Security/robustness suggestion for VM

Started by innato, June 25, 2018, 18:04:34 PM

innato

Hi, I am using VM 3.2.6 with Joomla 3.8.8 and PHP 7.
I have also tested the latest VM version, 3.2.14, on a virgin install.

I run a webshop with VM on Joomla! 3.8 and, just out of curiosity, I recently decided to log all accesses to the website/webshop for a few days, including all GET and POST requests. What I found was interesting. Amongst other things, there were direct accesses to the URL https://www.mydomain.tld/index.php?option=com_virtuemart&view=user&layout=edit&Itemid=284
As part of this access, there was POST data coming from the VM registration form that had been filled in, without a prior purchase, with the cart empty and without even having looked at a product.
In a subsequent call, the above visitor tried to log in (I noticed because he/she POSTed the same credentials in a log-in form).
I tried the procedure myself and managed to register an account in this way, and I could log into the website.

My point: why is any anonymous visitor able to open a VM page with 'layout=edit' in the URL? There is nothing to edit if he hasn't got an account.
Later I found out that the URL http://www.mydomain.tld/index.php?option=com_virtuemart&view=user is already enough to get to the same page.
It may not be a security flaw, but I feel uncomfortable with the idea that web bots can so easily register fake accounts through VM.

So I modified the file /com_virtuemart/views/user/tmpl/edit.php by commenting out two lines:

- line 36 was changed into: // echo '<h2>'.vmText::_('COM_VIRTUEMART_YOUR_ACCOUNT_REG').'</h2>';

- line 77, after '} else {' was changed into: //    echo $this->loadTemplate ( 'shopper' );

These two changes remove the label 'Registration' and the registration form from said page. The log-in part is still there, so the visitor can still log in.

Registered users can still log in through Joomla! or by using the VM log-in after they put something in their cart. The registration form shown on VM checkout is a different one and is still displayed.
Important detail: I have hidden the Joomla! log-in module. In fact I would rather totally disable the Joomla! new user registration, but it is needed for VM to allow customer registrations.

Since this change, I got rid of all the fake registrations in my log...
Maybe it is worthwhile for you to look into this and make VM more robust.

Regards
Rob

VM3.2.6 (enhanced) on J3.8.8 and PHP 7.1 or 7.2

jjk

#1
What I think about that:
You can unpublish the Joomla Login form module. A shopper doesn't need it. If somebody buys a product, he/she is registered automatically. The VM login in the cart view is sufficient (for existing customers) and that one does not display a 'registration' link which might be used by spambots.

For your customers it is a good practice to offer what I call a 'Customer Menu'. It holds links to 'View Cart', 'View Your Order History' and 'Your Customer Account'.

Sometimes I have 'real' customers who do use the 'Your Customer Account' menu link to register a few days before they actually buy something, and of course some of those change their mind afterwards and don't buy anything later.

The Joomla extension 'Spambotcheck from vi-solutions' does a pretty good job to keep off spam registrations.
Non-English Shops: Are your language files up to date?
http://virtuemart.net/community/translations

AH

#2
Blocking spam registrations where possible is a general requirement.

The captcha element of this page is intended to do just that.

However if you do not use captcha then direct access to this item may result in unwanted registrations.

If you wanted to offer menu items to facilitate registered user access to maintain their details, then you could add a simple check before displaying the shopper form so that it is only displayed to logged-in VM users.
Regards
A

Joomla 3.10.11
php 8.0
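The check AH suggests, applied to the same spot innato patched (the `echo $this->loadTemplate('shopper');` call in views/user/tmpl/edit.php), as an added example that is not VirtueMart's own code. It is written as a Joomla template override so a VM update does not silently restore the unconditional form; the override path and the `$allowGuestRegistration` policy flag are assumptions. The decision helper is plain PHP and can be run from the CLI with the constructed inputs at the bottom; only the last block touches Joomla/VirtueMart objects (`JFactory::getUser()`, `$this->loadTemplate()`), which exist in Joomla 3.x and VM3 respectively. Because the guard keys on the session user rather than on the `layout` parameter, it also covers the bare `view=user` URL innato mentions.

```php
<?php
// Added example, not VirtueMart code. Assumed override location:
//   templates/<your_template>/html/com_virtuemart/user/edit.php
// Copy VM's views/user/tmpl/edit.php there and replace the unconditional
//   echo $this->loadTemplate('shopper');
// with the guarded block at the end of this file.

/**
 * Decide whether the 'shopper' sub-template (the registration / account
 * form) may be rendered for the current request.
 *
 * @param bool $isGuest                 true when no Joomla user is logged in
 * @param int  $userId                  Joomla user id, 0 for guests
 * @param bool $allowGuestRegistration  hypothetical shop policy: let anonymous
 *                                      visitors register via view=user at all
 * @return bool
 */
function vm_user_edit_show_shopper_form($isGuest, $userId, $allowGuestRegistration = false)
{
    // A logged-in account may always edit its own details.
    if (!$isGuest && (int) $userId > 0) {
        return true;
    }
    // Anonymous visitors only see the form if the shop explicitly opts in.
    // Registration during checkout uses a different form and is unaffected.
    return (bool) $allowGuestRegistration;
}

if (PHP_SAPI === 'cli') {
    // Stand-alone check with constructed inputs (no Joomla needed).
    // Bot hitting view=user or view=user&layout=edit with an empty cart:
    assert(vm_user_edit_show_shopper_form(true, 0) === false);
    // Existing customer who logged in and wants to edit their address:
    assert(vm_user_edit_show_shopper_form(false, 42) === true);
    // Shop that deliberately allows standalone registration:
    assert(vm_user_edit_show_shopper_form(true, 0, true) === true);
    // Inconsistent session (not guest but id 0) is treated as anonymous:
    assert(vm_user_edit_show_shopper_form(false, 0) === false);
    echo "guard checks passed\n";
    exit(0);
}

// ---- Template part: this replaces the else-branch innato commented out ----
defined('_JEXEC') or die;

$user = JFactory::getUser();            // Joomla 3.x: ->guest is 1 for anonymous sessions
$showForm = vm_user_edit_show_shopper_form((bool) $user->guest, (int) $user->id);

if ($showForm) {
    // Heading and form exactly as VM renders them for a logged-in shopper.
    echo '<h2>' . vmText::_('COM_VIRTUEMART_YOUR_ACCOUNT_REG') . '</h2>';
    echo $this->loadTemplate('shopper');
}
// else: nothing is echoed here; the login part of edit.php above this
// block still renders, so a real customer can still log in.
```

Run it once with `php edit.php` from a shell to exercise the helper before installing the override; in the Joomla request path the CLI block is skipped and the guard decides whether the form is echoed. Keeping the captcha enabled (AH's point) still matters for the opt-in case, since the guard does nothing to distinguish a human from a bot once the form is shown.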