Security issue on self service portal

Wayne Richmond
Tera Guru

I have created a new application for our legal team that has its own CMS self service portal. During testing they identified a potential security issue whereby a customer is able to see other customers' requests. This only occurs when they Update their request having been sent there via a link/mail script in a notification or using a link in a List menu (called Recent Requests). If they navigate to their request via the navigation menu > My Requests > open a request > Update > they return to the list of their requests as normal. The pages have different URLs and I'm not too sure why...


This is the url the customer gets from the notification email: https://oxfamprod.service-now.com/legal/legal_detail.do?sysparm_document_key=u_legal,aa7989822c24e90...

This opens the record. Once they click Update they see all records, not just theirs.

Likewise, if they click a link to their call in the Recent Requests List they go to this url https://oxfamprod.service-now.com/legal/legal_detail.do?sysparm_document_key=u_legal,aa7989822c24e90...


This link from the navigation menu takes them to their list of records: https://oxfamprod.service-now.com/legal/requests.do

Below is the link to the same record as above, but the url looks significantly different to me:

https://oxfamprod.service-now.com/nav_to.do?uri=u_legal.do?sys_id=aa7989822c24e9043ed6e30fe47aec0f%2...

Once they Update the record as before, they return to the previous page and only see their records.


I'm struggling to see where the issue is. I know that's probably hard to follow without seeing it in action. I hope someone can help!


Thanks


Wayne

1 ACCEPTED SOLUTION

Hi Wayne, there should be a similar ACL rule for "read" access to your table, which is where you can add the javascript:gs.getUserID() condition. This way, the user will see a truncated list when they click Update, with a message underneath stating that a number of records have been hidden due to security restraints.



Alternatively, you could configure the notifications to point to a custom view for these records by adding the sysparm_view parameter to the hyperlink. You'd then need to create a custom UI Action for your table that would replace the global Update button. This action can be set to only appear on your custom view, so that when the user accesses a ticket from a hyperlink, clicking the Update button will take them to a place of your choosing, such as "home.do", etc. See the following article:



UI Actions - ServiceNow Wiki


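To make the accepted answer's mechanism concrete, here is an added stand-alone model (not code from the thread or from ServiceNow) of a "read" ACL whose condition compares the record's owner fields with gs.getUserID(), and of the truncated list the user then sees. The field names u_requested_by and opened_by, the record rows and the user ids are all assumed or constructed for the example.

```javascript
// Stand-in for the ServiceNow GlideSystem object (gs): only getUserID() is modelled.
function makeGs(userSysId) {
  return { getUserID: function () { return userSysId; } };
}

// The ACL script as it would read in a "read" rule's Script field on the u_legal table:
// "current" is the record being checked, "answer" must end up true for the user to see it.
// Field names are assumed; adapt them to the table's actual requester/opener columns.
function readAclScript(current, gs) {
  var answer = false;
  if (current.u_requested_by == gs.getUserID() || current.opened_by == gs.getUserID()) {
    answer = true;
  }
  return answer;
}

// Apply the read ACL to every row a list view would otherwise return.
// Returns the rows the user may read plus the count that the platform reports
// underneath the list as records removed by security constraints.
function applyReadAcl(records, userSysId) {
  var gs = makeGs(userSysId);
  var visible = records.filter(function (rec) { return readAclScript(rec, gs); });
  return { visible: visible, hiddenCount: records.length - visible.length };
}

// Constructed sample u_legal rows; sys_ids, numbers and user ids are made up.
var SAMPLE_LEGAL = [
  { sys_id: 'rec0001', number: 'LEG0001', u_requested_by: 'user_wayne', opened_by: 'user_wayne' },
  { sys_id: 'rec0002', number: 'LEG0002', u_requested_by: 'user_alice', opened_by: 'user_alice' },
  { sys_id: 'rec0003', number: 'LEG0003', u_requested_by: 'user_bob',   opened_by: 'user_wayne' },
  { sys_id: 'rec0004', number: 'LEG0004', u_requested_by: 'user_carol', opened_by: 'user_dave'  }
];

// What the legal requester 'user_wayne' sees after clicking Update with the read ACL in place.
var result = applyReadAcl(SAMPLE_LEGAL, 'user_wayne');
console.log('Visible: ' + result.visible.map(function (r) { return r.number; }).join(', '));
console.log(result.hiddenCount + ' records removed from this list by security constraints');
```

Without the read rule (or with a rule granting read to a role such as public), applyReadAcl would have no owner check and every row would be visible, which is the behaviour described in the question.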

10 REPLIES

conmic
Mega Guru

Hello Wayne,


This all depends on the ACL conditions that you have set on your table, so this behavior is normal. If users can see records that they should not, you need to adapt the ACLs accordingly. But be careful to test these changes properly in a Dev instance first, as it can be really messy.



On the other hand, what you experience with the link is probably the URL property 'sysparm_stack' within the 'legal_detail.do' content type.


Go to Content Management -> Content Type and open the corresponding content type that is assigned to the 'legal_detail.do' page. Then search in the Detail Template section for the mentioned sysparm_stack property. This property basically defines the redirection once a record is exited (iso updated).


You can find more details about it here: http://wiki.servicenow.com/index.php?title=Navigation_Stack


Hello Michael,



Thank you for the reply. I was able to amend the 'sysparm_stack' property as you described, which has offered a useful workaround; however, if a user was able to direct themselves to the other link they would still be able to see other records.



I have looked at the ACL for Incident to see how users' records are secured from one another; however, I cannot see anything specific in there. There is a record that states 'You can update an incident if you opened it, or if you are the caller of record'. It has the 'javascript:gs.getUserID()' script to set the user info; however, this has the Write property and, more importantly, is inactive!


In my experience of the ACLs I have only seen entries for roles (including public) but nothing user specific. Do you have an example in your instance?



Thank you again




Thanks Adam, I've applied that and it works a treat. Much appreciated!