Order details and invoice are public and searcheable in Google

Started by acuabit, January 10, 2017, 13:39:47 PM

Previous topic - Next topic

AH

Thank you for the update -

If that is their approach - IMHO The site owners should not be allowed to handle personal data
Regards
A

Joomla 3.10.11
php 8.0

finngu

This is really weird!
I don't get it........ all my ALC settings "looks red" -- that if is I am looking at the rigt place

My problem - and I need it solved is, that on Google you can find this link. And it shows a complete list of all orders in Virtuemart - BACKEND!
No login needed - one just get the list of orders..... straight from the browser

[Mod edited:  Link deleted - no point in inviting hackers in!  Yes the site is wide open with a full front end view or orders, inventory, configuration as well as other areas. ]

How on earth do I fix this? This is wide open?!!?

The virtuemart IS updated to latest version 3.0.18 and Joomla is lastest version 3.6.5

I need help

Thanks
Finn

finngu

Thanks for removing the link. Stupid me

But how do I fix it that access to the orders backend are wide open?
I have no idea how this was set, so the site is wide open

Do I need to reinstall Joomla and Virtuemart completely?
Could the cause to the problem also be in the database? If I need to reinstall, then we have a lot of data in Virtuemart that we would really not like to loose...


Studio 42

Tyr to get files from http://dev.virtuemart.net/projects/virtuemart/files and get 3.0.18.6, 3.0.18.8 or last beta.
Check your Joomla config permission for Virtuemart and check and remove any super user (and admin) that you don't know.

AH

If you have been compromised - it may be that there is more to it than just the ACL settings

SO consider carefully how you recover from this state.  Just changing ACL may not be enough.
Regards
A

Joomla 3.10.11
php 8.0

finngu

So what else than ACL - and where?

Do I have to reinstall everything and start over?


Thanks

WERK70

Quote from: AH on March 06, 2017, 11:56:05 AM
If that is their approach - IMHO The site owners should not be allowed to handle personal data

I agree but I can't force them.

We found an old akeeba backup on their webspace which was not compromied and re-installed it. Then we told them, if they are not willing to backup und update their system (we offer this for moderate fee) then they should never come back and ask for help.

AH

QuoteSo what else than ACL - and where?

Do I have to reinstall everything and start over?

Why not Clear out all the server directories and dbase tables and restore from a backup of files and database?
Regards
A

Joomla 3.10.11
php 8.0

Thomas Kampp

THIS ISSUE IS NOT FIXED!

It is NOT a permission issue! It is a bug in Virtuemart  ;)

PHP: 7.1.3
Joomla: 3.6.5 (newest)
Virtuemart: 3.2.1 (newest)

I am still able to find customer invoice PDF's by searching there email in Google. I have a test example if needed.

Please view these two images as well.
Danish Joomla Services: www.toolmaster.dk
Danish Joomla Services: www.joomla-konsulent.dk
Danish Joomla Hosting: www.joomla-hosting.dk
Danish Smart Home: www.smart-home-konsulent.dk
Danish Subject Blog: www.sutra.dk

aftertaf

probably hacked before update.
when does this date from ?

aftertaf

checked on mine (specs in sig) and no finding in google.-> not an 'always' bug if bug it is...
Virtuemart ACL : add RED everywhere except for superusers.
try to find from when date the hits in your google search... ?

Thomas Kampp

I can confirm that the Virtuemart ACL is correct and that all are RED everywhere except for superusers.

The hacked part is very unlikely due to is having recently been reinstalled and setup. Also the site has a very high security level, extensions, regular checks/scans and such.

This leaves the part of your suggestions regarding dates, BUT in my mind this is not possible. There is NO SITUATION where public should be able to view PDF's without a login. This even goes for URL's with encrypted or hash values and such. So in my mind it is a bug that it is even possible regardless of this or ACL.
Danish Joomla Services: www.toolmaster.dk
Danish Joomla Services: www.joomla-konsulent.dk
Danish Joomla Hosting: www.joomla-hosting.dk
Danish Smart Home: www.smart-home-konsulent.dk
Danish Subject Blog: www.sutra.dk

Jörgen

Hello

I have checked Your invoice and I can see that the order is created 2016-09-12 and that the invoice was created 2017-02-15. When did You update VM ?

Does this also happen when You google newly created orders and invoices ?

regards

Jörgen @ Kreativ Fotografi
Joomla 3.9.18
Virtuemart 3.4.x
Olympiantheme Hera (customized)
This reflects current status when viewing old post.

Thomas Kampp

It is regularly updated. Just before Christmas, February and last time was yesterday.

It does not matter when it was updated in my mind. There is NO scenario where:
1. Invoices should be allowed to be indexed by Google. Ever.
2. These should not be allowed to be viewed by other than the owner (after login). Ever.

Both would be breaking the person data law. Both would mean Virtuemart is not legal in the entire Europe.

So clearly there is a bug with both problems...
Danish Joomla Services: www.toolmaster.dk
Danish Joomla Services: www.joomla-konsulent.dk
Danish Joomla Hosting: www.joomla-hosting.dk
Danish Smart Home: www.smart-home-konsulent.dk
Danish Subject Blog: www.sutra.dk

Jörgen

Hello

I have not written the software, I am only trying to help. And Yes It does matter if when it was updated. You are giving an 7 month old order as an example. If it has been indexed 7 month ago a new version will not stop this, because it seems like the password for the invoice is included in the indexed URL.

I asked if You can Do the same with new orders ? If the problem has been rectified, then there is only an issue for old invoices, not new ones.

Maybe someone else can give You more help

Jörgen @ Kreativ Fotografi
Joomla 3.9.18
Virtuemart 3.4.x
Olympiantheme Hera (customized)
This reflects current status when viewing old post.