Author Topic: Order details and invoice are public and searchable in Google  (Read 4335 times)

acuabit

  • Beginner
  • *
  • Posts: 1
  • A beginner
Order details and invoice are public and searchable in Google
« on: January 10, 2017, 13:39:47 pm »
Hello.

We have the following problem. I block all permissions for Public and users must register to buy, but order details and invoices are public and searchable in Google. You can check this by opening the following URL, for example: http://www.parapandaecorock.com/index.php?option=com_virtuemart&view=invoice&layout=invoice&tmpl=component&virtuemart_order_id=92&order_number=LUBB076&order_pass=p_soNmwxeK

Can someone help me please?


finngu

  • Beginner
  • *
  • Posts: 17
Re: Order details and invoice are public and searchable in Google
« Reply #2 on: January 25, 2017, 15:58:20 pm »
We have the same problem!
When searching on Google for "ftsu bestilling" you get this:

https://www.google.dk/search?q=ftsu%20bestilling&oq=ftsu%20bestilling&aqs=chrome..69i57.6984j0j8&sourceid=chrome&ie=UTF-8

The first 2-3 hits are actual live invoices from our webshop.........

I really need to find out how to solve this!?!

I hope someone can send us in the direction what to do?

Thanks
Finn


finngu

  • Beginner
  • *
  • Posts: 17
Re: Order details and invoice are public and searchable in Google
« Reply #3 on: January 26, 2017, 02:13:11 am »
Quote from: acuabit on January 10, 2017, 13:39:47 pm
Hello.

We have the following problem. I block all permissions for Public and users must register to buy, but order details and invoices are public and searchable in Google. You can check this by opening the following URL, for example: http://www.parapandaecorock.com/index.php?option=com_virtuemart&view=invoice&layout=invoice&tmpl=component&virtuemart_order_id=92&order_number=LUBB076&order_pass=p_soNmwxeK

Can someone help me please?

Have you found a solution for this?
We have the same problem.....

Finn

Milbo

  • Virtuemart Projectleader
  • Administrator
  • Super Hero
  • *
  • Posts: 9418
  • VM3.2 Cached and Optimized
    • VM3 Extensions
  • VirtueMart Version: VirtueMart 3 on joomla 3
Re: Order details and invoice are public and searchable in Google
« Reply #4 on: January 27, 2017, 23:44:34 pm »
You provide the order password within the link, and so you can open the order. We hardened this part a bit; you may install http://dev.virtuemart.net/attachments/download/1029/com_virtuemart.3.0.18.6_extract_first.zip
It should fix your bug. Please support the VirtueMart project and become a member.
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

WERK70

  • Beginner
  • *
  • Posts: 6
Re: Order details and invoice are public and searchable in Google
« Reply #5 on: March 03, 2017, 14:25:53 pm »
Hi,

today we were asked to have a look at a VM shop with the same problem.

The shop was running on 3.16. We updated to 3.18. Is that issue solved or do we have to take further steps?

thanks
Frank

AH

  • Global Moderator
  • Sr. Member
  • *
  • Posts: 2640
  • VirtueMart Version: 3.2.8
Re: Order details and invoice are public and searchable in Google
« Reply #6 on: March 03, 2017, 15:18:16 pm »
WERK70

You need to test this all for yourself - maybe the Joomla site was hacked and the ACL is incorrect?

regards
A

Joomla 3.8.3
php 5.6 + php 7

quintangai

  • Beginner
  • *
  • Posts: 4
  • A beginner
Re: Order details and invoice are public and searchable in Google
« Reply #7 on: March 03, 2017, 17:50:11 pm »
We have the same issue in our shop, and googling any existing email of any customer and clicking on the Google search results that mention our shop gets you directly to the orders or printed PDF invoices without being asked to log in...  we find this to be a huge hole for confidentiality...

any fix for this ?

regards

quintangai

  • Beginner
  • *
  • Posts: 4
  • A beginner
Re: Order details and invoice are public and searchable in Google
« Reply #8 on: March 03, 2017, 17:54:24 pm »
Sorry, I forgot to mention that we have the latest versions, Joomla 3.6.5 and VM 3.0.18, running on a shared server with PHP 5.6.
Any advice on how to force anyone entering VM to be logged in will be much appreciated....
Or is there a patch for only the ones who worry about this??

any comments will be much appreciated

jenkinhill

  • UK Web Developer & Consultant
  • Global Moderator
  • Super Hero
  • *
  • Posts: 26430
  • Always on vacation
    • Jenkin Hill Internet
Re: Order details and invoice are public and searchable in Google
« Reply #9 on: March 03, 2017, 23:43:43 pm »
You must check your ACL settings.

Many websites that did not get updated to Joomla 3.6.4 and then to 3.6.5 within a suitably short time (even a few minutes) of the release of the official patches were at risk of being hacked, as the method of hacking was also released on the net at the same time (or even slightly before) the official patch release time.  I have had to repair some sites that had been hacked; in two cases they were updated supposedly within one hour of the patch release but still got hacked. One of the hacks we have seen was to alter Joomla ACL settings, so please check this, just in case.
Kelvyn

Jenkin Hill Internet,
Lowestoft, Suffolk, UK

Unsolicited PMs/emails will be ignored.

Please mention your VirtueMart, Joomla and PHP versions when asking a question in this forum

Currently using VM3.2.10 on Joomla 3.8.3 PHP 7.0.25

Testing VM3.2.10.9700 on J3.8.3

AH

  • Global Moderator
  • Sr. Member
  • *
  • Posts: 2640
  • VirtueMart Version: 3.2.8
Re: Order details and invoice are public and searchable in Google
« Reply #10 on: March 04, 2017, 10:13:39 am »
Quote
We have the same issue in our shop, and googling any existing email of any customer and clicking on the Google search results that mention our shop gets you directly to the orders or printed PDF invoices without being asked to log in...  we find this to be a huge hole for confidentiality...

any fix for this ?


NOTE

VirtueMart does NOT allow such a feature by default.  From a privacy perspective it would be ridiculous for it to do so!

Therefore there is something within your settings of Access Control managed by Joomla that is allowing access to administrator/manager or registered-user functionality by non-registered users.

You can read more about it here

https://docs.joomla.org/J3.x:Access_Control_List_Tutorial

If you do not know what I am talking about - or have never set any ACL settings in Joomla then it is very likely that you were subject to a security exploit.

https://www.joomla.org/announcements/release-news/5693-joomla-3-6-5-released.html

There is no VM patch for any of this - it was/is not a VM issue.

Please review your current installation, assuming that there is something wrong with this - because VM does not allow access to user data by any user, regardless of the version.

regards
A


aftertaf

  • Jr. Member
  • **
  • Posts: 157
    • sO couture
  • VirtueMart Version: 3.2.8
Re: Order details and invoice are public and searchable in Google
« Reply #11 on: March 04, 2017, 13:32:17 pm »
just out of curiosity and for clarifying...
If impacted by this, the problem would be that the different ACLs for items in the virtuemart entry on Global Configuration have incorrect settings (due to hack, exploit, etc...)?
@jenkinhill, you said "One of the hacks we have seen was to alter Joomla ACL settings, so please check this, just in case." - for VirtueMart, or for each and every entry on the left panel of Global Configuration...?
thanks
david
Webmaster for my wife (link in my profile ;)
Extensions / plugins : POSForWebshops, TemplatecreatorCK ,MaximenuCK, and PageBuilderCK, VM BatchEdit Pro, VM CustomFilters Pro, Awocoupon Pro, slogin, supersaas,  among other things...
Joomla! 3.8.3//VM 3.2.8//PHP7.0.18 & mariadb 10.1.22 on Debian
big up to notepad++!!!!

jenkinhill

  • UK Web Developer & Consultant
  • Global Moderator
  • Super Hero
  • *
  • Posts: 26430
  • Always on vacation
    • Jenkin Hill Internet
Re: Order details and invoice are public and searchable in Google
« Reply #12 on: March 04, 2017, 16:16:33 pm »
Each and every ACL option was green on the website we saw, and there were 8 users listed with administrator access who had not been added by the site superuser. We have no idea exactly how this was done, but the database must effectively have been accessed/altered and the whole site compromised. The only option was to revert to an earlier backup, and update Joomla and extensions on localhost before publishing to the live server. This was not a VM site, so there was no possibility of orders being lost etc. It was only spotted by the owner because the edit symbol showed on FE articles and modules without being logged in.
Kelvyn

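jenkinhill's description (every ACL option green, eight administrator accounts nobody created) and aftertaf's question about which entries to check can both be answered from the database rather than by clicking through Global Configuration. The script below is an added example for this thread, not Joomla or VirtueMart code: it queries the standard Joomla 3 ACL tables for accounts in the Manager/Administrator/Super Users groups, for view levels whose group list includes Public or Guest, and for component permissions granted to those groups. It assumes the default Joomla 3 group ids (1 Public, 2 Registered, 6 Manager, 7 Administrator, 8 Super Users, 9 Guest) and a table prefix of jos_; the rows it loads into an in-memory SQLite database are constructed, with deliberately tampered entries, so it runs offline.

```python
"""Audit a Joomla 3 database for ACL tampering: rogue privileged accounts,
view levels opened to Public/Guest, and asset rules that allow core.* actions
to anonymous groups.

Added example; not Joomla or VirtueMart code. Table names, group ids and the
sample rows are assumptions/constructed data described in the lead-in.
"""
import json
import sqlite3

PREFIX = "jos_"   # assumption: the $dbprefix from the site's configuration.php
PRIVILEGED_GROUPS = {6: "Manager", 7: "Administrator", 8: "Super Users"}
ANONYMOUS_GROUPS = {1: "Public", 9: "Guest"}

# Minimal copies of the Joomla tables the checks need; "#__" is Joomla's own
# placeholder for the table prefix.
SCHEMA = """
CREATE TABLE #__users (id INTEGER PRIMARY KEY, name TEXT, username TEXT, email TEXT,
    block INTEGER, registerDate TEXT, lastvisitDate TEXT);
CREATE TABLE #__usergroups (id INTEGER PRIMARY KEY, parent_id INTEGER, title TEXT);
CREATE TABLE #__user_usergroup_map (user_id INTEGER, group_id INTEGER);
CREATE TABLE #__viewlevels (id INTEGER PRIMARY KEY, title TEXT, ordering INTEGER, rules TEXT);
CREATE TABLE #__assets (id INTEGER PRIMARY KEY, parent_id INTEGER, name TEXT, title TEXT, rules TEXT);
"""
# Constructed data: user 137 and the Administrator membership of user 138 are the
# "added by the hack" entries; view level 2 and com_virtuemart are opened to Public.
SAMPLE_ROWS = """
INSERT INTO #__usergroups VALUES (1,0,'Public'),(2,1,'Registered'),(6,1,'Manager'),
    (7,6,'Administrator'),(8,1,'Super Users'),(9,1,'Guest');
INSERT INTO #__users VALUES
    (42,'Site Owner','owner','owner@shop.example',0,'2015-03-01 09:00:00','2017-03-04 08:10:00'),
    (100,'Ola Customer','ola','ola@example.net',0,'2016-11-12 14:20:00','2016-11-12 14:25:00'),
    (137,'wp-admin','wpadmin','x@mail.invalid',0,'2016-12-20 03:14:07','2017-02-28 02:01:00'),
    (138,'Kari Customer','kari','kari@example.net',0,'2016-10-02 10:00:00','2016-10-02 10:05:00');
INSERT INTO #__user_usergroup_map VALUES (42,8),(100,2),(137,8),(138,2),(138,7);
INSERT INTO #__viewlevels VALUES (1,'Public',0,'[1]'),(2,'Registered',1,'[6,2,8,1]'),
    (3,'Special',2,'[6,3,8]'),(5,'Guest',3,'[9]');
INSERT INTO #__assets VALUES
    (1,0,'root.1','Root Asset','{"core.admin":{"8":1},"core.manage":{"7":1}}'),
    (8,1,'com_content','com_content','{"core.edit":{"4":1}}'),
    (50,1,'com_virtuemart','com_virtuemart','{"core.admin":{"1":1},"core.manage":{"1":1},"core.edit":{"6":1}}');
"""


def sql(text):
    return text.replace("#__", PREFIX)


def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(sql(SCHEMA) + sql(SAMPLE_ROWS))
    return conn


def privileged_accounts(conn):
    """Every account in a Manager/Administrator/Super Users group, oldest first."""
    ids = ",".join(str(g) for g in PRIVILEGED_GROUPS)
    cur = conn.cursor()
    cur.execute(sql(f"""
        SELECT u.id, u.username, u.email, g.title AS grp, u.registerDate, u.lastvisitDate, u.block
        FROM #__users u
        JOIN #__user_usergroup_map m ON m.user_id = u.id
        JOIN #__usergroups g ON g.id = m.group_id
        WHERE m.group_id IN ({ids})
        ORDER BY u.registerDate, u.id"""))
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


def unexpected_privileged(conn, known_usernames):
    """Privileged accounts not on the list the super user actually recognises."""
    return [a for a in privileged_accounts(conn) if a["username"] not in known_usernames]


def anonymous_in_viewlevels(conn):
    """Non-public view levels whose group list includes Public or Guest: any
    visitor then sees content restricted to Registered/Special users."""
    cur = conn.cursor()
    cur.execute(sql("SELECT id, title, rules FROM #__viewlevels ORDER BY id"))
    findings = []
    for level_id, title, rules in cur.fetchall():
        leaked = set(json.loads(rules)) & set(ANONYMOUS_GROUPS)
        if leaked and title not in ANONYMOUS_GROUPS.values():
            findings.append((level_id, title, sorted(leaked)))
    return findings


def anonymous_grants_in_assets(conn):
    """Asset (component/category) rules that allow a core.* action to Public
    or Guest; in Joomla's rules JSON the value 1 means 'allowed'."""
    cur = conn.cursor()
    cur.execute(sql("SELECT name, rules FROM #__assets ORDER BY id"))
    findings = []
    for name, rules in cur.fetchall():
        for action, grants in (json.loads(rules) if rules else {}).items():
            for gid, allowed in grants.items():
                if int(gid) in ANONYMOUS_GROUPS and int(allowed) == 1:
                    findings.append((name, action, ANONYMOUS_GROUPS[int(gid)]))
    return findings


if __name__ == "__main__":
    db = build_sample_db()
    print("privileged accounts not on the owner's list:")
    for a in unexpected_privileged(db, {"owner"}):
        print(f"  {a['id']:>4} {a['username']:<12} {a['grp']:<14} registered {a['registerDate']}")
    print("view levels open to anonymous groups:", anonymous_in_viewlevels(db))
    print("asset rules granting actions to anonymous groups:", anonymous_grants_in_assets(db))
```

On a live site, replace build_sample_db() with a DB-API connection to the shop's MySQL database (read-only credentials are enough) and set PREFIX from configuration.php. A hit in any of the three checks, or a privileged account the owner does not recognise, is the kind of tampering described in this thread; as jenkinhill says, the safe remedy is restoring a known-good backup and updating, since other parts of the site may have been altered as well.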

Studio 42

  • Contributing Developer
  • Full Member
  • *
  • Posts: 2436
  • Joomla & Virtuemart addon developper
    • Studio 42 - Virtuemart & Joomla extentions
  • VirtueMart Version: 2.6 & 3.0.x.y
Re: Order details and invoice are public and searchable in Google
« Reply #13 on: March 04, 2017, 22:13:31 pm »
Stop.
There is nothing listed on Google.

https://www.google.de/search?num=50&q=www.parapandaecorock.com%2Findex.php%3Foption%3Dcom_virtuemart%26view%3Dinvoice&oq=www.parapandaecorock.com%2Findex.php%3Foption%3Dcom_virtuemart%26view%3Dinvoice

Search result in cache:
http://webcache.googleusercontent.com/search?q=cache:4qoKqg1JsycJ:www.parapandaecorock.com/index.php%3Foption%3Dcom_virtuemart%26view%3Dinventory%26tmpl%3Dcomponent%26manage%3D1&num=1&hl=fr&gl=fr&strip=1&vwsrc=0

Each time someone reported such a problem to me, you find some working links, and this means that someone hacked the site or you updated from an old VM release and the ACL was not set on update.

I think that orders that have a valid Joomla user should not be accessible from a direct link; this already prevents some hacks if you don't use anonymous orders.

All order page links should be set to rel="nofollow"
and head meta
<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
So your orders are not displayed in Google or by other search bots that respect such rules.
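Milbo's point above is that the invoice link itself carries the order password, so anything that obtains the URL (a crawler following a link, a visitor clicking a search result) can open the order, and Studio 42's advice is to keep such pages out of the index. One way to find out whether that has already happened on your own shop is to look in the web server access log for order and invoice views that were served to search-engine crawlers or reached from search results. The script below does that; it is an added example for this thread, not VirtueMart or Joomla code, and the log lines, hostnames and order passwords in it are constructed. It assumes the Apache/Nginx combined log format and the URL shape quoted earlier in the thread (option=com_virtuemart, view=invoice or orders, order_pass=...).

```python
"""Find VirtueMart order/invoice links that search engines fetched, or that
visitors reached from search results, in a web server access log.

Added example for this thread; not VirtueMart or Joomla code. The log format,
URL shape and the sample lines below are assumptions/constructed data.
"""
import re
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

# host ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
CRAWLER_AGENTS = ("googlebot", "bingbot", "yandexbot", "duckduckbot", "baiduspider")
SEARCH_REFERERS = ("google.", "bing.com", "yandex.", "duckduckgo.com")
ORDER_VIEWS = {"invoice", "orders"}
SECRET_PARAMS = {"order_pass"}   # the per-order password carried in the link


def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def query(path):
    return parse_qs(urlsplit(path).query)


def is_vm_order_url(path):
    """True when the request targets a VirtueMart order or invoice view."""
    q = query(path)
    return q.get("option", [""])[0] == "com_virtuemart" and q.get("view", [""])[0] in ORDER_VIEWS


def redact(path):
    """Replace the order password so findings can be logged or shared safely."""
    parts = urlsplit(path)
    pairs = [(k, "REDACTED" if k in SECRET_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def exposure_kind(rec):
    """'crawled' if a search-engine bot got a 2xx for an order view,
    'search-referral' if a visitor arrived at one from a search results page,
    None otherwise (non-order URLs, and requests that were refused/redirected)."""
    if rec["method"] != "GET" or not rec["status"].startswith("2"):
        return None
    if not is_vm_order_url(rec["path"]):
        return None
    if any(bot in rec["agent"].lower() for bot in CRAWLER_AGENTS):
        return "crawled"
    if any(site in rec["referer"].lower() for site in SEARCH_REFERERS):
        return "search-referral"
    return None


def scan(lines):
    """Return one finding per exposed request, with the order password redacted."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = exposure_kind(rec)
        if kind is None:
            continue
        findings.append({
            "kind": kind,
            "time": rec["time"],
            "order_id": query(rec["path"]).get("virtuemart_order_id", ["?"])[0],
            "url": redact(rec["path"]),
            "agent": rec["agent"],
        })
    return findings


# Constructed log lines: no real shop, customers or order passwords.
SAMPLE_LOG = [
    # Googlebot fetched an invoice via a link that carried the order password: served 200
    '66.249.66.1 - - [25/Jan/2017:10:15:02 +0100] "GET /index.php?option=com_virtuemart&view=invoice&layout=invoice&tmpl=component&virtuemart_order_id=92&order_number=EX0001&order_pass=p_EXAMPLE1 HTTP/1.1" 200 8421 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    # a visitor clicking through from a Google results page to an order
    '203.0.113.7 - - [25/Jan/2017:11:02:44 +0100] "GET /index.php?option=com_virtuemart&view=orders&layout=details&virtuemart_order_id=93&order_pass=p_EXAMPLE2 HTTP/1.1" 200 6120 "https://www.google.dk/search?q=ftsu+bestilling" "Mozilla/5.0 (Windows NT 10.0) Chrome/55.0"',
    # ordinary product page crawl: not an order view, ignored
    '66.249.66.1 - - [25/Jan/2017:10:16:10 +0100] "GET /index.php?option=com_virtuemart&view=productdetails&virtuemart_product_id=12 HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    # crawler redirected away from an invoice: the wanted behaviour, not a finding
    '157.55.39.1 - - [25/Jan/2017:12:00:00 +0100] "GET /index.php?option=com_virtuemart&view=invoice&virtuemart_order_id=94 HTTP/1.1" 303 0 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']}  {f['kind']:16} order {f['order_id']}  {f['url']}")
```

Run it over the real log with scan(open("access.log")). A 2xx to a crawler can also be a served login form, so confirm a flagged URL by requesting it from a fresh browser session with the order_pass parameter stripped; if the invoice still renders, the ACL repair and update discussed in this thread are needed, and URLs already in the index have to be taken out with the search engine's removal tool once the page is no longer reachable.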

WERK70

  • Beginner
  • *
  • Posts: 6
Re: Order details and invoice are public and searchable in Google
« Reply #14 on: March 06, 2017, 09:02:04 am »
Good morning,

We checked the ACL and, as predicted, it was compromised. Lots of users that should not be there. Some of them and some customers were labelled as administrators and super users. Even the password for the DB had been changed.

As we don't run this site ourselves, nor do we update it, and the site owner doesn't want to pay for a cleaning, we'll pass the problem back to the site owner.

thank you for the information.

Frank