login.php - SSL handling

[mb000000]

VM 2.0.14

I can't help but feel I've missing something and am about to make a big fool of myself, but then again, so what, no harming in asking or checking (no, I didn't find any relevant forum posts), eh?

As I am attempting to gain PCI compliance for a site, it is being externally tested against "known" vulnerabilities.  This is a fraught game, I can tell you, but if you'd been through it yourself, you already know this.  One of the many things about my environment that has come to light is the handling of the VM login "process", namely the form that components/com_virtuemart/views/user/tmpl/login.php displays for logging in.  In VM 2.0.14, I'm talking about the HTML on line 112:

Code Select Expand

<form action="<?php echo JRoute::_('index.php'); ?>" method="post" name="com-login" >The "problem" - as I see it - is that the action takes no account of the useSSL setting configured in the back end under Configuration / Shop / Shop Settings / Enable SSL..... As far as I can see, the effect is that when the already-registered user enters the username + password and clicks login, the details entered are POSTed in clear to the action URI regardless of the setting of useSSL (I have confirmed this using Wireshark, by the way).  I suggest that the HTML should be something like:

Code Select Expand

<form action="<?php echo JRoute::_('index.php', $this->useXHTML, $this->useSSL); ?>" method="post" name="com-login" >

Hope this makes sense

Mark

[Milbo]

Joomla login is secure even without ssl as far as I know. But for me it makes sense what you say.

It works for you that way?

[mb000000]

@Milbo

Yes, with the additions of useXHTML and useSSL, the URI generated by JRoute includes https://<site>/index.php.... such that the SUBMIT later in the form now submits via SSL.  Without the additions, the submit action is to the plain URI, which for most people will be (effectively) via HTTP as in index.php.....  There may be some people who have SSL always configured (I assume they have powerful servers or quiet sites).

You're right, the J1.5, J2.5 and J3.0 login process(es) use the equivalent of useSSL (see modules/mod_login/tmpl/default.php). Each version's equivalent is something like:

Code Select Expand

<form action="<?php echo JRoute::_('index.php', true, $params->get('usesecure')); ?>" method="post" id="login-form" class="form-inline">

Using Wireshark confirmed what I already "knew" that the SUBMIT would (and does) POST over HTTP and thus be in clear. 

There is also a reasonable argument for adding in useXHTML and useSSL in the earlier form generated in login.php catering for when a customer is anonymously logging in to look at an order - for consistency if for no other reason.  In VM2.0.14, the parameters supplied in that case are true and 0 in place of useXHTML and useSSL, respectively.

With these changes, by the way, I made the server pass the PCI compliance (after many other hoops had been jumped through as well I should add).

Thanks

Mark

[Milbo]

Added for vm2.1, the file is also compatible to vm2.0