MS SharePoint security through obscurity



  • I'm glad to report that Microsoft continues to boldly go, where only the stupid have gone before (namely, themselves):

    So I'm admin'ing this intranet SharePoint site at work in my spare time, and have been asked to create a new view for one of the teams using the site when I ran across this gem in the "Create New View" page:

      View Audience:<font size="3"> </font>
      <input id="PersonalView0" name="Personal" type="radio" value="TRUE" /> <label for="PersonalView0">Create a Personal View</label>  
      Personal Views are intended for your use only. However, if given the correct URL, others may use, modify or delete your personal view.

     
      <input checked="checked" id="PersonalView1" name="Personal" type="radio" value="FALSE" /> <label for="PersonalView1">Create a Public View</label>  
      Public views can be visited by anyone using the site.

     (Bolded section is my own doing)

    So... wtf?!  It's my personal view, but if anyone else finds out the URL to it they can do anything they want?!  That, is why I do not intend to upgrade to Microsoft Vista.  This is SharePoint, interoperating with my Microsoft Office 2003 products, and yet they still believe security through obscurity is a good thing? Granted, it's just an intranet site, but c'mon, how hard is it to restrict users from editing each other's personal views?
     

     



  • Quick and easy way to set your co-workers up with a trojan, especially if they are using IE as well.  Do it right, and they'll just go on their merry way, while you get a nice log of MSN chatting to blackmail them with.



  • [quote user="RevEng"]Quick and easy way to set your co-workers up with a trojan...[/quote]

    Wait.. what? What did that have to do with anything? And I'm glad I'm not your co-worker.



  • I'm not sure this qualifies as security through obscurity. 
    This is more like a complete lack of consideration for security. 
    Which is probably a more common trait of Microsoft products than
    security through obscurity.

    Security through obscurity would be
    something like, "Malicious individuals probably won't figure out that
    we're storing the password in every third byte of the file, since we
    haven't published the file format anywhere."



  • Hey, that reminds me of something:

    "You can automatically log in by clicking This Link and Bookmarking the resulting page. This is totally insecure, but very convenient." - Slashdot profile page settings

    I think Personal Views are sort of informal right now because nobody seems to know quite what to do with them. They're sort of a solution looking for a problem, so until we know the problem, it's a little early to install security on it.

     



  • At least in this case they openly admit it's not secure. But still, top marks to MS for yet another product that's incomplete and insecure, yet still manages to be "the way to do things".



  • @CDarklock said:

    Hey, that reminds me of something:

    "You can automatically log in by clicking This Link and Bookmarking the resulting page. This is totally insecure, but very convenient." - Slashdot profile page settings


     True, but as soon as the password is changed, the link is invalidated (I tried it).
     


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.