VirtueMart Forum

VirtueMart 2 + 3 + 4 => Administration & Configuration => Topic started by: acuabit on January 10, 2017, 13:39:47 PM

Title: Order details and invoice are public and searcheable in Google
Post by: acuabit on January 10, 2017, 13:39:47 PM
Hello.

We have the following problem. I block all permissions for Public and users must register to buy, but order details and invoices are public and searchable in Google. You can check by putting in the following URL, for example: http://www.parapandaecorock.com/index.php?option=com_virtuemart&view=invoice&layout=invoice&tmpl=component&virtuemart_order_id=92&order_number=LUBB076&order_pass=p_soNmwxeK

Can someone help me please?
Title: Re: Order details and invoice are public and searcheable in Google
Post by: K&K media production on January 10, 2017, 18:23:58 PM
There is nothing listed on Google.

https://www.google.de/search?num=50&q=www.parapandaecorock.com%2Findex.php%3Foption%3Dcom_virtuemart%26view%3Dinvoice&oq=www.parapandaecorock.com%2Findex.php%3Foption%3Dcom_virtuemart%26view%3Dinvoice
Title: Re: Order details and invoice are public and searcheable in Google
Post by: finngu on January 25, 2017, 15:58:20 PM
We have the same problem!
When searching on Google for "ftsu bestilling" you get this:

https://www.google.dk/search?q=ftsu%20bestilling&oq=ftsu%20bestilling&aqs=chrome..69i57.6984j0j8&sourceid=chrome&ie=UTF-8

The first 2-3 hits are actual live invoices from our webshop.........

I really need to find out how to solve this!?!

I hope someone can send us in the direction what to do?

Thanks
Finn

Title: Re: Order details and invoice are public and searcheable in Google
Post by: finngu on January 26, 2017, 02:13:11 AM
Quote from: acuabit on January 10, 2017, 13:39:47 PM
Hello.

We have the following problem. I block all permissions for Public and users must register to buy, but order details and invoices are public and searchable in Google. You can check by putting in the following URL, for example: http://www.parapandaecorock.com/index.php?option=com_virtuemart&view=invoice&layout=invoice&tmpl=component&virtuemart_order_id=92&order_number=LUBB076&order_pass=p_soNmwxeK

Can someone help me please?

Have you found a solution for this?
We have the same problem.....

Finn
Title: Re: Order details and invoice are public and searcheable in Google
Post by: Milbo on January 27, 2017, 23:44:34 PM
You provide the order password within the link, and so you can open the order. We hardened this part a bit; you may install http://dev.virtuemart.net/attachments/download/1029/com_virtuemart.3.0.18.6_extract_first.zip
Title: Re: Order details and invoice are public and searcheable in Google
Post by: WERK70 on March 03, 2017, 14:25:53 PM
Hi,

today we were asked to have a look at a VM shop with the same problem.

The shop was running on 3.16. We updated to 3.18. Is that issue solved or do we have to take further steps?

thanks
Frank
Title: Re: Order details and invoice are public and searcheable in Google
Post by: AH on March 03, 2017, 15:18:16 PM
WERK70

You need to test this all for yourself - maybe the Joomla site was hacked and the ACL is incorrect?

Title: Re: Order details and invoice are public and searcheable in Google
Post by: quintangai on March 03, 2017, 17:50:11 PM
We have the same issue in our shop, and googling any existing email of any customer and clicking on the Google search links that mention our shop gets you directly to the orders or printed PDF invoices without asking to log in... We find this to be a huge hole for confidentiality...

any fix for this ?

regards
Title: Re: Order details and invoice are public and searcheable in Google
Post by: quintangai on March 03, 2017, 17:54:24 PM
Sorry, I forgot to mention that we have the latest versions of Joomla 3.6.5 and VM 3.0.18 running on a shared server with PHP 5.6.
Any advice on how to force anyone entering VM to be logged in will be much appreciated....
Or is there a patch for only the ones who worry about this??

any comments will be much appreciated
Title: Re: Order details and invoice are public and searcheable in Google
Post by: jenkinhill on March 03, 2017, 23:43:43 PM
You must check your ACL settings.

Many websites that did not get updated to Joomla 3.6.4 and then to 3.6.5 within a suitably short time (even a few minutes) of the release of the official patches were at risk of being hacked, as the method of hacking was also released on the net at the same time as (or even slightly before) the official patch release time. I have had to repair some sites that had been hacked; in two cases they were updated supposedly within one hour of the patch release but still got hacked. One of the hacks we have seen was to alter Joomla ACL settings, so please check this, just in case.
Title: Re: Order details and invoice are public and searcheable in Google
Post by: AH on March 04, 2017, 10:13:39 AM
Quote from: quintangai on March 03, 2017, 17:50:11 PM
We have the same issue in our shop, and googling any existing email of any customer and clicking on the Google search links that mention our shop gets you directly to the orders or printed PDF invoices without asking to log in... We find this to be a huge hole for confidentiality...

any fix for this ?


NOTE

VirtueMart does NOT allow such a feature by default.  From a privacy perspective it would be ridiculous for it to do so!

Therefore there is something within your Access Control settings managed by Joomla that is allowing access to administrator/manager or registered-user functionality by non-registered users.

You can read more about it here

https://docs.joomla.org/J3.x:Access_Control_List_Tutorial (https://docs.joomla.org/J3.x:Access_Control_List_Tutorial)

If you do not know what I am talking about - or have never set any ACL settings in Joomla then it is very likely that you were subject to a security exploit.

https://www.joomla.org/announcements/release-news/5693-joomla-3-6-5-released.html (https://www.joomla.org/announcements/release-news/5693-joomla-3-6-5-released.html)

There is no VM patch for any of this - it was/is not a VM issue.

Please review your current installation, assuming that there is something wrong with this - because VM does not allow access to user data by any user, regardless of the version.
Title: Re: Order details and invoice are public and searcheable in Google
Post by: aftertaf on March 04, 2017, 13:32:17 PM
just out of curiosity and for clarifying...
If impacted by this, the problem would be that the different ACLs for items in the virtuemart entry on Global Configuration have incorrect settings (due to hack, exploit, etc...)?
@jenkinhill, you said "One of the hacks we have seen was to allter Joomla ACL settings, so please check this, just in case." - for virtuemart, or for each and every entry on the left panel of Global Configuration... ?
thanks
david
Title: Re: Order details and invoice are public and searcheable in Google
Post by: jenkinhill on March 04, 2017, 16:16:33 PM
Each and every ACL option was green on the website we saw, and there were 8 users listed with administrator access who had not been added by the site superuser. We have no idea exactly how this was done, but the database must effectively have been accessed/altered and the whole site compromised. The only option was to revert to an earlier backup, and update Joomla and extensions on localhost before publishing to the live server. This was not a VM site, so there was no possibility of orders being lost etc. It was only spotted by the owner because the edit symbol showed on FE articles and modules without being logged in.
Title: Re: Order details and invoice are public and searcheable in Google
Post by: Studio 42 on March 04, 2017, 22:13:31 PM
Stop
Quote from: K&K media production on January 10, 2017, 18:23:58 PM
There is nothing listed on google.

https://www.google.de/search?num=50&q=www.parapandaecorock.com%2Findex.php%3Foption%3Dcom_virtuemart%26view%3Dinvoice&oq=www.parapandaecorock.com%2Findex.php%3Foption%3Dcom_virtuemart%26view%3Dinvoice

Search result in cache:
http://webcache.googleusercontent.com/search?q=cache:4qoKqg1JsycJ:www.parapandaecorock.com/index.php%3Foption%3Dcom_virtuemart%26view%3Dinventory%26tmpl%3Dcomponent%26manage%3D1&num=1&hl=fr&gl=fr&strip=1&vwsrc=0

Each time someone reported such a problem to me, you could find some working links, and this means that someone hacked the site or you updated from an old VM release and the ACL was not set on update.

I think that orders that have a valid Joomla user should not be accessible from a direct link; this already prevents some hacks if you don't use anonymous orders.

All order page links should be set to rel="nofollow"
and the head meta
<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
so you don't have your orders displayed in Google or other search bots that respect such rules.
Title: Re: Order details and invoice are public and searcheable in Google
Post by: WERK70 on March 06, 2017, 09:02:04 AM
Good morning,

we checked the ACL and as predicted it was compromised. Lots of users that should not be there. Some of them and some customers were labelled as administrators and superusers. Even the password for the DB had been changed.

As we don't run this site on our own nor do we update this site and the site owner doesn't want to pay a cleaning, we'll pass the problem back to the site owner.

thank you for the information.

Frank
Title: Re: Order details and invoice are public and searcheable in Google
Post by: AH on March 06, 2017, 11:56:05 AM
Thank you for the update -

If that is their approach - IMHO The site owners should not be allowed to handle personal data
Title: Re: Order details and invoice are public and searcheable in Google
Post by: finngu on March 08, 2017, 20:09:11 PM
This is really weird!
I don't get it........ all my ACL settings "look red" -- that is, if I am looking at the right place

My problem - and I need it solved is, that on Google you can find this link. And it shows a complete list of all orders in Virtuemart - BACKEND!
No login needed - one just get the list of orders..... straight from the browser

[Mod edited:  Link deleted - no point in inviting hackers in!  Yes the site is wide open with a full front end view or orders, inventory, configuration as well as other areas. ]

How on earth do I fix this? This is wide open?!!?

VirtueMart IS updated to the latest version 3.0.18 and Joomla is the latest version 3.6.5

I need help

Thanks
Finn
Title: Re: Order details and invoice are public and searcheable in Google
Post by: finngu on March 08, 2017, 20:33:55 PM
Thanks for removing the link. Stupid me

But how do I fix it so that access to the orders backend is no longer wide open?
I have no idea how this was set, so the site is wide open

Do I need to reinstall Joomla and Virtuemart completely?
Could the cause of the problem also be in the database? If I need to reinstall, then we have a lot of data in Virtuemart that we would really not like to lose...

Title: Re: Order details and invoice are public and searcheable in Google
Post by: Studio 42 on March 08, 2017, 23:04:29 PM
Try to get files from http://dev.virtuemart.net/projects/virtuemart/files and get 3.0.18.6, 3.0.18.8 or the last beta.
Check your Joomla config permissions for Virtuemart, and check and remove any super user (and admin) that you don't know.
Title: Re: Order details and invoice are public and searcheable in Google
Post by: AH on March 09, 2017, 08:32:23 AM
If you have been compromised - it may be that there is more to it than just the ACL settings

So consider carefully how you recover from this state. Just changing ACL may not be enough.
Title: Re: Order details and invoice are public and searcheable in Google
Post by: finngu on March 09, 2017, 10:51:25 AM
So what else than ACL - and where?

Do I have to reinstall everything and start over?


Thanks
Title: Re: Order details and invoice are public and searcheable in Google
Post by: WERK70 on March 09, 2017, 11:07:06 AM
Quote from: AH on March 06, 2017, 11:56:05 AM
If that is their approach - IMHO The site owners should not be allowed to handle personal data

I agree but I can't force them.

We found an old Akeeba backup on their webspace which was not compromised and re-installed it. Then we told them that if they are not willing to back up and update their system (we offer this for a moderate fee) then they should never come back and ask for help.
Title: Re: Order details and invoice are public and searcheable in Google
Post by: AH on March 09, 2017, 12:02:05 PM
Quote from: finngu on March 09, 2017, 10:51:25 AM
So what else than ACL - and where?

Do I have to reinstall everything and start over?

Why not Clear out all the server directories and dbase tables and restore from a backup of files and database?
Title: Re: Order details and invoice are public and searcheable in Google
Post by: Thomas Kampp on April 06, 2017, 17:42:33 PM
THIS ISSUE IS NOT FIXED!

It is NOT a permission issue! It is a bug in Virtuemart  ;)

PHP: 7.1.3
Joomla: 3.6.5 (newest)
Virtuemart: 3.2.1 (newest)

I am still able to find customer invoice PDFs by searching their email in Google. I have a test example if needed.

Please view these two images as well.
Title: Re: Order details and invoice are public and searcheable in Google
Post by: aftertaf on April 06, 2017, 20:40:01 PM
Probably hacked before the update.
When does this date from?
Title: Re: Order details and invoice are public and searcheable in Google
Post by: aftertaf on April 06, 2017, 20:55:46 PM
Checked on mine (specs in sig) and no finding in Google -> not an 'always' bug, if bug it is...
Virtuemart ACL: add RED everywhere except for superusers.
Try to find out from when the hits in your Google search date...?
Title: Re: Order details and invoice are public and searcheable in Google
Post by: Thomas Kampp on April 06, 2017, 21:16:29 PM
I can confirm that the Virtuemart ACL is correct and that all are RED everywhere except for superusers.

The hacked part is very unlikely due to it having recently been reinstalled and set up. Also the site has a very high security level, extensions, regular checks/scans and such.

This leaves the part of your suggestions regarding dates, BUT in my mind this is not possible. There is NO SITUATION where public should be able to view PDF's without a login. This even goes for URL's with encrypted or hash values and such. So in my mind it is a bug that it is even possible regardless of this or ACL.
Title: Re: Order details and invoice are public and searcheable in Google
Post by: Jörgen on April 07, 2017, 07:45:31 AM
Hello

I have checked Your invoice and I can see that the order is created 2016-09-12 and that the invoice was created 2017-02-15. When did You update VM ?

Does this also happen when You google newly created orders and invoices ?

regards

Jörgen @ Kreativ Fotografi
Title: Re: Order details and invoice are public and searcheable in Google
Post by: Thomas Kampp on April 07, 2017, 10:04:07 AM
It is regularly updated. Just before Christmas, February and last time was yesterday.

It does not matter when it was updated in my mind. There is NO scenario where:
1. Invoices should be allowed to be indexed by Google. Ever.
2. These should not be allowed to be viewed by other than the owner (after login). Ever.

Both would be breaking the personal data law. Both would mean Virtuemart is not legal in the whole of Europe.

So clearly there is a bug with both problems...
Title: Re: Order details and invoice are public and searcheable in Google
Post by: Jörgen on April 07, 2017, 15:20:00 PM
Hello

I have not written the software, I am only trying to help. And yes, it does matter when it was updated. You are giving a 7-month-old order as an example. If it was indexed 7 months ago, a new version will not stop this, because it seems like the password for the invoice is included in the indexed URL.

I asked if You can Do the same with new orders ? If the problem has been rectified, then there is only an issue for old invoices, not new ones.

Maybe someone else can give You more help

Jörgen @ Kreativ Fotografi
Title: Re: Order details and invoice are public and searcheable in Google
Post by: Thomas Kampp on April 07, 2017, 15:28:23 PM
Thanks :-)

A quick test reveals that there are at least some up to 16 February 2017. I have not looked further than this.
The problem about newer examples is that it takes time for Google to show new pages. So we can perhaps never show a truly fresh example.

What I am looking for right now is simply a way not to be able to download the PDF unless logged in. But can't find the relevant code in order to do this.
Title: Re: Order details and invoice are public and searcheable in Google
Post by: Jörgen on April 07, 2017, 15:32:25 PM
Hello

Check the Url for Reading the PDF. The virtuemart View is shown there.

regards

Jörgen @ Kreativ Fotografi
Title: Re: Order details and invoice are public and searcheable in Google
Post by: Thomas Kampp on April 07, 2017, 17:09:40 PM
Sadly no....

?option=com_virtuemart&view=invoice&layout=invoice&format=pdf&tmpl=component&virtuemart_order_id=**********

The view is invoice. So far so good, but there is no specific area for format pdf, so the changes also break the normal invoice format.
Title: Re: Order details and invoice are public and searcheable in Google
Post by: Jörgen on April 07, 2017, 21:28:43 PM
Hello

You can check for pdf like this (the inner check assumes the Joomla 3 JFactory/JRoute API and VM 3's vRequest):
$invoiceformat = vRequest::getCmd('format', '');
if ($invoiceformat == 'pdf') {
    // Your code here, for example refuse guests and send them to the login form:
    if (JFactory::getUser()->guest) {
        JFactory::getApplication()->redirect(JRoute::_('index.php?option=com_users&view=login', false));
    }
}


If think You get what I mean :)

Jörgen @ Kreativ Fotografi
Title: Re: Order details and invoice are public and searcheable in Google
Post by: Studio 42 on April 07, 2017, 23:40:16 PM
You can check the referer using PHP $_SERVER['HTTP_REFERER'] to eliminate outside calls and redirect to your index if they come from Google search or another bot.

Title: Re: Order details and invoice are public and searcheable in Google
Post by: Jörgen on April 08, 2017, 10:36:05 AM
Hello Patrick

But as I understand this is a legitimate call, then the customer would not see the invoice either. How can we stop making this call get public? Only the customer should get this right. I thought this was fixed, right ? So we only have to take care of old invoice download requests, or am I wrong ?

regards

Jörgen @ Kreativ Fotografi
Title: Re: Order details and invoice are public and searcheable in Google
Post by: Studio 42 on April 11, 2017, 02:46:00 AM
Jörgen, I think it's possible to filter visits coming from Google using HTTP_REFERER, since a user coming from the email does not have the same HTTP_REFERER.
I only gave this suggestion; of course, if you don't filter correctly you stop user access.
Another possible filter is to check if the order has a Joomla user account associated and force user login.
I think using the 2 systems should stop most possible access and Google.
You can use another system using an existing value such as the customer name, for example, so an external party cannot access the order if they don't know the customer name.
This can be done using a system plugin, for example.
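The two checks proposed in this thread (the March 04 post: orders with a Joomla user should not open from a bare link, plus rel="nofollow" and the ROBOTS meta; this post: force login when the order has an account, and Jörgen's question of how the legitimate customer still gets through) written out as one access decision. This is an added example in Python, not VirtueMart code: the Order fields, the sample orders, the 90-day guest-link policy and all function names are constructed for illustration. A guest order keeps working from its mailed link (the password is compared in constant time and the link is allowed to age out, which is what makes an old indexed URL stop working), while an order bound to an account requires that account's session. The Referer is deliberately not used as a credential: it is client-controlled and frequently absent. The headers function adds what a <meta> tag cannot give a PDF (X-Robots-Tag) and what a CDN or proxy needs to never serve one customer's invoice to another (Cache-Control).

```python
"""Access decision for a VirtueMart-style invoice / invoice-PDF request.

Added example, not VirtueMart code. Orders, user ids and passwords below are
constructed; the function names and the guest-link policy are hypothetical.
"""
import hmac
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Order:
    order_id: int
    order_number: str
    order_pass: str    # per-order secret carried by the e-mailed link (VM's order_pass parameter)
    user_id: int       # 0 = guest checkout, no Joomla account
    age_days: int      # days since the order was placed


# Constructed sample orders (not from any real shop).
ORDERS: Dict[int, Order] = {
    101: Order(101, "ORD-0101", "p_guest1234", user_id=0, age_days=3),
    102: Order(102, "ORD-0102", "p_regis5678", user_id=42, age_days=3),
    103: Order(103, "ORD-0103", "p_guest9999", user_id=0, age_days=400),
}

ALLOW, LOGIN_REQUIRED, FORBIDDEN, EXPIRED = "allow", "login_required", "forbidden", "expired"
GUEST_LINK_MAX_AGE_DAYS = 90   # assumed policy: a mailed guest link is a bearer token, so let it die


def authorize_invoice(order_id: int, order_pass_param: str, session_user_id: int = 0,
                      is_shop_admin: bool = False, orders: Dict[int, Order] = ORDERS) -> str:
    """Decide whether this request may see the invoice of order_id.

    * Order bound to a Joomla account: the link is never enough; the owner
      must be logged in (shop admins may see any existing order).
    * Guest order: only the per-order password opens it, compared in constant
      time, and only while the link is young enough.
    * Unknown id answers like a wrong password, so ids cannot be enumerated.
    """
    order = orders.get(order_id)
    if order is None:
        return FORBIDDEN
    if is_shop_admin:
        return ALLOW
    if order.user_id != 0:
        if session_user_id == 0:
            return LOGIN_REQUIRED
        return ALLOW if session_user_id == order.user_id else FORBIDDEN
    supplied = (order_pass_param or "").encode()
    if not supplied or not hmac.compare_digest(supplied, order.order_pass.encode()):
        return FORBIDDEN
    return EXPIRED if order.age_days > GUEST_LINK_MAX_AGE_DAYS else ALLOW


def invoice_response_headers() -> Dict[str, str]:
    """Headers for every invoice response, HTML or PDF, whatever the decision.

    X-Robots-Tag works for PDFs, where a <meta> tag is impossible; Cache-Control
    keeps a CDN or proxy from handing one customer's invoice to the next
    visitor; Referrer-Policy keeps the order_pass-bearing URL out of the Referer
    sent to anything the invoice page links to.
    """
    return {
        "X-Robots-Tag": "noindex, nofollow, noarchive",
        "Cache-Control": "private, no-store",
        "Referrer-Policy": "no-referrer",
    }


ROBOTS_META = '<meta name="robots" content="noindex, nofollow">'


def order_link(url: str, text: str) -> str:
    """Anchor for order/invoice links on account pages and in mails: nofollow so a
    crawler that reaches the listing does not follow into the invoice, noreferrer
    so the target never learns the listing URL."""
    return f'<a href="{url}" rel="nofollow noreferrer">{text}</a>'
```

The decision is returned as a string so the caller (the view, a system plugin, or a test) chooses the response: a redirect to the login form for login_required, a 403 for forbidden, and a "please request a fresh link" page for expired. Whatever the branch, the headers from invoice_response_headers() go on the response, including the error responses, because a crawler indexes whatever it gets.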
Title: Re: Order details and invoice are public and searcheable in Google
Post by: Jörgen on April 11, 2017, 07:01:15 AM
Thank You Patrick

But right now it would be interesting to know why this is indexed by Google. I got the impression that Max had blocked that possibility. Is this something that only happens when You have Google analytics installed ?

best regards

Jörgen @ Kreativ Fotografi
Title: Re: Order details and invoice are public and searcheable in Google
Post by: javerleo on July 23, 2017, 17:52:32 PM
Hello.

I have complains from a customer related to this issue. Privacy is compromised because PDF orders and delivery notes can be downloaded by anyone who finds the link on a Google search.

Please give us some guide to modify the code in order to force login when attempting to open the download link.

Thanks in advance for your help.

Regards.
Title: Re: Order details and invoice are public and searcheable in Google
Post by: jenkinhill on July 23, 2017, 23:03:58 PM
If you have site security set up properly they cannot be indexed and certainly cannot be downloaded without first logging in as the shopper.
Title: Re: Order details and invoice are public and searcheable in Google
Post by: AH on July 24, 2017, 10:32:07 AM
Quote from: jenkinhill on July 23, 2017, 23:03:58 PM
If you have site security set up properly they cannot be indexed

It might be useful for others for you to expand on this comment.

With the advent of GDPR in May 2018  - this may be considered a notifiable breach of data
Title: Re: Order details and invoice are public and searcheable in Google
Post by: javerleo on July 24, 2017, 15:41:57 PM
Thanks for your answers.

Can you clarify how that security level could be achieved to avoid direct download and Google indexing. At least general guidance would be useful.

Regards.
Title: Re: Order details and invoice are public and searcheable in Google
Post by: jenkinhill on July 24, 2017, 18:28:49 PM
Quote from: javerleo on July 23, 2017, 17:52:32 PM
I have complains from a customer related to this issue. Privacy is compromised because PDF orders and delivery notes can be downloaded by anyone who finds the link on a Google search.

This is not possible with current VirtueMart versions unless the site ACL is incorrectly configured, or the site has been hacked and ACL compromised. There may be some historic links like that on Google - but I have yet to find any.

My security rules:
1. The use of a dedicated server or cloud VPS is very important. This gives you control which you cannot have with a shared server, so you never have to make do with old possibly insecure PHP versions etc..

2. Always keep software updated, and act instantly if there is a report of potential security issues with any element of a site. For security-critical updates Joomla now issues a warning with the exact time and date when a patch will be released. At the same time as the patch is released, the security body who found the potential issue is permitted to release that potential hack information into the wild. To me this is stupid, but much better than the security hole being published before Joomla can start work on a fix. The security people get online kudos so may try harder to identify possible security issues in the future. I start updating my Joomla sites as soon as I can after a new version/patch is released, usually within a couple of minutes. "I'll do it tomorrow" is often no good - and too late.

3. For VirtueMart make sure to create the vmfiles/safe path directory below normal server root. With dedicated/vps you can do that, but most shared hosts do not permit this.

4. Make use of .htaccess as additional control of access to directories.

5. Use robots.txt to limit googlebot to indexing only those areas you want it to. Use URL blocking as well. Good tips on https://support.google.com/webmasters/answer/6062608?hl=en

6. If possible always run VM websites under SSL - good for SEO as well as customer security.

There are various firewall protocols that may be used in addition, listed on the JED, but I have never felt the need for these. I do make use of plugins to attempt to prevent SQL injections or brute-force admin password attacks - never using the default "admin" user as the site superadmin is so simple to do. I use these extensions; others will have their own preferences:
https://github.com/codeling/bfstop
http://www.mmleoni.net/sql-iniection-lfi-protection-plugin-for-joomla
Title: Re: Order details and invoice are public and searcheable in Google
Post by: javerleo on July 25, 2017, 16:07:04 PM
Thanks jenkinhill for your comprehensive answer.

Generally speaking, I'm aware of these general security measures. However, what I need to know is how to solve the ACL issues, since I'm still facing the problem of public direct PDF order download.

Regards.
Title: Re: Order details and invoice are public and searcheable in Google
Post by: javerleo on July 26, 2017, 02:38:17 AM
Hello.

Let me explain my issue with more detail:

Joomla 3.7.4
Virtuemart 3.2.1

There are a lot of Google results that allow ANY internet user to download Virtuemart orders in PDF format. The links look like this:

mystore.com/index.php?option=com_virtuemart&view=invoice&layout=deliverynote&format=pdf&tmpl=component&virtuemart_order_id=715&order_number=XYZ34343&order_pass=p_3r534&d=2

WHAT I HAVE DONE:

Created a redirect rule via PHP code at the beginning of the main index.php (bad idea since it will be removed with updates. Where should I put the code?). Now all the Google links redirect to the site homepage (checking the HTTP referer).

Now the big question:

How did Google index those orders in the first place?

I checked Virtuemart ACL permissions: Everything is red, except for superadmins

Virtuemart safe path is a folder outside public_html (this is a Cpanel account)

No signs of hacking

I don't know what else to check.

So the question is :

How to avoid Google to index future PDF orders ?????

Thanks in advance for your suggestions.
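The question of how the orders got indexed, and which ones are exposed, is answered by the web server access log rather than by the ACL screen: every invoice URL a crawler fetched, and every one opened from a search result page, is in there. The script below is an added example, not something from this thread or from VirtueMart. Its combined-format log lines are constructed (documentation IP ranges, invented order numbers and passwords), and it reports each view=invoice request that was actually served (2xx) to a search-engine user agent or to a visitor arriving from a search engine, together with whether the order_pass was in the URL. That is the list you would need for a breach notification under the data protection rules mentioned earlier and for a URL removal request in Search Console; requests refused with 403 (for example by a rewrite rule) are left out because they were not served.

```python
"""Find VirtueMart invoice URLs that a crawler fetched or that were opened from
a search result page, from an Apache/nginx "combined" access log.

Added example, not part of the thread. The log lines are constructed
(documentation IP ranges, invented order numbers and passwords).
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional
from urllib.parse import parse_qs, urlsplit

# combined format: ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
BOT_UA = re.compile(r"googlebot|bingbot|slurp|duckduckbot|yandexbot|baiduspider", re.I)
SEARCH_REFERER = re.compile(r"^https?://([^/]+\.)?(google|bing|yahoo|duckduckgo|yandex)\.", re.I)

SAMPLE_LOG = [  # constructed sample lines
    '203.0.113.7 - - [05/Mar/2017:10:12:01 +0100] "GET /index.php?option=com_virtuemart&view=invoice&layout=invoice&format=pdf&tmpl=component&virtuemart_order_id=715&order_number=ORD-0715&order_pass=p_abc123 HTTP/1.1" 200 48213 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.23 - - [05/Mar/2017:11:40:17 +0100] "GET /index.php?option=com_virtuemart&view=invoice&layout=invoice&tmpl=component&virtuemart_order_id=715&order_number=ORD-0715&order_pass=p_abc123 HTTP/1.1" 200 9120 "https://www.google.dk/" "Mozilla/5.0 (Windows NT 10.0) Firefox/52.0"',
    '198.51.100.23 - - [05/Mar/2017:11:41:02 +0100] "GET /index.php?option=com_virtuemart&view=invoice&layout=deliverynote&format=pdf&tmpl=component&virtuemart_order_id=716&order_number=ORD-0716&order_pass=p_def456 HTTP/1.1" 200 7710 "https://www.google.dk/" "Mozilla/5.0 (Windows NT 10.0) Firefox/52.0"',
    '192.0.2.44 - - [05/Mar/2017:12:03:55 +0100] "GET /index.php?option=com_virtuemart&view=invoice&layout=invoice&tmpl=component&virtuemart_order_id=717&order_number=ORD-0717&order_pass=p_ghi789 HTTP/1.1" 200 9001 "https://shop.example/index.php?option=com_virtuemart&view=orders&layout=details" "Mozilla/5.0 (X11; Linux x86_64) Chrome/56.0"',
    '192.0.2.44 - - [05/Mar/2017:12:04:10 +0100] "GET /index.php?option=com_virtuemart&view=category&virtuemart_category_id=3 HTTP/1.1" 200 15330 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.9 - - [06/Mar/2017:02:15:33 +0100] "GET /index.php?option=com_virtuemart&view=invoice&layout=invoice&tmpl=component&virtuemart_order_id=718&order_number=ORD-0718&order_pass=p_jkl012 HTTP/1.1" 403 199 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def invoice_params(path: str) -> Optional[Dict[str, str]]:
    """Query parameters of a VirtueMart invoice/PDF request, or None for any other URL."""
    qs = {k: v[0] for k, v in parse_qs(urlsplit(path).query).items()}
    if qs.get("option") == "com_virtuemart" and qs.get("view") == "invoice":
        return qs
    return None


def exposed_invoices(lines: Iterable[str]) -> Dict[str, Dict[str, object]]:
    """Orders whose invoice was served (2xx) to a crawler or to a visitor coming
    from a search engine, keyed by order_number."""
    seen: Dict[str, Dict[str, object]] = defaultdict(
        lambda: {"bot_hits": 0, "search_referer_hits": 0, "pass_in_url": False, "ips": set()}
    )
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["status"].startswith("2"):
            continue  # unparsable, or refused (e.g. a 403 from a rewrite rule): nothing was served
        qs = invoice_params(rec["path"])
        if qs is None:
            continue
        key = qs.get("order_number") or f"id:{qs.get('virtuemart_order_id', '?')}"
        entry = seen[key]
        if BOT_UA.search(rec["ua"]):
            entry["bot_hits"] += 1
        if SEARCH_REFERER.match(rec["referer"]):
            entry["search_referer_hits"] += 1
        if "order_pass" in qs:
            entry["pass_in_url"] = True  # the link alone is a credential: treat the order as exposed
        entry["ips"].add(rec["ip"])
    return {k: v for k, v in seen.items() if v["bot_hits"] or v["search_referer_hits"]}


if __name__ == "__main__":
    for order, info in sorted(exposed_invoices(SAMPLE_LOG).items()):
        print(order, info)
```

Run it against the real log with `exposed_invoices(open("/var/log/apache2/access.log"))`. ORD-0717 in the sample is not reported even though its password is in the URL, because it was opened from the shop's own order list by what looks like the customer; ORD-0718 is not reported because the 403 shows the crawler got nothing. Logs rotate, so a crawl that happened months ago (the case described earlier in this thread, where the indexed order was much older than the first report) may only be visible in the search engine's own index, not in the log you still have.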



Title: Re: Order details and invoice are public and searcheable in Google
Post by: Studio 42 on July 26, 2017, 13:53:44 PM
Try in .htaccess
#Activate rewriting
RewriteEngine On
#disable access from Google search result pages (any google.* domain)
RewriteCond %{HTTP_REFERER} google\. [NC]
#the query string begins with option=com_virtuemart, so ^view=invoice would never match; anchor on the parameter
RewriteCond %{QUERY_STRING} (^|&)view=invoice [NC]
RewriteRule .* - [F]

You can use similar using the user agent
RewriteCond %{HTTP_USER_AGENT} AltaVista [OR]
RewriteCond %{HTTP_USER_AGENT} Googlebot [OR]
RewriteCond %{HTTP_USER_AGENT} msnbot [OR]
RewriteCond %{HTTP_USER_AGENT} Slurp
RewriteCond %{QUERY_STRING} (^|&)view=invoice [NC]
RewriteRule .* - [F]
See for example https://www.htmlremix.com/seo/block-google-and-bots-using-htaccess-and-robots-txt
Some more info: http://www.inmotionhosting.com/support/website/restricting-bots/how-to-stop-search-engines-from-crawling-your-website
Note: I have not tested the rules
Title: Re: Order details and invoice are public and searcheable in Google
Post by: javerleo on July 26, 2017, 22:15:21 PM
Thanks Studio 42.

I will try to use .htaccess directives instead of PHP custom code to redirect the unwanted Google links. On the other hand, I still can't find a way to stop Google indexing the PDF orders. This store uses Cloudflare CDN for caching. Could it be the origin of the problem?

Best regards. 
Title: Re: Order details and invoice are public and searcheable in Google
Post by: jenkinhill on July 26, 2017, 23:06:08 PM
Quote from: javerleo on July 26, 2017, 22:15:21 PM
This store uses Cloudflare CDN for caching. Could it be the origin of the problem?

Very much so. A lot of people have had cart problems using Cloudflare which presents url caching issues. There is no reason to use a CDN for a store site. If site speed is the issue then use a faster, more resourced host.
Title: Re: Order details and invoice are public and searcheable in Google
Post by: javerleo on July 26, 2017, 23:21:27 PM
Thank you jenkinhill.

I will take your advice.


Regards.
Title: Re: Order details and invoice are public and searcheable in Google
Post by: AH on July 27, 2017, 10:33:19 AM
Quote from: javerleo on July 26, 2017, 02:38:17 AM
Created a redirect rule via PHP code at the beginning of the main index.php (bad idea since it will be removed with updates. Where should I put the code?). Now all the Google links redirect to the site homepage (checking the HTTP referer).

Adding an .htaccess rule to redirect links is fine

But your registered customers will no longer be able to view their invoices when they sign in to their account
Title: Re: Order details and invoice are public and searcheable in Google
Post by: tomphillipspcs on July 27, 2017, 13:13:34 PM
Actually seems to have been fixed now - so it does look like this was a bug in virtuemart/joomla

Tom