Skip to Content

Security alert

BMC has discovered a potential security risk in FootPrints that requires your attention and action that affects FootPrints version 12.1.02 and later. This issue is being addressed now and will be fixed tentatively in FootPrints version 12.1.07.

Risk

Under a specific set of circumstances, an unauthorized user can view and edit data for the record types for which they do not have explicit permission.

An unauthorized user can view or edit data for a record type for which they do not have permission, when all of the following conditions are true:

  • The user has a valid login ID and password for your FootPrints system.
  • The user has access to a workspace that contains multiple record types.
  • The workspace contains a record type for which the access has been neither explicitly granted nor explicitly denied to the group to which the user belongs.
  • The user has received an email message that contains a URL link of the record in the workspace or already has the URL.

If any one of the above conditions are not met, the user does not have access to unauthorized records.

Overview of solution

To eliminate the risk of users gaining access to unauthorized data, you must ensure that rights for each record type are explicitly granted or denied for each group in your FootPrints system.

Workaround

The issue causes the system to apply default item permissions for a case when the item is not enabled for a container role. This means that even though this item is not available for users owning this container role in the application, such users still have permissions to view and edit item records with help of external integration, such as an email message or a web service. This applies to every container type in the system.

For example, a customer has Service Request item disabled for the Customer container role. Even though the customer can not see Service Request in the FootPrints application, if they receive an email message that contains a link to a Service Request, they can click the link to access the Service Request and update it.

To protect the system from unexpected user actions, please perform the following actions:

  • Enable every container item for the role:
    image2017-5-12 16:34:7.png
  • Manually disable view, edit, and delete item permissions for items that you do not want the users with the assigned role to access:
    image2017-5-12 16:34:22.png

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*

FootPrints 20.23