Order details and invoice are public and searchable in Google

Started by acuabit, January 10, 2017, 13:39:47 PM


Thomas Kampp

Thanks :-)

A quick test reveals that there are at least some up to 16 February 2017. I have not looked further than this.
The problem with newer examples is that it takes time for Google to show new pages, so we can perhaps never show a truly fresh example.

What I am looking for right now is simply a way to make the PDF impossible to download unless logged in. But I can't find the relevant code in order to do this.
Danish Joomla Services: www.toolmaster.dk
Danish Joomla Services: www.joomla-konsulent.dk
Danish Joomla Hosting: www.joomla-hosting.dk
Danish Smart Home: www.smart-home-konsulent.dk
Danish Subject Blog: www.sutra.dk

Jörgen

Hello

Check the URL for reading the PDF. The VirtueMart view is shown there.

regards

Jörgen @ Kreativ Fotografi
Joomla 3.9.18
Virtuemart 3.4.x
Olympiantheme Hera (customized)
This reflects current status when viewing old post.

Thomas Kampp

Sadly no....

?option=com_virtuemart&view=invoice&layout=invoice&format=pdf&tmpl=component&virtuemart_order_id=**********

The view is invoice. So far so good, but there is no specific area for format=pdf, so the changes also destroy the normal invoice format.

Jörgen

Hello

You can check for pdf like this:

    // Read the requested output format from the request (empty if none given)
    $invoiceformat = vRequest::getCmd('format', '');
    if ($invoiceformat == 'pdf') {
        // Your code here: this branch only runs for the PDF output
    }

I think you get what I mean :)


Studio 42

You can check the referer using PHP $_SERVER['HTTP_REFERER'] to eliminate outside calls and redirect to your index if they come from a Google search or another bot.


Jörgen

Hello Patrick

But as I understand it, this is a legitimate call, so then the customer would not see the invoice either. How can we stop this call from becoming public? Only the customer should get this, right? I thought this was fixed, right? So we only have to take care of old invoice download requests, or am I wrong?

regards


Studio 42

Jörgen, I think it's possible to filter requests coming from Google using HTTP_REFERER, since users coming from an email do not have the same HTTP_REFERER.
I only gave this as a suggestion; of course, if you don't filter correctly you block user access.
Another possible filter is to check if the order has a Joomla user account associated and force user login.
I think using the two systems together should stop most possible access, and Google.
You could use another system based on an existing value, such as the customer name, so an outsider cannot access the order if they don't know the customer name.
This can be done using a system plugin, for example.

Jörgen

Thank You Patrick

But right now it would be interesting to know why this is indexed by Google. I got the impression that Max had blocked that possibility. Is this something that only happens when you have Google Analytics installed?

best regards


javerleo

Hello.

I have complaints from a customer related to this issue. Privacy is compromised because PDF orders and delivery notes can be downloaded by anyone who finds the link in a Google search.

Please give us some guide to modify the code in order to force login when attempting to open the download link.

Thanks in advance for your help.

Regards.

jenkinhill

If you have site security set up properly they cannot be indexed, and certainly cannot be downloaded without first logging in as the shopper.
Kelvyn
Lowestoft, Suffolk, UK

Retired from forum life November 2023

Please mention your VirtueMart, Joomla and PHP versions when asking a question in this forum

AH

Quote: "If you have site security set up properly they cannot be indexed"

It might be useful for others for you to expand on this comment.

With the advent of GDPR in May 2018, this may be considered a notifiable data breach.
Regards
A

Joomla 3.10.11
php 8.0

javerleo

Thanks for your answers.

Can you clarify how that security level could be achieved to avoid direct download and Google indexing. At least general guidance would be useful.

Regards.

jenkinhill

Quote from: javerleo on July 23, 2017, 17:52:32 PM
I have complains from a customer related to this issue. Privacy is compromised because PDF orders and delivery notes can be downloaded by anyone who finds the link on a Google search.

This is not possible with current VirtueMart versions unless the site ACL is incorrectly configured, or the site has been hacked and ACL compromised. There may be some historic links like that on Google - but I have yet to find any.

My security rules:
1. The use of a dedicated server or cloud VPS is very important. This gives you control which you cannot have with a shared server, so you never have to make do with old, possibly insecure PHP versions etc.

2. Always keep software updated, and act instantly if there is a report of potential security issues with any element of a site. For security-critical updates Joomla now issues a warning with the exact time and date when a patch will be released. At the same time as the patch is released, the security body who found the potential issue is permitted to release that potential hack information into the wild. To me this is stupid, but much better than the security hole being published first, before Joomla can start work on a fix. The security people get online kudos, so may try harder to identify possible security issues in the future. I start updating my Joomla sites as soon as I can after a new version/patch is released, usually within a couple of minutes. "I'll do it tomorrow" is often no good, and too late.

3. For VirtueMart make sure to create the vmfiles/safe path directory below normal server root. With dedicated/vps you can do that, but most shared hosts do not permit this.

4. Make use of .htaccess as additional control of access to directories.

5. Use robots.txt to limit googlebot to indexing only those areas you want it to. Use URL blocking as well. Good tips on https://support.google.com/webmasters/answer/6062608?hl=en

6. If possible always run VM websites under SSL - good for SEO as well as customer security.

There are various firewall protocols that may be used in addition, listed on the JED, but I have never felt the need for these. I do make use of plugins to attempt to prevent SQL injections or brute-force admin password attacks; never use the default "admin" user as the site superadmin, it is so simple to do. I use these extensions; others will have their own preferences:
https://github.com/codeling/bfstop
http://www.mmleoni.net/sql-iniection-lfi-protection-plugin-for-joomla
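The rules above (points 4 and 5: .htaccess access control and keeping googlebot away from the invoice URLs) are stated only in general terms. The following is an added example, not code from the forum thread or from VirtueMart, of one way to express them for Apache 2.4 with mod_headers. It assumes the non-SEF URL form that appears in this thread (`index.php?option=com_virtuemart&view=invoice&...`); with Joomla SEF routing enabled the query-string match would need to be replaced by a path match.

```apache
# Added example (not from the thread): Apache 2.4 .htaccess fragment that
# marks every VirtueMart invoice / delivery-note response as non-indexable
# and non-cacheable, so that a leaked link cannot end up in a search index.
# Assumes mod_headers is loaded and the URL is in the non-SEF form
# ?option=com_virtuemart&view=invoice&...  (assumption: query-string routing).
<IfModule mod_headers.c>
  <If "%{QUERY_STRING} =~ /(^|&)option=com_virtuemart(&|$)/ && %{QUERY_STRING} =~ /(^|&)view=invoice(&|$)/">
    # Tell crawlers not to index, follow, or keep a cached copy of this page.
    Header always set X-Robots-Tag "noindex, nofollow, noarchive"
    # Keep shared caches and proxies from storing the document.
    Header always set Cache-Control "private, no-store"
  </If>
</IfModule>
```

Two caveats a practitioner would want. First, a `Disallow:` line in robots.txt stops crawling but not indexing: a URL Google already knows about can stay in the index as a bare link, and a disallowed URL can never have its `noindex` header read, so for de-indexing, either allow the crawl and rely on `X-Robots-Tag`, or use the URL removal tool in Search Console. Second, none of this is access control: the header only affects well-behaved crawlers, and anyone holding the link can still fetch the PDF, which is why the login check discussed elsewhere in this thread is the actual fix.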

javerleo

Thanks jenkinhill for your comprehensive answer.

Generally speaking, I'm aware of these general security measures. However, what I need to know is how to solve the ACL issues, since I'm still facing the problem of public direct PDF order download.

Regards.

javerleo

Hello.

Let me explain my issue with more detail:

Joomla 3.7.4
Virtuemart 3.2.1

There are a lot of Google results that allow ANY internet user to download Virtuemart orders in PDF format. The links look like this:

mystore.com/index.php?option=com_virtuemart&view=invoice&layout=deliverynote&format=pdf&tmpl=component&virtuemart_order_id=715&order_number=XYZ34343&order_pass=p_3r534&d=2

WHAT I HAVE DONE:

Created a redirect rule via PHP code at the beginning of the main index.php (bad idea, since it will be removed with updates. Where should I put the code?). Now all the Google links redirect to the site homepage (checking the HTTP referrer).

Now the big question:

How did Google index those orders in the first place?

I checked Virtuemart ACL permissions: Everything is red, except for superadmins

Virtuemart safe path is a folder outside public_html (this is a Cpanel account)

No signs of hacking

I don't know what else to check.

So the question is :

How to stop Google from indexing future PDF orders?

Thanks in advance for your suggestions.
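Studio 42 suggested earlier in this thread forcing a login whenever the order is tied to a Joomla user account, and doing it from a system plugin; javerleo asks above where such code should live instead of the core index.php. The block below is an added example of that approach written by the editor; it is not code from the thread, from VirtueMart, or from Joomla. It assumes a Joomla 3.7+ site (for `isClient()`) and the VirtueMart 3 helpers `VmConfig::loadConfig()`, `VmModel::getModel('orders')` and `getOrder()`, with the order owner in `$order['details']['BT']->virtuemart_user_id`; those helper names and paths are assumptions to verify against the installed VirtueMart version. Unlike the `format == 'pdf'` snippet earlier in the thread it guards every format of the invoice view, since the HTML layout shows the same data as the PDF.

```php
<?php
// Added example, not from the forum thread or from VirtueMart.
// File: plugins/system/vminvoiceguard/vminvoiceguard.php
// Needs the usual plugin manifest (vminvoiceguard.xml) and must be enabled.
defined('_JEXEC') or die;

/**
 * System plugin that runs before the VirtueMart invoice view is rendered.
 * Orders that belong to a registered Joomla user are only served to that
 * user (or a site admin); anonymous requests are sent to the login form.
 * Guest-checkout orders (virtuemart_user_id = 0) are left to VirtueMart's
 * own order_number / order_pass check, so the emailed links keep working.
 */
class PlgSystemVminvoiceguard extends JPlugin
{
    public function onAfterRoute()
    {
        $app = JFactory::getApplication();

        // Backend users reach invoices through their own ACL; do nothing there.
        if ($app->isClient('administrator')) {
            return;
        }

        $input = $app->input;
        if ($input->getCmd('option') !== 'com_virtuemart'
            || $input->getCmd('view') !== 'invoice') {
            return; // not an invoice / delivery-note request
        }

        // Every invoice URL in this thread carries virtuemart_order_id.
        $orderId = $input->getInt('virtuemart_order_id', 0);
        if ($orderId <= 0) {
            throw new Exception(JText::_('JERROR_ALERTNOAUTHOR'), 403);
        }

        // Assumption: VirtueMart 3 helper locations and API names.
        if (!class_exists('VmConfig')) {
            require JPATH_ADMINISTRATOR . '/components/com_virtuemart/helpers/config.php';
        }
        VmConfig::loadConfig();
        if (!class_exists('VmModel')) {
            require JPATH_ADMINISTRATOR . '/components/com_virtuemart/helpers/vmmodel.php';
        }

        $order = VmModel::getModel('orders')->getOrder($orderId);
        if (empty($order) || empty($order['details']['BT'])) {
            throw new Exception(JText::_('JERROR_PAGE_NOT_FOUND'), 404);
        }

        $ownerId = (int) $order['details']['BT']->virtuemart_user_id;
        if ($ownerId === 0) {
            // Guest order: fall through to VirtueMart's order_pass check.
            return;
        }

        $user = JFactory::getUser();
        if ($user->guest) {
            // Not logged in: send to the login form and come back afterwards.
            $return = base64_encode(JUri::getInstance()->toString());
            $app->redirect(JRoute::_('index.php?option=com_users&view=login&return=' . $return, false));
            return;
        }

        // Logged in, but the order belongs to someone else and the user is no admin.
        if ((int) $user->id !== $ownerId && !$user->authorise('core.admin')) {
            throw new Exception(JText::_('JERROR_ALERTNOAUTHOR'), 403);
        }
    }
}
```

The check runs in `onAfterRoute`, after Joomla has parsed the request into `option`/`view` but before the component renders anything, so it also covers the `format=pdf` and `tmpl=component` variants and survives Joomla updates, which the edit to index.php does not. It deliberately does not look at `HTTP_REFERER`: that header is set by the client, is absent for links opened from many mail programs, and can be forged, so it neither reliably admits customers nor keeps out an attacker who already holds the link.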