Author Topic: Order details and invoice are public and searchable in Google  (Read 2920 times)

Thomas Kampp

  • Jr. Member
  • **
  • Posts: 53
  • Joomla Developer
    • Toolmaster.dk
Re: Order details and invoice are public and searchable in Google
« Reply #30 on: April 07, 2017, 15:28:23 pm »
Thanks :-)

A quick test reveals that there are at least some up to 16 February 2017. I have not looked further than this.
The problem with newer examples is that it takes time for Google to show new pages, so we can perhaps never show a truly fresh example.

What I am looking for right now is simply a way to prevent the PDF from being downloaded unless the user is logged in, but I can't find the relevant code to do this.
Danish Joomla Services: www.toolmaster.dk

Jörgen

  • Global Moderator
  • Full Member
  • *
  • Posts: 974
    • Kreativ Fotografi
  • VirtueMart Version: 3.0.19.9
Re: Order details and invoice are public and searchable in Google
« Reply #31 on: April 07, 2017, 15:32:25 pm »
Hello

Check the URL for reading the PDF. The VirtueMart view is shown there.

regards

Jörgen @ Kreativ Fotografi
Joomla 3.6.5
Virtuemart 3.0.19.9
Olympiantheme Hera (customized)

Thomas Kampp

  • Jr. Member
  • **
  • Posts: 53
  • Joomla Developer
    • Toolmaster.dk
Re: Order details and invoice are public and searchable in Google
« Reply #32 on: April 07, 2017, 17:09:40 pm »
Sadly no....

?option=com_virtuemart&view=invoice&layout=invoice&format=pdf&tmpl=component&virtuemart_order_id=**********

The view is invoice. So far so good, but there is no specific area for format=pdf, so the changes also break the normal invoice format.
Danish Joomla Services: www.toolmaster.dk

Jörgen

  • Global Moderator
  • Full Member
  • *
  • Posts: 974
    • Kreativ Fotografi
  • VirtueMart Version: 3.0.19.9
Re: Order details and invoice are public and searchable in Google
« Reply #33 on: April 07, 2017, 21:28:43 pm »
Hello

You can check for pdf like this:
Code:
$invoiceformat = vRequest::getCmd('format', '');
if ($invoiceformat === 'pdf') {
    // Your code here: for example, check that the user is logged in before the PDF is rendered
}

I think you get what I mean :)

Jörgen @ Kreativ Fotografi
Joomla 3.6.5
Virtuemart 3.0.19.9
Olympiantheme Hera (customized)

Studio 42

  • Contributing Developer
  • Full Member
  • *
  • Posts: 2145
  • Joomla & Virtuemart addon developper
    • Studio 42 - Virtuemart & Joomla extentions
  • VirtueMart Version: 2.6 & 3.0.x.y
Re: Order details and invoice are public and searchable in Google
« Reply #34 on: April 07, 2017, 23:40:16 pm »
You can check the referer using PHP $_SERVER['HTTP_REFERER'] to eliminate outside calls and redirect to your index if they come from a Google search or another bot.


Jörgen

  • Global Moderator
  • Full Member
  • *
  • Posts: 974
    • Kreativ Fotografi
  • VirtueMart Version: 3.0.19.9
Re: Order details and invoice are public and searchable in Google
« Reply #35 on: April 08, 2017, 10:36:05 am »
Hello Patrick

But as I understand it, this is a legitimate call, so the customer would not see the invoice either. How can we stop this call from being public? Only the customer should get this, right? I thought this was fixed, right? So we only have to take care of old invoice download requests, or am I wrong?

regards

Jörgen @ Kreativ Fotografi
Joomla 3.6.5
Virtuemart 3.0.19.9
Olympiantheme Hera (customized)

Studio 42

  • Contributing Developer
  • Full Member
  • *
  • Posts: 2145
  • Joomla & Virtuemart addon developper
    • Studio 42 - Virtuemart & Joomla extentions
  • VirtueMart Version: 2.6 & 3.0.x.y
Re: Order details and invoice are public and searchable in Google
« Reply #36 on: April 11, 2017, 02:46:00 am »
Jörgen, I think it's possible to filter visitors coming from Google using HTTP_REFERER, since users coming from the email do not have the same HTTP_REFERER.
I only gave this as a suggestion; of course, if you don't filter correctly you stop user access.
Another possible filter is to check whether the order has a Joomla user account associated with it and force the user to log in.
I think using the two systems together should stop most possible access, and Google.
You can use another system using an existing value such as the customer name, for example, so that outsiders cannot access the order if they don't know the customer name.
This can be done using a system plugin, for example.
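The two suggestions above (Jörgen's format check in reply #33 and the "force login / tie the order to the Joomla account / do it in a system plugin" idea in reply #36) can be combined into one Joomla 3 system plugin. The following is an added example written for this thread, not VirtueMart's own code or anything posted here; the plugin name vminvoiceguard, the message strings and the VirtueMart 3 table and column names (#__virtuemart_orders with virtuemart_order_id and virtuemart_user_id) are assumptions. It deliberately does not use HTTP_REFERER: the referer is set by the client, is stripped by many mail clients and privacy settings, and can be forged, so it cannot distinguish the real customer from someone who found the link; instead the plugin decides on who the visitor is and whether the order belongs to them.

```php
<?php
/**
 * Added example (not VirtueMart's code): Joomla 3 system plugin that refuses the
 * VirtueMart invoice view (layout=invoice or layout=deliverynote, any format)
 * unless the visitor is logged in as the order's owner or as a store manager.
 *
 * Assumptions: plugin name "vminvoiceguard" installed under
 * plugins/system/vminvoiceguard/, and the VirtueMart 3 schema
 * #__virtuemart_orders(virtuemart_order_id, virtuemart_user_id).
 */
defined('_JEXEC') or die;

class PlgSystemVminvoiceguard extends JPlugin
{
    /** Runs after Joomla has parsed the request and before the component renders. */
    public function onAfterRoute()
    {
        $app = JFactory::getApplication();
        if ($app->isAdmin()) {
            return; // back-end order management is already governed by Joomla ACL
        }

        $input = $app->input;
        if ($input->getCmd('option') !== 'com_virtuemart' || $input->getCmd('view') !== 'invoice') {
            return; // only the invoice view is guarded; the rest of the shop is untouched
        }

        // Whatever happens next, never let a crawler index or a shared cache store this response.
        $app->setHeader('X-Robots-Tag', 'noindex, nofollow, noarchive', true);
        $app->setHeader('Cache-Control', 'private, no-store', true);

        $user = JFactory::getUser();
        if ($user->guest) {
            // Anonymous visitor (a search-engine hit, or the customer before logging in):
            // send them to the login form and bring them back to this URL afterwards.
            $return = base64_encode(JUri::getInstance()->toString());
            $app->enqueueMessage(JText::_('Please log in to view your invoice.'), 'warning');
            $app->redirect(JRoute::_('index.php?option=com_users&view=login&return=' . $return, false));
            return;
        }

        // Store staff may look at any invoice.
        if ($user->authorise('core.manage', 'com_virtuemart')) {
            return;
        }

        $orderId = $input->getInt('virtuemart_order_id', 0);
        if (!$this->userOwnsOrder((int) $user->id, $orderId)) {
            // Logged in, but not the buyer: do not reveal whether the order exists.
            $app->enqueueMessage(JText::_('You are not allowed to view this order.'), 'error');
            $app->redirect(JRoute::_('index.php', false));
        }
    }

    /**
     * True only when the order exists and belongs to the given Joomla user.
     * Guest-checkout orders (virtuemart_user_id = 0) are deliberately refused;
     * they have no account to log in with and need a separate policy.
     */
    private function userOwnsOrder($userId, $orderId)
    {
        if ($userId <= 0 || $orderId <= 0) {
            return false;
        }

        $db    = JFactory::getDbo();
        $query = $db->getQuery(true)
            ->select($db->quoteName('virtuemart_user_id'))
            ->from($db->quoteName('#__virtuemart_orders'))
            ->where($db->quoteName('virtuemart_order_id') . ' = ' . (int) $orderId);
        $db->setQuery($query);

        $ownerId = (int) $db->loadResult();

        return $ownerId > 0 && $ownerId === $userId;
    }
}
```

The plugin also needs the usual vminvoiceguard.xml manifest and must be enabled in the plugin manager; because it hooks onAfterRoute it sits in front of the component, so it survives VirtueMart updates, unlike code patched into index.php or into the invoice view template. It only stops new downloads: URLs that Google has already indexed still have to be removed through the search console, and the order_pass values visible in those URLs should be treated as burned.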

Jörgen

  • Global Moderator
  • Full Member
  • *
  • Posts: 974
    • Kreativ Fotografi
  • VirtueMart Version: 3.0.19.9
Re: Order details and invoice are public and searchable in Google
« Reply #37 on: April 11, 2017, 07:01:15 am »
Thank You Patrick

But right now it would be interesting to know why this is indexed by Google. I got the impression that Max had blocked that possibility. Is this something that only happens when you have Google Analytics installed?

best regards

Jörgen @ Kreativ Fotografi
Joomla 3.6.5
Virtuemart 3.0.19.9
Olympiantheme Hera (customized)

javerleo

  • Beginner
  • *
  • Posts: 9
Re: Order details and invoice are public and searchable in Google
« Reply #38 on: July 23, 2017, 17:52:32 pm »
Hello.

I have complaints from a customer related to this issue. Privacy is compromised because PDF orders and delivery notes can be downloaded by anyone who finds the link in a Google search.

Please give us some guide to modify the code in order to force login when attempting to open the download link.

Thanks in advance for your help.

Regards.

jenkinhill

  • UK Web Developer & Consultant
  • Global Moderator
  • Super Hero
  • *
  • Posts: 26091
  • Always on vacation
    • Jenkin Hill Internet
Re: Order details and invoice are public and searchable in Google
« Reply #39 on: July 23, 2017, 23:03:58 pm »
If you have site security set up properly they cannot be indexed and certainly cannot be downloaded without first logging in as the shopper.
Kelvyn

Jenkin Hill Internet,
Keswick, Lake District

Unsolicited PMs/emails will be ignored.

Please mention your VirtueMart, Joomla and PHP versions when asking a question in this forum

Currently using VM3.2.3.9614 on Joomla 3.7.4 PHP 7.0.22

Testing VM3.2.3.9614 on J!3.7.4

AH

  • Global Moderator
  • Sr. Member
  • *
  • Posts: 2568
  • VirtueMart Version: 3.2.4
Re: Order details and invoice are public and searchable in Google
« Reply #40 on: July 24, 2017, 10:32:07 am »
Quote
If you have site security set up properly they cannot be indexed

It might be useful for others for you to expand on this comment.

With the advent of GDPR in May 2018, this may be considered a notifiable data breach.
regards
A

Joomla 3.7.4
php 5.6 + php 7

javerleo

  • Beginner
  • *
  • Posts: 9
Re: Order details and invoice are public and searchable in Google
« Reply #41 on: July 24, 2017, 15:41:57 pm »
Thanks for your answers.

Can you clarify how that security level could be achieved to avoid direct download and Google indexing? At least general guidance would be useful.

Regards.

jenkinhill

  • UK Web Developer & Consultant
  • Global Moderator
  • Super Hero
  • *
  • Posts: 26091
  • Always on vacation
    • Jenkin Hill Internet
Re: Order details and invoice are public and searchable in Google
« Reply #42 on: July 24, 2017, 18:28:49 pm »
Quote
I have complaints from a customer related to this issue. Privacy is compromised because PDF orders and delivery notes can be downloaded by anyone who finds the link in a Google search.

This is not possible with current VirtueMart versions unless the site ACL is incorrectly configured, or the site has been hacked and ACL compromised. There may be some historic links like that on Google - but I have yet to find any.

My security rules:
1. The use of a dedicated server or cloud VPS is very important. This gives you control which you cannot have with a shared server, so you never have to make do with old, possibly insecure PHP versions etc.

2. Always keep software updated, and act instantly if there is a report of potential security issues with any element of a site. For security-critical updates Joomla now issues a warning with the exact time and date when a patch will be released. At the same time as the patch is released, the security body who found the potential issue is permitted to release that potential hack information into the wild. To me this is stupid, but much better than if the security hole were first published before Joomla could start work on a fix. The security people get online kudos, so may try harder to identify possible security issues in the future. I start updating my Joomla sites as soon as I can after a new version/patch is released, usually within a couple of minutes. "I'll do it tomorrow" is often no good, and too late.

3. For VirtueMart make sure to create the vmfiles/safe path directory below the normal server root. With dedicated/VPS you can do that, but most shared hosts do not permit this.

4. Make use of .htaccess as additional control of access to directories.

5. Use robots.txt to limit googlebot to indexing only those areas you want it to. Use URL blocking as well. Good tips on https://support.google.com/webmasters/answer/6062608?hl=en

6. If possible always run VM websites under SSL - good for SEO as well as customer security.

There are various firewall protocols that may be used in addition, listed on the JED, but I have never felt the need for these. I do make use of plugins to attempt to prevent SQL injections or brute-force admin password attacks; never use the default "admin" user as the site superadmin, as it is so simple to do. I use these extensions; others will have their own preferences:
https://github.com/codeling/bfstop
http://www.mmleoni.net/sql-iniection-lfi-protection-plugin-for-joomla
Kelvyn

Jenkin Hill Internet,
Keswick, Lake District

Unsolicited PMs/emails will be ignored.

Please mention your VirtueMart, Joomla and PHP versions when asking a question in this forum

Currently using VM3.2.3.9614 on Joomla 3.7.4 PHP 7.0.22

Testing VM3.2.3.9614 on J!3.7.4
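Rules 4 and 5 above (.htaccess and robots.txt) are worth spelling out for this particular URL, because the two mechanisms do different things. This is an added example for the thread, not configuration from the post or from VirtueMart; it assumes Apache 2.4 with mod_headers enabled and .htaccess processing allowed for the Joomla site root. A robots.txt line such as `Disallow: /*view=invoice` only asks well-behaved crawlers not to fetch the page. It does not remove a URL that Google already knows from a link, an analytics beacon or a browser toolbar, and it publishes the exact path to anyone reading robots.txt. Worse, Google cannot see a noindex instruction on a page it is forbidden to crawl, so a Disallow line can keep an already-indexed invoice URL in the index. The per-response X-Robots-Tag header below is honoured for any content type, including the PDF, which has no HTML head to carry a meta robots tag.

```apache
# Added example, not from the thread: .htaccess fragment for the Joomla site root.
# Assumes Apache 2.4 with mod_headers; the regex only matches the VirtueMart invoice view.
<IfModule mod_headers.c>
    # Tell crawlers not to index, follow or cache any invoice/delivery-note response.
    # "always" also applies the header to redirects and error responses, so a
    # crawler that gets bounced to the login page still sees the instruction.
    Header always set X-Robots-Tag "noindex, nofollow, noarchive" "expr=%{QUERY_STRING} =~ /view=invoice/"

    # Keep proxies and shared caches from storing a rendered invoice.
    Header always set Cache-Control "private, no-store" "expr=%{QUERY_STRING} =~ /view=invoice/"
</IfModule>
```

Neither header is an access control: the response is still generated and sent. They stop a correctly behaving search engine from listing the URL, and they let Google drop URLs it has already indexed the next time it recrawls them. Keeping the invoice out of the hands of anyone who is not the shopper still has to be done in the application, by requiring a login and checking that the order belongs to the logged-in user.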

javerleo

  • Beginner
  • *
  • Posts: 9
Re: Order details and invoice are public and searchable in Google
« Reply #43 on: July 25, 2017, 16:07:04 pm »
Thanks jenkinhill for your comprehensive answer.

Generally speaking, I'm aware of these general security measures. However, what I need to know is how to solve the ACL issues, since I'm still facing the problem of public direct PDF order download.

Regards.

javerleo

  • Beginner
  • *
  • Posts: 9
Re: Order details and invoice are public and searchable in Google
« Reply #44 on: July 26, 2017, 02:38:17 am »
Hello.

Let me explain my issue with more detail:

Joomla 3.7.4
Virtuemart 3.2.1

There are a lot of Google results that allow ANY internet user to download Virtuemart orders in PDF format. The links look like this:

mystore.com/index.php?option=com_virtuemart&view=invoice&layout=deliverynote&format=pdf&tmpl=component&virtuemart_order_id=715&order_number=XYZ34343&order_pass=p_3r534&d=2

WHAT I HAVE DONE:

Created a redirect rule via PHP code at the beginning of the main index.php (bad idea, since it will be removed with updates. Where should I put the code?). Now all the Google links redirect to the site homepage (checking the HTTP referer).

Now the big question:

How did Google index those orders in the first place?

I checked Virtuemart ACL permissions: Everything is red, except for superadmins

Virtuemart safe path is a folder outside public_html (this is a Cpanel account)

No signs of hacking

I don't know what else to check.

So the question is :

How do I prevent Google from indexing future PDF orders?

Thanks in advance for your suggestions.