Author Topic: [false alert; disable Cache]Security Bug - Other user details exposed.  (Read 2442 times)

WebStuff

  • Jr. Member
  • **
  • Posts: 174
  • Time Is Precious, Waste It Wisely
PHP 5.4.6
Joomla! 2.5.11 Stable
Joomla Platform 11.4.0 Stable
VM 2.0.20b
No caching at all.
VM SEO on
JoomSEF

I was running a quick test on my live server today and added a product to the cart and went to cart page. Clicked the "Check Out Now" button which took me to the "add address, register or guest checkout form". At this point I pressed Cancel and was returned to a cart however it was not my cart it was in fact a customers who had just placed an order. All their address, email and phone details plus their cart contents were shown to me. I pressed refresh and was returned to my cart.
It was almost like it picked the wrong session to return me to.

I have not been able to recreate this but it is extremely concerning.

Thought I'd better let someone know.  :)

Milbo

  • Virtuemart Projectleader
  • Administrator
  • Super Hero
  • *
  • Posts: 10283
  • VM3.9 Eagle Owl
    • VM3 Extensions
  • VirtueMart Version: VirtueMart 3 on joomla 3
Re: Security Bug - Other user details exposed.
« Reply #1 on: June 12, 2013, 20:04:48 pm »
This is really strange.

You are sure that there is no cache? Usually that happens only, when you cachen the cart. Yes, I see that you know that.
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

jjk

  • Global Moderator
  • Sr. Member
  • *
  • Posts: 3746
  • using Matomo instead of Google Analytics
Re: Security Bug - Other user details exposed.
« Reply #2 on: June 12, 2013, 20:19:54 pm »
Did you check JoomSEF cache, too? Default is enabled. (Personally I think with Joomla 2.5.x and VM2.x there is no need for another SEF extension)
BTW - Here is a nice article about Joomla's cache features: http://www.theartofjoomla.com/joomla-caching-explained.html
Non-English Shops: Are your language files up to date?
http://virtuemart.net/community/translations

luizwbr

  • 3rd party VirtueMart Developer
  • Beginner
  • *
  • Posts: 28
  • Brazilian Programmer
    • Loja Weber Ti
  • Skype Name: luizwbr
  • VirtueMart Version: 2.6.10 - 2.9.9
Re: Security Bug - Other user details exposed.
« Reply #3 on: June 13, 2013, 14:30:47 pm »
Hi.

I went through the same problem when the cache the active site. In my case it was set to "file".

eg:
"website.com/cart.html"

I tested with 2 browsers on the same ip on different computers. I added a product to the cart in my browser and the other browser the same product appeared.

To fix this, I modified the plugin CacheControl to clear the cache when in view of the cart.

option=com_virtuemart&view=cart
I went through the same problem when the cache the active site. In my case it was enabled to "file".

eg:
"website.com / cart.html"

I tested with 2 browsers on the same ip on different computers. I added a product to the cart in my browser and the other browser the same product appeared.

I modified the plugin CacheControl to clear the cache when in view of the cart ( clean the cache using cacheCleaner plugin ):

Code: [Select]
function onAfterRoute(){
           
            if( $this->checkRules() && JFactory::getApplication()->isSite() ){
                $this->caching = JFactory::getConfig()->getValue('config.caching');
                JFactory::getConfig()->setValue('config.caching', 0);
               
                include_once JPATH_ROOT.DS.'plugins'.DS.'system'.DS.'cachecleaner'.DS.'helper.php';
                // carregar parĂ¢metros plugin
                $plugin_cc = JPluginHelper::getPlugin('system', 'cachecleaner');
                jimport( 'joomla.html.parameter' );
                $params = new JParameter($plugin_cc->params);

                $cch = new plgSystemCacheCleanerHelper($params,'clean',0,0);
                $cch->cleanCache($params,'clean',0);
               
            }
        }

Maybe if had a way to disable the cache only in view=cart or if we could pass a param like ?time=123456789 by VM default it could fix this problem.
http://virtuemartbrasil.com.br - Brazillian VirtueMart official Support Group
http://loja.weber.eti.br - Paid Plugins for Virtuemart Brasil
https://www.facebook.com/groups/virtuemartpro/ - Brazillian VirtueMart group on Facebook

WebStuff

  • Jr. Member
  • **
  • Posts: 174
  • Time Is Precious, Waste It Wisely
[SOLVED]Re: Security Bug - Other user details exposed.
« Reply #4 on: June 14, 2013, 10:11:36 am »
Okay think I've solved this. I'm using JTouch template for Mobile which doesn't honour the Joomla Cache Settings and uses it's own settings but uses the Joomla cache folder and files.
So even though I was looking at the page on a Normal Desktop it was showing me info from a cached mobile phone session from the, now in use, Joomla cache.
I have disabled the cache in JTouch and all is well again.

Sorry for the false alarm.

Milbo

  • Virtuemart Projectleader
  • Administrator
  • Super Hero
  • *
  • Posts: 10283
  • VM3.9 Eagle Owl
    • VM3 Extensions
  • VirtueMart Version: VirtueMart 3 on joomla 3
Seems jtouch and vm does not work well together, look here http://forum.virtuemart.net/index.php?topic=116345.msg392562#msg392562
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/