them vulnerable to attackers.

I also noticed that it is possible to expose the id for a collection connected to a dynamic page by navigating back and forth to the dynamic page. In this scenario there does not even have to be an error message being posted to gain access to the database id.

@mikemoynihan99 The collection names wouldn’t be exposed if the dropdown was only populated if and when the user was signed in. Attempting to populate the dropdown when the page is ready causes the error (which included the collection name) to be displayed.

As far as the dynamic page issue, I’ll pass that on to QA for evaluation.

@yisrael-wix
Just because someone is logged in does not mean they have the necessary permission to access a database.

Granted, in my particular case I could get around the vulnerability by executing the population code after running some front end code to check if the user is logged in, as all my members are granted access to that database.

However, security measures should be more robust than running a front end check if the user is logged in. I’m sure it would not be hard to bypass a front end check such as that and expose the database id once again.

I see no valid reason as to why WIX would post an error message containing info from the backend. Info from the backend should not be allowed to leak into the front end like this.

@mikemoynihan99 Wix displays this information since it’s an error and needs to be fixed. Without the proper information, the programmer would have no idea what to fix.

You are right, code would be needed to fix this. Security is not an easy subject, and unfortunately it’s a nasty world out there.

The best solution would be to use routers which are demonstrated in the Stripe Payment Processing example.
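
An added example, not part of the thread and not Wix's own code: a generic JavaScript sketch of the pattern the thread argues over, where the backend function makes the permission decision itself and hands the browser only a generic error with a reference id, while the message that names the collection stays in a server-side log. `queryCollection`, `exposeSafely`, `getAirports` and the sample `airport` data are hypothetical stand-ins constructed for illustration, not Velo APIs.

```javascript
// Constructed stand-in for a backend data layer (hypothetical, not a Wix API).
// As in the thread, its error text names the collection that was refused.
const COLLECTIONS = {
  airport: { readRole: "member", items: ["DUB", "ORK", "SNN"] },
};

async function queryCollection(name, user) {
  const col = COLLECTIONS[name];
  if (!col) throw new Error(`collection "${name}" does not exist`);
  if (!user || !user.roles.includes(col.readRole)) {
    throw new Error(`permission denied for collection "${name}"`);
  }
  return col.items;
}

// Server-side log sink: in a real backend this is the server log, never the browser.
const serverLog = [];
let seq = 0;

// Wrap a backend function so the caller only ever receives { ok, data } or a
// generic error plus a reference id. The detailed message stays in serverLog,
// where a developer can look it up by that id.
function exposeSafely(fn) {
  return async (...args) => {
    try {
      return { ok: true, data: await fn(...args) };
    } catch (err) {
      const ref = `ref-${++seq}`;
      serverLog.push({ ref, detail: err.message });
      return { ok: false, error: "Request could not be completed", ref };
    }
  };
}

// What a page would call to fill its dropdown. Authorization is decided here,
// on the server, not by a front-end "is the user logged in" check.
const getAirports = exposeSafely((user) => queryCollection("airport", user));

async function demo() {
  const anonymous = await getAirports(null);
  const member = await getAirports({ roles: ["member"] });
  return { anonymous, member, serverLog };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The reference id answers the debugging concern raised in the thread: the programmer still gets the full error, but from the server log rather than from the visitor's console.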