Submitted form data is visible publicly

When the URL of a submitted form is accessed, users are not prompted to log in. Once the URL has been obtained after logging in, it can be opened from other browsers and workstations by users who are not logged in.

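Each form has a random key associated with it. These keys are non-sequential and won't be something that people could logically guess. Using such a key is a web standard for security. Because the key in the URL is what grants access, anyone who has the full link can view the form without logging in.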

Steps to Duplicate

  1. Click on Site Explorer > Forms
  2. Select the Data tab
  3. Click the link for any student application
  4. Copy the URL, and paste into a browser where you are not logged in
  5. Note that the form is visible, and does not prompt for a login

Alternatively:

  1. After submitting the form, click the link to View/Download the form
  2. Copy the URL, and paste into a browser where you are not logged in
  3. Note that the form is visible, and does not prompt for a login

The Form URL looks similar to http://www.myurl.org/htmlpreview.aspx?key=10052fcc-5b7f-4ff593hgjf-6e4585b16310&title=formEntry or https://www.myurl.org/form?cid=214894yf&ftp=3e5f7954-70af-436e-b1a1-d359fh642639d0b&fetp=a2308716238a-7a39-4915-a9a2-043be5167e13
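
An added example, not part of the original article or the product's own code: a small audit of form links that checks the property the article relies on, namely that each key is a random (version 4) GUID, and also flags links whose key travels over plain HTTP. The sample links, the host name, and the choice of `key`, `ftp` and `fetp` as the key-carrying parameters are assumptions made for this example.

```python
import re
import uuid
from urllib.parse import urlsplit, parse_qsl

# Parameter names taken from the two URL shapes on this page; treating them
# as the key-carrying parameters is an assumption of this example.
KEY_PARAMS = {"key", "ftp", "fetp"}
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def audit_form_url(url):
    """Return findings for one form link; an empty list means nothing was flagged."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append("scheme: key travels without TLS")
    seen = 0
    for name, value in parse_qsl(parts.query):
        if name.lower() not in KEY_PARAMS:
            continue
        seen += 1
        if not GUID_RE.fullmatch(value):
            findings.append(f"{name}: not a well-formed GUID")
            continue
        guid = uuid.UUID(value)
        # Only RFC 4122 version 4 GUIDs are filled with random bits (122 of 128);
        # version 1 embeds a timestamp and node id, so it is predictable.
        if guid.variant != uuid.RFC_4122 or guid.version != 4:
            findings.append(f"{name}: GUID version {guid.version} is not random (v4)")
    if seen == 0:
        findings.append("no key parameter found")
    return findings


# Constructed sample links (not real form URLs).
SAMPLES = [
    "https://forms.example.org/form?cid=1&ftp=3f2b8c1e-9d4a-4e7b-a1c2-5d6e7f8091a2"
    "&fetp=c0ffee00-1234-4abc-8def-0123456789ab",
    "http://forms.example.org/htmlpreview.aspx"
    "?key=6ba7b810-9dad-11d1-80b4-00c04fd430c8&title=formEntry",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", audit_form_url(link) or "ok")
```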

Environment

 6.58.806 patch 3
