- Why the iPad Mini 7 is the ultraportable tablet to beat this holiday travel season - and it's $50 off
- The best iPads for college: Expert tested and reviewed
- One of the best mid-range sports watches I've tested is on sale for Black Friday
- This monster 240W charger has features I've never seen on other accessories (and get $60 off this Black Friday)
- This laptop power bank has served me well for years, and this Black Friday deal slashes the price in half
Thousands of NetSuite stores leak sensitive data due to access control misconfiguration
How does this lead to misconfigurations?
Let’s assume an administrator creates a CRT with “No Permissions Required.” In adding custom fields, he wants some fields to be readable by unauthenticated users, so he sets their Default Access Level to View; other fields that should not be readable, he sets Default Access Level to None, assuming the job is done.
This would be incorrect because the “Default Level for Search / Reporting” (DLSR) setting is still Edit, even if Default Access Level is set to None. And this, Costello shows, can be abused through the NetSuite API to read the data in that field. The confusion here could be caused by the fact that fields with Default Access Level set to None cannot have their data read through the SuiteScript API loadRecord function, which is part of the N/record module and contains the most popular functions for performing CRUD (create, read, update, delete) operations on individual records.
But there is a different API function called nlapiSearchRecord, part of the N/search module, that can also be used to read data from record fields, and the permission for this API is defined by the DLSR setting. The difference is that reading field values with nlapiSearchRecord requires knowing the field name, while reading data via loadRecord requires knowing the field ID. Luckily, the data obtainable from the two APIs complete each other.