Author Topic: Order details and invoice are public and searchable in Google  (Read 856 times)

AH

  • Global Moderator
  • Sr. Member
  • *
  • Posts: 2512
  • VirtueMart Version: 3.0.19.8
Re: Order details and invoice are public and searchable in Google
« Reply #15 on: March 06, 2017, 11:56:05 am »
Thank you for the update -

If that is their approach - IMHO The site owners should not be allowed to handle personal data
regards
A

Joomla 3.6.5
php 7

finngu

  • Beginner
  • *
  • Posts: 16
Re: Order details and invoice are public and searchable in Google
« Reply #16 on: March 08, 2017, 20:09:11 pm »
This is really weird!
I don't get it... all my ACL settings "look red" -- that is, if I am looking at the right place

My problem - and I need it solved - is that on Google you can find this link. And it shows a complete list of all orders in Virtuemart - BACKEND!
No login needed - one just gets the list of orders... straight from the browser

[Mod edited: Link deleted - no point in inviting hackers in! Yes the site is wide open with a full front end view of orders, inventory, configuration as well as other areas.]

How on earth do I fix this? This is wide open?!!?

The virtuemart IS updated to latest version 3.0.18 and Joomla is latest version 3.6.5

I need help

Thanks
Finn

finngu

  • Beginner
  • *
  • Posts: 16
Re: Order details and invoice are public and searchable in Google
« Reply #17 on: March 08, 2017, 20:33:55 pm »
Thanks for removing the link. Stupid me

But how do I fix it that access to the orders backend is wide open?
I have no idea how this was set, so the site is wide open

Do I need to reinstall Joomla and Virtuemart completely?
Could the cause of the problem also be in the database? If I need to reinstall, then we have a lot of data in Virtuemart that we would really not like to lose...


Studio 42

  • Contributing Developer
  • Full Member
  • *
  • Posts: 2068
  • Joomla & Virtuemart addon developer
    • Studio 42 - Virtuemart & Joomla extensions
  • VirtueMart Version: 2.6 & 3.0.x.y
Re: Order details and invoice are public and searchable in Google
« Reply #18 on: March 08, 2017, 23:04:29 pm »
Try to get files from http://dev.virtuemart.net/projects/virtuemart/files and get 3.0.18.6, 3.0.18.8 or last beta.
Check your Joomla config permission for Virtuemart and check and remove any super user (and admin) that you don't know.
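
For the "check your Joomla config permission for Virtuemart" step in the reply above, an added example (not part of the thread and not Joomla or VirtueMart project code) that flags explicit Allow entries giving administrative actions to non-backend groups. It assumes the rules JSON is copied from the `rules` column of the Joomla assets table for the `root.1` and `com_virtuemart` assets, that the site uses the Joomla 3 default group ids, and that the helper names and sample rows are constructed for illustration.

```python
import json

# Joomla 3 default user-group ids; a site may have added or renamed groups (assumption).
GROUPS = {1: "Public", 2: "Registered", 3: "Author", 4: "Editor", 5: "Publisher",
          6: "Manager", 7: "Administrator", 8: "Super Users", 9: "Guest"}
TRUSTED = {6, 7, 8}  # groups expected to reach the administration side
SENSITIVE = {"core.admin", "core.manage", "core.login.admin"}

def risky_grants(asset_name, rules_json, trusted=TRUSTED):
    """List explicit Allow entries (value 1) that give a sensitive action
    to a group outside `trusted`. Inherited permissions are not evaluated."""
    rules = json.loads(rules_json or "{}")
    findings = []
    for action in sorted(SENSITIVE.intersection(rules)):
        grants = rules[action]
        if not isinstance(grants, dict):  # an action with no entries is stored as []
            continue
        for gid, value in sorted(grants.items(), key=lambda kv: int(kv[0])):
            if int(value) == 1 and int(gid) not in trusted:
                findings.append((asset_name, action, int(gid),
                                 GROUPS.get(int(gid), "unknown id")))
    return findings

# Constructed sample rows (asset name, rules JSON), not taken from any real site.
SAMPLE_ASSETS = [
    ("root.1", '{"core.login.site":{"6":1,"2":1},"core.login.admin":{"6":1},'
               '"core.admin":{"8":1},"core.manage":{"7":1},"core.delete":{"6":1}}'),
    ("com_virtuemart", '{"core.admin":{"8":1},"core.manage":{"1":1,"7":1},'
                       '"core.delete":[]}'),
]

def audit(assets=SAMPLE_ASSETS):
    """Run risky_grants over every (name, rules) row and merge the findings."""
    return [f for name, rules in assets for f in risky_grants(name, rules)]

if __name__ == "__main__":
    for asset, action, gid, group in audit():
        print(f"{asset}: {action} is explicitly allowed for group {gid} ({group})")
```

A clean result only means no explicit Allow was found on the assets checked; unknown super users and admins still have to be reviewed separately, as the reply says.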

AH

  • Global Moderator
  • Sr. Member
  • *
  • Posts: 2512
  • VirtueMart Version: 3.0.19.8
Re: Order details and invoice are public and searchable in Google
« Reply #19 on: March 09, 2017, 08:32:23 am »
If you have been compromised - it may be that there is more to it than just the ACL settings

So consider carefully how you recover from this state. Just changing ACL may not be enough.
regards
A

Joomla 3.6.5
php 7

finngu

  • Beginner
  • *
  • Posts: 16
Re: Order details and invoice are public and searchable in Google
« Reply #20 on: March 09, 2017, 10:51:25 am »
So what else than ACL - and where?

Do I have to reinstall everything and start over?


Thanks

WERK70

  • Beginner
  • *
  • Posts: 5
Re: Order details and invoice are public and searchable in Google
« Reply #21 on: March 09, 2017, 11:07:06 am »
Quote
If that is their approach - IMHO The site owners should not be allowed to handle personal data

I agree but I can't force them.

We found an old akeeba backup on their webspace which was not compromised and re-installed it. Then we told them, if they are not willing to back up and update their system (we offer this for a moderate fee) then they should never come back and ask for help.

AH

  • Global Moderator
  • Sr. Member
  • *
  • Posts: 2512
  • VirtueMart Version: 3.0.19.8
Re: Order details and invoice are public and searchable in Google
« Reply #22 on: March 09, 2017, 12:02:05 pm »
Quote
So what else than ACL - and where?

Do I have to reinstall everything and start over?

Why not clear out all the server directories and dbase tables and restore from a backup of files and database?
regards
A

Joomla 3.6.5
php 7