
Security - order detail disclosure to third parties

Started by RedJohn, June 14, 2013, 11:06:44 AM


RedJohn

#15
Google somehow got to these addresses.
Probably the GA tracking code.
Or someone inadvertently published, somewhere on a public website, a link to the data that is sent with the GET method.

It's enough for the page to end up in the index.

As stated in the earlier example, I do not know the password; Google showed it to me.



To protect yourself a little against indexing, it is enough to edit the file:

\components\com_virtuemart\views\orders\view.html.php

and at about line 46, just below the line:

$document = JFactory::getDocument();

add the line:

$document->setMetaData('robots', 'noindex, noarchive, nofollow');

and upload the file to the server.


Now, if by chance a bot goes to such a page, it should not appear in the index.
To avoid problems, we should also take a look at our plugins.
It seems to me that hotlinking (e.g. from a template or modules) can expose the password, which can be read on the hotlinked server in the HTTP_REFERER variable.


You can also disable statistics (e.g. Google) for these pages by wrapping the tracking code in the condition:

if (empty($_GET['order_pass']))
{
    // the tracking code goes here
}
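As an added example (not from this thread or from VirtueMart), a small Python scanner for a web server access log that flags the two exposures discussed above: a crawler fetching an order URL that carries order_pass, and order_pass travelling in the Referer header, which is exactly what a hotlinked resource on another server would receive. The log lines, hostnames and parameter values are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache "combined" format, made-up hosts and values).
SAMPLE_LOG = """\
203.0.113.5 - - [14/Jun/2013:11:06:44 +0200] "GET /index.php?option=com_virtuemart&view=orders&layout=details&order_number=ORD1001&order_pass=p_abc123 HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
203.0.113.9 - - [14/Jun/2013:11:07:01 +0200] "GET /images/logo.png HTTP/1.1" 200 512 "http://shop.example/index.php?option=com_virtuemart&view=orders&order_number=ORD1001&order_pass=p_abc123" "Mozilla/5.0"
198.51.100.7 - - [14/Jun/2013:11:08:13 +0200] "GET /index.php?option=com_virtuemart&view=category HTTP/1.1" 200 4300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
BOT_RE = re.compile(r"bot|crawl|spider", re.I)


def has_order_pass(url):
    """True if the URL's query string carries VirtueMart's order_pass parameter."""
    return "order_pass" in parse_qs(urlsplit(url).query)


def redact(url):
    """Mask the order_pass value so findings can be shared without re-leaking it."""
    return re.sub(r"(order_pass=)[^&\s]+", r"\1<redacted>", url)


def scan(log_text):
    """Return (kind, ip, redacted_url) tuples for requests that expose an order password."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, url, referer, ua = m.group("ip", "url", "referer", "ua")
        # A crawler fetched the order page itself: the link has leaked and may get indexed.
        if has_order_pass(url) and BOT_RE.search(ua):
            findings.append(("crawler_fetched_order_page", ip, redact(url)))
        # The order URL shows up as Referer: the same header reaches any hotlinked third-party host.
        if has_order_pass(referer):
            findings.append(("order_pass_in_referer", ip, redact(referer)))
    return findings


if __name__ == "__main__":
    for kind, ip, url in scan(SAMPLE_LOG):
        print(kind, ip, url)
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the second finding type is the one the HTTP_REFERER remark above is about.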

Milbo

ahh, now I get it. Google is tracking people and archiving every link they visit? could it be?
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

Milbo

Okey, we added now to the orders and users view


$document = JFactory::getDocument();
$document->setMetaData('robots','NOINDEX, NOFOLLOW, NOARCHIVE, NOSNIPPET');


I think the problem comes when Google is following people visiting their own user account. Then an order list is generated and the access is done via the anonymous links. We need to change it here, so that it shows the order links for registered people.
Also in the BE we have these links, because if you want to print in the BE, you don't want to have to be logged in in the FE.

Milbo

Thank you RedJohn. I also noticed that there are only 300 hits with Google and for example our own store is not listed, so there must be something that the people installed, or so.

RedJohn

#19
Quote from: Milbo on June 19, 2013, 18:07:41 PM
ahh, now I get it. Google is tracking people and archiving every link they visit? could it be?

Yes, I think it is very possible :)
I have examined these sites, which by chance were in Google, and did not find links leading directly to them. So, theoretically, they should not be indexed (this is the principle SEO operates on).
So why does Google know about them? ;) ;)

The reasons can be many, even tracking code.
Or just a plain Firefox plugin that checks the page rank of the page you are on. And Google has just got a new link to INDEX.
It can be the Alexa plugin (Alexa page rank), or many other plugins, even Joomla modules.

Milbo


RedJohn

Quote from: Milbo on June 19, 2013, 20:45:09 PM
you may test the new version http://forum.virtuemart.net/index.php?topic=115877.msg390380#msg390380

Currently I have the 2.0.18 stable version, heavily modified for me.
An update will surely overwrite my changes. Therefore, I do only important updates, because then I have to adjust a lot again for myself. Is it a fairly stable version?

xristo

Quote from: Milbo on June 19, 2013, 14:58:12 PM
how should google find it? How do you access the order data without knowing the password?

Milbo,

I believe this "security bug" still exists in later versions of VM. I'm using Joomla 2.5.17 and VirtueMart 2.0.26a. Any user who has another user's link for "View My Orders" does not need to enter a username / password (or order ID or secret password) to view the respective user info.

In my situation, a user makes a purchase and then forwards the invoice email to their IT staff to download and install the purchased software (they bought on our VirtueMart site). When this 3rd party has the email and clicks "View Orders Online" they are not even presented with a login request, they can see all the order details, as well as have the ability to download the virtual product WITHOUT LOGGING IN. This being the case, I'm certain that bots (let's leave Google out of this example) will eventually crawl these unrestricted user order details, which presents a confidentiality issue as well as a security issue.

Can somebody please advise??? I have a client whose site went live today and it's frightening to think anyone with the URL can blindly access other user details. Granted most people (users) will not forward their invoice emails to another 3rd party, but the fact this security hole exists is enough to make me scrap weeks of work and not use VirtueMart until fixed.

PLEASE HELP!

Milbo

Xristo there is a misunderstanding

The link in the email keeps the "login" data for "not registered" users. So it does NOT reveal the user password. It just gives direct access (protected by the order password) to the order.

if someone is sending his email to a 3rd party, so that they should be able to access the order (to download), then of course they have also access to the rest.

xristo

Quote from: Milbo on January 14, 2014, 19:10:20 PM
Xristo there is a misunderstanding

The link in the email keeps the "login" data for "not registered" users. So it does NOT reveal the user password. It just gives direct access (protected by the order password) to the order.

if someone is sending his email to a 3rd party, so that they should be able to access the order (to download), then of course they have also access to the rest.

That makes sense, but my concern or problem is that it does not ask for the order password, it just provides direct access. But thank you for clarifying the functionality, as I somewhat understand the reasoning behind the coding.

Is it safe to assume that the VM team has taken action to prevent indexing of these URLs with the Order Number and Order Passwords hard coded?

On a side note, since you mostly read and respond to users complaints or misunderstanding...

THANK YOU for providing a great product that VirtueMart is and thank you for taking your time to respond to these forums. Keep up the wonderful work!

Milbo

Yes. This post had the problem as topic, that somehow these links, inclusive of the password, got listed, even though it is only provided in the email. To underline: only with the order password. We added a nofollow and similar and the problem seems solved. But Google will still know, similar to the NSA. You can remove this link in the email, but if the email is not safe, it is hard to shop securely.

But most people do not really care if a policeman sees that they buy some clothes in a store. Just create an order and try to access the order view without being logged in. Then you see a login by order number and password. Both are quite unguessable, usually.

and thanks for the thumb up. Please review us then http://extensions.joomla.org/extensions/e-commerce/shopping-cart/129