Author Topic: Order details and invoice are public and searcheable in Google  (Read 2437 times)

AH

  • Global Moderator
  • Sr. Member
  • *
  • Posts: 2557
  • VirtueMart Version: 3.2.3
Re: Order details and invoice are public and searcheable in Google
« Reply #15 on: March 06, 2017, 11:56:05 am »
Thank you for the update -

If that is their approach - IMHO The site owners should not be allowed to handle personal data
regards
A

Joomla 3.7.2
php 5.6 + php 7

finngu

  • Beginner
  • *
  • Posts: 17
Re: Order details and invoice are public and searcheable in Google
« Reply #16 on: March 08, 2017, 20:09:11 pm »
This is really weird!
I don't get it... all my ACL settings "look red" -- that is, if I am looking at the right place

My problem - and I need it solved - is that on Google you can find this link. And it shows a complete list of all orders in Virtuemart - BACKEND!
No login needed - one just gets the list of orders... straight from the browser

[Mod edited:  Link deleted - no point in inviting hackers in!  Yes the site is wide open with a full front end view of orders, inventory, configuration as well as other areas. ]

How on earth do I fix this? This is wide open?!!?

The Virtuemart IS updated to the latest version 3.0.18 and Joomla is the latest version 3.6.5

I need help

Thanks
Finn

finngu

  • Beginner
  • *
  • Posts: 17
Re: Order details and invoice are public and searcheable in Google
« Reply #17 on: March 08, 2017, 20:33:55 pm »
Thanks for removing the link. Stupid me

But how do I fix it so that access to the orders backend is no longer wide open?
I have no idea how this was set, so the site is wide open

Do I need to reinstall Joomla and Virtuemart completely?
Could the cause of the problem also be in the database? If I need to reinstall, then we have a lot of data in Virtuemart that we would really not like to lose...


Studio 42

  • Contributing Developer
  • Full Member
  • *
  • Posts: 2121
  • Joomla & Virtuemart addon developper
    • Studio 42 - Virtuemart & Joomla extentions
  • VirtueMart Version: 2.6 & 3.0.x.y
Re: Order details and invoice are public and searcheable in Google
« Reply #18 on: March 08, 2017, 23:04:29 pm »
Try to get files from http://dev.virtuemart.net/projects/virtuemart/files and get 3.0.18.6, 3.0.18.8 or the last beta.
Check your Joomla config permission for Virtuemart and check and remove any super user (and admin) that you don't know.

AH

  • Global Moderator
  • Sr. Member
  • *
  • Posts: 2557
  • VirtueMart Version: 3.2.3
Re: Order details and invoice are public and searcheable in Google
« Reply #19 on: March 09, 2017, 08:32:23 am »
If you have been compromised - it may be that there is more to it than just the ACL settings

So consider carefully how you recover from this state.  Just changing ACL may not be enough.
regards
A

Joomla 3.7.2
php 5.6 + php 7

finngu

  • Beginner
  • *
  • Posts: 17
Re: Order details and invoice are public and searcheable in Google
« Reply #20 on: March 09, 2017, 10:51:25 am »
So what else than ACL - and where?

Do I have to reinstall everything and start over?


Thanks

WERK70

  • Beginner
  • *
  • Posts: 6
Re: Order details and invoice are public and searcheable in Google
« Reply #21 on: March 09, 2017, 11:07:06 am »
Quote
If that is their approach - IMHO The site owners should not be allowed to handle personal data

I agree but I can't force them.

We found an old Akeeba backup on their webspace which was not compromised and re-installed it. Then we told them, if they are not willing to backup and update their system (we offer this for a moderate fee) then they should never come back and ask for help.

AH

  • Global Moderator
  • Sr. Member
  • *
  • Posts: 2557
  • VirtueMart Version: 3.2.3
Re: Order details and invoice are public and searcheable in Google
« Reply #22 on: March 09, 2017, 12:02:05 pm »
Quote
So what else than ACL - and where?

Do I have to reinstall everything and start over?

Why not clear out all the server directories and database tables and restore from a backup of files and database?
regards
A

Joomla 3.7.2
php 5.6 + php 7
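The advice in this thread is to wipe the web root and restore from a backup that is known to be clean rather than only fixing ACL. The following is an added example, not code from the thread, from VirtueMart or from Akeeba: it shows one way to check whether a live Joomla tree still matches the clean copy you restored from, by hashing every file and reporting what was added, modified or removed since the manifest was taken. The file names and contents in the demo are constructed; in practice you would build the manifest from the extracted backup and compare it against the live document root.

```python
"""Compare a live web root against a known-good file manifest (added example)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large uploads/media do not load fully into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest.
    pathlib's rglob also matches dotfiles, so hidden files are not skipped."""
    manifest = {}
    for path in root.rglob("*"):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def compare_tree(manifest: dict, root: Path) -> dict:
    """Return files that are new, changed or gone in the live tree vs. the manifest."""
    live = build_manifest(root)
    return {
        "added": sorted(p for p in live if p not in manifest),
        "modified": sorted(p for p in live if p in manifest and live[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in live),
    }


def demo() -> dict:
    """Constructed scenario: manifest taken from a clean tree, then the tree is tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "configuration.php").write_text("<?php class JConfig {}\n")
        (root / "components" / "com_virtuemart").mkdir(parents=True)
        (root / "components" / "com_virtuemart" / "virtuemart.php").write_text("<?php // clean\n")
        (root / "images").mkdir()
        (root / "images" / "logo.png").write_bytes(b"\x89PNG...")
        clean = build_manifest(root)

        # Simulate the kind of drift you would want to catch after a compromise:
        # a PHP file where only images belong, an altered component file, a deleted asset.
        (root / "images" / ".cache.php").write_text("<?php // unexpected file\n")
        (root / "components" / "com_virtuemart" / "virtuemart.php").write_text("<?php // altered\n")
        (root / "images" / "logo.png").unlink()
        return compare_tree(clean, root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Anything listed under "added" or "modified" in a directory that should only hold static content deserves a look before the site goes back online; a clean diff against the backup is the evidence that restoring actually removed whatever was planted.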

Thomas Kampp

  • Jr. Member
  • **
  • Posts: 53
  • Joomla Developer
    • Toolmaster.dk
Re: Order details and invoice are public and searcheable in Google
« Reply #23 on: April 06, 2017, 17:42:33 pm »
THIS ISSUE IS NOT FIXED!

It is NOT a permission issue! It is a bug in Virtuemart  ;)

PHP: 7.1.3
Joomla: 3.6.5 (newest)
Virtuemart: 3.2.1 (newest)

I am still able to find customer invoice PDFs by searching their email in Google. I have a test example if needed.

Please view these two images as well.
Danish Joomla Services: www.toolmaster.dk

aftertaf

  • Jr. Member
  • **
  • Posts: 99
    • sO couture
  • VirtueMart Version: 3.2.2
Re: Order details and invoice are public and searcheable in Google
« Reply #24 on: April 06, 2017, 20:40:01 pm »
probably hacked before update.
when does this date from ?
Webmaster for my wife
Long live joomla, virtuemart and open source in general.
usually latest version of VM & J!
Using POSForWebshops, TemplatecreatorCK, MaximenuCK, VM BatchEdit Pro among other things...
VM 3.2.2, PHP Version 7.0.18-1~dotdeb+8.1, mariadb 10.1.22 Joomla! 3.7.2

aftertaf

  • Jr. Member
  • **
  • Posts: 99
    • sO couture
  • VirtueMart Version: 3.2.2
Re: Order details and invoice are public and searcheable in Google
« Reply #25 on: April 06, 2017, 20:55:46 pm »
checked on mine (specs in sig) and no finding in Google -> not an 'always' bug, if bug it is...
Virtuemart ACL : add RED everywhere except for superusers.
try to find from when the hits in your Google search date... ?
Webmaster for my wife
Long live joomla, virtuemart and open source in general.
usually latest version of VM & J!
Using POSForWebshops, TemplatecreatorCK, MaximenuCK, VM BatchEdit Pro among other things...
VM 3.2.2, PHP Version 7.0.18-1~dotdeb+8.1, mariadb 10.1.22 Joomla! 3.7.2

Thomas Kampp

  • Jr. Member
  • **
  • Posts: 53
  • Joomla Developer
    • Toolmaster.dk
Re: Order details and invoice are public and searcheable in Google
« Reply #26 on: April 06, 2017, 21:16:29 pm »
I can confirm that the Virtuemart ACL is correct and that all are RED everywhere except for superusers.

The hacked part is very unlikely due to it having recently been reinstalled and set up. Also the site has a very high security level, extensions, regular checks/scans and such.

This leaves the part of your suggestions regarding dates, BUT in my mind this is not possible. There is NO SITUATION where the public should be able to view PDFs without a login. This even goes for URLs with encrypted or hash values and such. So in my mind it is a bug that it is even possible regardless of this or ACL.
Danish Joomla Services: www.toolmaster.dk

Jörgen

  • Global Moderator
  • Full Member
  • *
  • Posts: 968
    • Kreativ Fotografi
  • VirtueMart Version: 3.0.19.9
Re: Order details and invoice are public and searcheable in Google
« Reply #27 on: April 07, 2017, 07:45:31 am »
Hello

I have checked your invoice and I can see that the order was created 2016-09-12 and that the invoice was created 2017-02-15. When did you update VM ?

Does this also happen when you google newly created orders and invoices ?

regards

Jörgen @ Kreativ Fotografi
Joomla 3.6.5
Virtuemart 3.0.19.9
Olympiantheme Hera (customized)

Thomas Kampp

  • Jr. Member
  • **
  • Posts: 53
  • Joomla Developer
    • Toolmaster.dk
Re: Order details and invoice are public and searcheable in Google
« Reply #28 on: April 07, 2017, 10:04:07 am »
It is regularly updated. Just before Christmas, February and last time was yesterday.

It does not matter when it was updated in my mind. There is NO scenario where:
1. Invoices should be allowed to be indexed by Google. Ever.
2. These should not be allowed to be viewed by other than the owner (after login). Ever.

Both would be breaking the personal data law. Both would mean Virtuemart is not legal in all of Europe.

So clearly there is a bug with both problems...
Danish Joomla Services: www.toolmaster.dk

Jörgen

  • Global Moderator
  • Full Member
  • *
  • Posts: 968
    • Kreativ Fotografi
  • VirtueMart Version: 3.0.19.9
Re: Order details and invoice are public and searcheable in Google
« Reply #29 on: April 07, 2017, 15:20:00 pm »
Hello

I have not written the software, I am only trying to help. And yes, it does matter when it was updated. You are giving a 7-month-old order as an example. If it was indexed 7 months ago, a new version will not stop this, because it seems like the password for the invoice is included in the indexed URL.

I asked if you can do the same with new orders? If the problem has been rectified, then there is only an issue for old invoices, not new ones.

Maybe someone else can give You more help

Jörgen @ Kreativ Fotografi
Joomla 3.6.5
Virtuemart 3.0.19.9
Olympiantheme Hera (customized)
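The point made above is that once an invoice URL carrying its own password has been indexed, upgrading the shop does not pull it out of the index, so the access log is the place to see whether such URLs are still being fetched. The following is an added example, not code from the thread or from VirtueMart: it parses Apache combined-format log lines and flags invoice requests that were fetched by a crawler, reached via a search-engine referer, or carry a credential-like query parameter. The log lines, the URL shape (option/view/format parameters) and the parameter names in SECRET_PARAMS, including "invoice_pw", are constructed for the demo and are not VirtueMart's actual routing; adjust them to what your own invoice URLs look like.

```python
"""Flag invoice-PDF requests that arrived through search engines or crawlers (added example)."""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format: ip ident user [ts] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
CRAWLER_UA = re.compile(r"googlebot|bingbot|yandexbot|duckduckbot", re.I)
SEARCH_REFERER = re.compile(r"^https?://(www\.)?(google|bing|yandex|duckduckgo)\.", re.I)
# Assumed parameter names that would carry a secret; "invoice_pw" is hypothetical.
SECRET_PARAMS = {"invoice_pw", "token", "hash", "key"}

# Constructed sample log (documentation IP ranges, made-up order numbers and password).
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Feb/2017:03:12:45 +0100] "GET /index.php?option=com_virtuemart&view=invoice'
    '&format=pdf&order_number=1042&invoice_pw=a1b2c3 HTTP/1.1" 200 48213 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.7 - - [06/Apr/2017:17:40:02 +0200] "GET /index.php?option=com_virtuemart&view=invoice'
    '&format=pdf&order_number=1042&invoice_pw=a1b2c3 HTTP/1.1" 200 48213 "https://www.google.com/" "Mozilla/5.0"',
    '198.51.100.9 - - [06/Apr/2017:17:41:10 +0200] "GET /index.php?option=com_virtuemart'
    '&view=productdetails&virtuemart_product_id=12 HTTP/1.1" 200 9130 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [06/Apr/2017:17:42:30 +0200] "GET /index.php?option=com_virtuemart&view=invoice'
    '&format=pdf&order_number=1043 HTTP/1.1" 403 512 "-" "Mozilla/5.0"',
]


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict) -> List[str]:
    """Reasons an invoice request is worth reporting; empty list for anything else."""
    url = urlsplit(entry["target"])
    q = parse_qs(url.query)
    is_invoice = "invoice" in url.path.lower() or q.get("view") == ["invoice"]
    if not is_invoice:
        return []
    reasons = []
    if CRAWLER_UA.search(entry["ua"]):
        reasons.append("crawler fetched invoice")
    if SEARCH_REFERER.match(entry["referer"]):
        reasons.append("visitor arrived from search engine")
    if SECRET_PARAMS & set(q):
        reasons.append("secret carried in query string")
    return reasons


def scan(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (ip, target, reasons) for invoice requests that were actually served (200)."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if not entry:
            continue
        reasons = classify(entry)
        if reasons and entry["status"] == "200":
            findings.append((entry["ip"], entry["target"], reasons))
    return findings


if __name__ == "__main__":
    for ip, target, reasons in scan(SAMPLE_LOG):
        print(f"{ip} {target}\n    {'; '.join(reasons)}")
```

A hit on "crawler fetched invoice" with status 200 is the direct evidence that the document is reachable without a login, and "secret carried in query string" tells you the secret has already left your control, since it sits in the indexed URL, in the referer of every outbound link from that page, and in any log that stored the request line.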