Hi, sorry for my English.
I have a problem with viewing the details of an order (the link from an email client). We have, for example, something like this:
domain.pl/index.php?option=com_virtuemart&view=orders&layout=details&order_number=013408&order_pass=xxxxx
These are the details of the customer, available to virtually any user or bot.
If someone has installed tracking code such as Google's, or some other code, that might be a problem.
I would at least put the noindex, nofollow, noarchive tags there, or somehow better protect the personal data.
I thought about "$document->setMetaData('robots', 'noindex, follow, noarchive');" but this doesn't work.
Do you think that Google could try to hack the orders?
People have a variety of browsers, plug-ins and toolbars.
GWT (Google Webmaster Tools) or GA (Google Analytics) also collect information if you run tracking code. Just like other similar applications.
I would prefer that these pages were not included in the Google index or something.
I think the robots.txt file works on different principles.
You can exclude an entire folder or a single file.
There are a lot of orders and it does not make sense to create an entry in the robots.txt file for every one.
The robots.txt file is taken into account by respected search engines such as Google.
The noindex and nofollow attributes are also taken into account.
It happens that bots follow the excluded locations, but respect the indexing entry.
If it seems to you that indexing of the contracts is impossible,
example query for Google:
allinurl: layout details order_number (http://www.google.pl/#sclient=psy-ab&q=allinurl:+layout+details+order_number&oq=allinurl:+layout+details+order_number&gs_l=hp.3...6383.6731.3.7297.3.3.0.0.0.1.161.397.0j3.3.0...0.0...1c..17.psy-ab.M7JNzQtN4AY&pbx=1&bav=on.2,or.r_qf.&bvm=bv.47883778,d.Yms&fp=855329201f0b86bf&biw=1366&bih=628)
Hello
This looks like a disaster in the making. Here are orders from several VirtueMart websites, fully visible out in the open.
How can we stop this from being googled? To me this looks like a serious security issue, or at least a serious privacy issue.
Thank you RedJohn for bringing attention to this.
Jörgen @ Kreativ Fotografi
Quote from: RedJohn on June 19, 2013, 09:07:34 AM
robots.txt file is taken into account by the respected search engine such as Google.
And? I told you that robots.txt is useless in your case.
Want to block Google on the orders web page? Use one of the SEO extensions from joomla.org.
I can't see that choosing and using one of those extensions is a disaster anyhow.
I think it is so serious that it should be implemented in the source VM.
Can you recommend a plugin?
Maxim :-
No one should have to implement a third-party SEO plugin, that does not make sense. (Read the hundreds of posts regarding how well VM is designed to do a good job for SEO.) The VM team should address this as a matter of urgency to prevent such disclosure!
- How/why is it happening
- What can be done now to prevent it happening/access
- Long term solution
Disclosing personal information to third parties is illegal in most countries, without even considering the reputational and risk issues for any large trader.
Quote: Do you think that Google could try to hack the orders?
No Milbo, but I know there will be many dubious people who will exploit it instead! Nice for third-party fraudsters to get hold of:
Full email
Full Address
Phone number
And be certain that this problem will be on the bulletin boards in no time!
Quote from: Jörgen on June 19, 2013, 09:42:33 AM
This looks like a disaster in the making. Here are orders from several VirtueMart websites, fully visible out in the open.
Hmm? No, the orders are protected by a login name (the order number) and a password (the order password). If you think that Google tries to hack your account, then you can say "It is a disaster, the backend of Joomla is fully visible". No, it is not.
In case you use VM 2.0.4 or lower, yes, there is a bug so that you can reveal the order info, but not later.
We can discuss adding a blocking feature, which blocks every IP for an hour which tried it 5 times. We can make the password longer, but people will hate it.
We can add a tracking feature, which keeps track of all strange actions: when someone tries to log in to the backend with a wrong name/password, when someone tries to log in to Joomla, and when someone tries to see the orders.
If you consider passwords insecure, then I can only tell you that nothing is secure.
Milbo
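Milbo's proposed 5-tries-then-block-for-an-hour rule, implemented as an added example (not from the forum or VirtueMart) that replays web-server access-log lines; the log lines are constructed, the URLs follow the thread's own pattern, and the IP addresses and order_pass values are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines (made up for this example, not from the forum):
# 203.0.113.7 hammers the order view with changing order_pass values, 198.51.100.4 is one customer opening the link from their email.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Jun/2013:09:00:01 +0000] "GET /index.php?option=com_virtuemart&view=orders&layout=details&order_number=013408&order_pass=aaaaa HTTP/1.1" 200 512
203.0.113.7 - - [19/Jun/2013:09:00:02 +0000] "GET /index.php?option=com_virtuemart&view=orders&layout=details&order_number=013408&order_pass=aaaab HTTP/1.1" 200 512
203.0.113.7 - - [19/Jun/2013:09:00:02 +0000] "GET /index.php?option=com_virtuemart&view=orders&layout=details&order_number=013408&order_pass=aaaac HTTP/1.1" 200 512
203.0.113.7 - - [19/Jun/2013:09:00:03 +0000] "GET /index.php?option=com_virtuemart&view=orders&layout=details&order_number=013408&order_pass=aaaad HTTP/1.1" 200 512
203.0.113.7 - - [19/Jun/2013:09:00:04 +0000] "GET /index.php?option=com_virtuemart&view=orders&layout=details&order_number=013408&order_pass=aaaae HTTP/1.1" 200 512
203.0.113.7 - - [19/Jun/2013:09:00:05 +0000] "GET /index.php?option=com_virtuemart&view=orders&layout=details&order_number=013408&order_pass=aaaaf HTTP/1.1" 200 512
198.51.100.4 - - [19/Jun/2013:09:04:10 +0000] "GET /index.php?option=com_virtuemart&view=orders&layout=details&order_number=013409&order_pass=q7Kd2 HTTP/1.1" 200 4096
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) HTTP/[\d.]+"')
ORDER_VIEW = ("option=com_virtuemart", "view=orders", "layout=details", "order_pass=")
THRESHOLD = 5                   # attempts per IP ...
WINDOW = timedelta(hours=1)     # ... within this window ...
BLOCK_FOR = timedelta(hours=1)  # ... trigger a block of this length

def parse(line):
    """Return (ip, timestamp, request path), or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, path = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path

def is_order_view(path):
    """True for a request to the order details view that carries an order_pass."""
    return all(part in path for part in ORDER_VIEW)

def find_blocks(log_text):
    """Replay the log in order; return {ip: block_until} for every IP that made
    THRESHOLD order-view requests inside WINDOW. Requests during a block are ignored."""
    attempts = defaultdict(list)
    blocks = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or not is_order_view(rec[2]):
            continue
        ip, when, _ = rec
        if ip in blocks and when < blocks[ip]:
            continue
        recent = [t for t in attempts[ip] if when - t <= WINDOW] + [when]
        attempts[ip] = recent
        if len(recent) >= THRESHOLD:
            blocks[ip] = when + BLOCK_FOR
    return blocks
```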
So is it the case that this cannot happen in VM 2.0.21e
and that these cases are due to an older release of VM 2?
How does Google crawl such URLs??
It is the same as /administrator, ....
What RedJohn means is just that you can reach the orders with domain.pl/index.php?option=com_virtuemart&view=orders&layout=details&order_number=013408&order_pass=xxxxx,
but the order_number and the order_pass must fit each other. So what he fears is that Google sees domain.pl/index.php?option=com_virtuemart&view=orders&layout=details and then tries any order_number and password.
So in general he fears that the combination of order_number and order_pass is not safe enough. But the usual order_number has at least two random chars in it and the password 5. So we have 7 chars; these are ~62 to the power of 7 possibilities, or 3 521 614 606 208. Let's assume every request takes 300 ms. So for an attack with a 50% chance you need 0.3 s * 1 760 807 303 104 = 528 242 190 931.2 seconds, or 146 733 941.92 hours, or 16750 years.
There may be an error in my calculation, but if you have 800 years or 16750, I think there is no difference. We consider things safe when an attack with a 50% chance needs longer than 20 years. We can increase the length of the order_pass, then we have 218 340 105 584 896 possibilities and it would still not be hacked if someone had started at the last ice age ;-). Consider that attacks on a server are not done like with your zip. You can attack an encrypted file maybe 5k times per second. Not 4 times like a PHP interface.
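Milbo's estimate above, carried through as an added example (not from the forum or VirtueMart) so that the other inputs mentioned in the thread can be swapped in: the longer order_pass, the 5-tries-per-hour IP block, and the 5k-guesses-per-second offline rate he contrasts it with. The 62-symbol alphanumeric charset and a 365-day year are assumptions.

```python
# Added example, not from the forum: Milbo's brute-force estimate as a
# function, so each input from the thread can be varied on its own.
SECONDS_PER_YEAR = 365 * 24 * 3600  # assumption: 365-day year

def keyspace(charset_size, length):
    """Number of distinct secrets of `length` symbols drawn from `charset_size` symbols."""
    return charset_size ** length

def seconds_for_50_percent(charset_size, length, seconds_per_guess):
    """Time until a brute-force search has a 50% chance of success:
    half the keyspace, one guess each, at the given cost per guess."""
    return keyspace(charset_size, length) / 2 * seconds_per_guess

def years_for_50_percent(charset_size, length, seconds_per_guess):
    return seconds_for_50_percent(charset_size, length, seconds_per_guess) / SECONDS_PER_YEAR

def meets_20_year_bar(charset_size, length, seconds_per_guess):
    """Milbo's rule of thumb: safe if a 50%-chance attack needs longer than 20 years."""
    return years_for_50_percent(charset_size, length, seconds_per_guess) > 20

# Scenarios from the thread. Charset 62 (assumed alphanumeric); 2 random chars
# in the order_number plus 5 in the order_pass = 7 chars in total.
SCENARIOS = {
    # name: (charset size, secret length, seconds per guess)
    "online, 300 ms per request":          (62, 7, 0.3),
    "online, order_pass one char longer":  (62, 8, 0.3),
    "online, IP blocked after 5 per hour": (62, 7, 3600 / 5),
    "offline file attack, 5k guesses/s":   (62, 7, 1 / 5000),
}

def report():
    """Map each scenario to (years rounded, meets the 20-year bar)."""
    return {name: (round(years_for_50_percent(*args)), meets_20_year_bar(*args))
            for name, args in SCENARIOS.items()}

if __name__ == "__main__":
    for name, (years, ok) in report().items():
        print(f"{name:38s} ~{years:,} years  {'OK' if ok else 'BELOW 20-year bar'}")
```

The last row is the point behind "not like with your zip": the same 7-character secret that takes ~16750 years through a 300 ms web request falls under the 20-year bar if it can ever be attacked offline at 5k guesses per second.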
It's not about breaking the code and its strength.
It's about google index content.
It would help a lot to add
"<meta name="robots" content="noindex, noarchive" />"
Why do these pages appear in Google?
In my opinion:
1. Because indexing and caching are permitted.
2. Perhaps the extra plugins in VirtueMart, browser plug-ins, tracking code, statistics.
Tracking code runs on virtually every page (e.g. statistics).
Tracking code and other extras get onto the site and send it to the index.
When I enter my name and surname, I do not want e.g. Google to know what I bought, where and when.
Again, sorry for my English.
I hope you understand me;)
How should Google find it? How do you access the order data without knowing the password?
Are you saying that, because you have Google Analytics running,
Google will index/crawl the URL when a customer visits the page,
just because it has been reported to Analytics?
Google somehow went to these addresses.
Probably the GA tracking code.
Or someone inadvertently turned on, somewhere on a public website, a bot placing a link to the data that is sent with the GET method.
That's enough for the page to end up in the index.
In the earlier example, I do not know the password; Google showed it to me.
click (http://www.google.pl/#sclient=psy-ab&q=allinurl:+layout+details+order_number&oq=allinurl:+layout+details+order_number&gs_l=hp.3...6383.6731.3.7297.3.3.0.0.0.1.161.397.0j3.3.0...0.0...1c..17.psy-ab.M7JNzQtN4AY&pbx=1&fp=1&biw=1366&bih=628&bav=on.2,or.r_qf.&cad=b)
To protect yourself a little against indexing, it is enough, in the file:
\components\com_virtuemart\views\orders\view.html.php
to add at about line 46, just below the line:
$document = JFactory::getDocument();
this line:
$document->setMetaData('robots', 'noindex, noarchive, nofollow');
and upload the file to the server.
Now, if by chance a bot goes to such a page, it should not appear in the index.
To avoid problems, we can also take a look at our plugins.
It seems to me that hotlinking (e.g. from a template or modules) can expose the password, which can be read on the hotlink server in the HTTP_REFERER variable.
You can also disable statistics (e.g. Google) for these pages by wrapping the tracking code in this condition:
if (empty($_GET['order_pass'])) {
    // the tracking code (e.g. the analytics snippet) goes here
}
Ah, now I get it. Google is tracking people and archiving every link they visit? Could it be?
Okay, we have now added to the orders and users views:
$document = JFactory::getDocument();
$document->setMetaData('robots','NOINDEX, NOFOLLOW, NOARCHIVE, NOSNIPPET');
I think the problem comes when Google is following people visiting their own user account. Then an order list is generated and the access is done via the anonymous links. We need to change it here, so that it shows the order links for registered people.
Also in the BE we have these links, because if you want to print in the BE, you don't want to have to be logged in in the FE.
Thank you RedJohn. I also noticed that there are only 300 hits with Google and, for example, our own store is not listed, so there must be something that people installed, or so.
Quote from: Milbo on June 19, 2013, 18:07:41 PM
Ah, now I get it. Google is tracking people and archiving every link they visit? Could it be?
Yes, I think it is very possible :)
I have examined these sites, which were by chance in Google, and did not find links leading directly to them. So, theoretically, they should not be indexed (SEO operates on this principle).
So why does Google know about them? ;) ;)
The reasons can be many, even tracking code.
Or just a plain plugin in Firefox to check the page rank of the page you are on. And Google just has a new link to INDEX.
It can be the Alexa plugin (Alexa page rank), or many other plugins, even Joomla modules.
you may test the new version http://forum.virtuemart.net/index.php?topic=115877.msg390380#msg390380
Quote from: Milbo on June 19, 2013, 20:45:09 PM
you may test the new version http://forum.virtuemart.net/index.php?topic=115877.msg390380#msg390380
Currently I have the 2.0.18 stable version, much modified for me.
An update will surely overwrite my changes. Therefore I do only important updates, because then I have to adjust a lot again for myself. Is it a fairly stable version?
Quote from: Milbo on June 19, 2013, 14:58:12 PM
How should Google find it? How do you access the order data without knowing the password?
Milbo,
I believe this "security bug" still exists in later versions of VM. I'm using Joomla 2.5.17 and VirtueMart 2.0.26a. Any user who has another user's link for "View My Orders" does not need to enter a username / password (or order ID or secret password) to view the respective user info.
In my situation, a user makes a purchase and then forwards the invoice email to their IT staff to download and install the purchased software (they bought on our VirtueMart site). When this 3rd party has the email and clicks "View Orders Online" they are not even presented with a login request; they can see all the order details, as well as have the ability to download the virtual product WITHOUT LOGGING IN. This being the case, I'm certain that bots (let's leave Google out of this example) will eventually crawl these unrestricted user order details, which presents a confidentiality issue as well as a security issue.
Can somebody please advise??? I have a client whose site went live today and it's frightening to think anyone with the URL can blindly access other user details. Granted, most people (users) will not forward their invoice emails to another 3rd party, but the fact this security hole exists is enough to make me scrap weeks of work and not use VirtueMart until it is fixed.
PLEASE HELP!
Xristo, there is a misunderstanding.
The link in the email keeps the "login" data for "not registered" users. So it does NOT reveal the user password. It just gives direct access (protected by the order password) to the order.
If someone is sending his email to a 3rd party, so that they should be able to access the order (to download), then of course they also have access to the rest.
Quote from: Milbo on January 14, 2014, 19:10:20 PM
Xristo, there is a misunderstanding.
The link in the email keeps the "login" data for "not registered" users. So it does NOT reveal the user password. It just gives direct access (protected by the order password) to the order.
If someone is sending his email to a 3rd party, so that they should be able to access the order (to download), then of course they also have access to the rest.
That makes sense, but my concern or problem is that it does not ask for the order password, it just provides direct access. But thank you for clarifying the functionality, as I somewhat understand the reasoning behind the coding.
Is it safe to assume that the VM team has taken action to prevent indexing of these URLs with the order number and order password hard-coded?
On a side note, since you mostly read and respond to users complaints or misunderstanding...
THANK YOU for providing a great product that VirtueMart is and thank you for taking your time to respond to these forums. Keep up the wonderful work!
Yes. This post had as its topic the problem that somehow these links, including the password, got listed, even though the link is only provided in the email. To underline: only with the order password. We added a nofollow and similar, and the problem seems solved. But Google will still know, similar to the NSA. You can remove this link in the email, but if the email is not safe, it is hard to shop securely.
But most people do not really care if a policeman sees that they buy some clothes in a store. Just create an order view and try to access the order view without being logged in. Then you see a login by order number and password. Both are quite unguessable, usually.
And thanks for the thumbs up. Please review us then: http://extensions.joomla.org/extensions/e-commerce/shopping-cart/129