Order details and invoice are public and searcheable in Google

Started by acuabit, January 10, 2017, 13:39:47 PM

Previous topic - Next topic

acuabit

Hello.

We have the following problem. I block all permissions for Public and user must register for buy, but order details and invoice are public and searcheable in Google. You can check if put following URL for example: http://www.parapandaecorock.com/index.php?option=com_virtuemart&view=invoice&layout=invoice&tmpl=component&virtuemart_order_id=92&order_number=LUBB076&order_pass=p_soNmwxeK

Can someone help me please?


finngu

We have the same problem!
When searching on Google for "ftsu bestilling" you get this:

https://www.google.dk/search?q=ftsu%20bestilling&oq=ftsu%20bestilling&aqs=chrome..69i57.6984j0j8&sourceid=chrome&ie=UTF-8

The first 2-3 hits are actual live invoices from our webshop.........

I really need to find out how to solve this!?!

I hope someone can send us in the direction what to do?

Thanks
Finn


finngu

Quote from: acuabit on January 10, 2017, 13:39:47 PM
Hello.

We have the following problem. I block all permissions for Public and user must register for buy, but order details and invoice are public and searcheable in Google. You can check if put following URL for example: http://www.parapandaecorock.com/index.php?option=com_virtuemart&view=invoice&layout=invoice&tmpl=component&virtuemart_order_id=92&order_number=LUBB076&order_pass=p_soNmwxeK

Can someone help me please?

Have you found a solutions for this?
We have the same problem.....

Finn

Milbo

you provide the order password within the link and so you can open the order. We hardened this part a bit, you may install http://dev.virtuemart.net/attachments/download/1029/com_virtuemart.3.0.18.6_extract_first.zip
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

WERK70

Hi,

today we were asked to have a look at a VM shop with the same problem.

The shop was running on 3.16. We updated to 3.18. Is that issue solved or do we have to take further steps?

thanks
Frank

AH

WERK70

You need to test this all for yourself - maybe the joomla site was hacked and ACL is incorrect?

Regards
A

Joomla 4.4.5
php 8.1

quintangai

We have the same issue in our shop, ang googling any existing email on any customer and clicking on the google search links resulted that mention our shop get directly to the orders or print pdf invoices without asking to log in...  we find this as being a huge whole for confidenciality...

any fix for this ?

regards

quintangai

sorry I forgot to mention that we have last versions of joomla 3.6.5 and VM 3.0.18 running on a shared server with php 5.6
on how force any VM entering to be logged in will be much appreciated....
or if there is a patch for only the ones who worry about this ??

any comments will be much appreciated

jenkinhill

You must check your ACL settings.

Many websites that did not get updated to Joomla 3.6.4 and then to 3.6.5 within a suitably short time ( even a few minutes) of the release of the official patches were at risk of being hacked, as the method of hacking was also released on the net at the same time (or even slightly before) the official patch release time.  I have had to repair some sites that had been hacked, in two cases they were updated supposedly within one hour of the patch release but still got hacked. One of the hacks we have seen was to allter Joomla ACL settings, so please check this, just in case.
Kelvyn
Lowestoft, Suffolk, UK

Retired from forum life November 2023

Please mention your VirtueMart, Joomla and PHP versions when asking a question in this forum

AH

QuoteWe have the same issue in our shop, ang googling any existing email on any customer and clicking on the google search links resulted that mention our shop get directly to the orders or print pdf invoices without asking to log in...  we find this as being a huge whole for confidenciality...

any fix for this ?


NOTE

VirtueMart does NOT allow such a feature by default.  From a privacy perspective it would be ridiculous for it to do so!

Therefore there is something within your settings of Access Control managed by Joomla that is allowing access to administrator/manager or registered users functionality by non registered users. 

You can read more about it here

https://docs.joomla.org/J3.x:Access_Control_List_Tutorial

If you do not know what I am talking about - or have never set any ACL settings in Joomla then it is very likely that you were subject to a security exploit.

https://www.joomla.org/announcements/release-news/5693-joomla-3-6-5-released.html

There is no VM patch for any of this - it was/is not a VM issue.

Please review your current installation, assuming that there is something wrong with this - because VM does not allow access to user data by any user, regardless of the version.
Regards
A

Joomla 4.4.5
php 8.1

aftertaf

just out of curiosity and for clarifying...
If impacted by this, the problem would be that the different ACLs for items in the virtuemart entry on Global Configuration have incorrect settings (due to hack, exploit, etc...)?
@jenkinhill, you said "One of the hacks we have seen was to allter Joomla ACL settings, so please check this, just in case." - for virtuemart, or for each and every entry on the left panel of Global Configuration... ?
thanks
david

jenkinhill

Each and every ACL option was green on the website we saw, and there were 8 users listed with administrator access who had not been added by the site superuser. We have no idea exactly how this was done, but the database must effectively have been accessed/altered and the whole site compromised. The only option was to revert to an earlier backup, and update Joomla and extensions on localhost before publishing to the live server. This was not a VM site, so there was no possibility of orders being lost etc. It was only spotted by the owner because the edit symbol showed on FE articles and modules without being logged in.
Kelvyn
Lowestoft, Suffolk, UK

Retired from forum life November 2023

Please mention your VirtueMart, Joomla and PHP versions when asking a question in this forum

Studio 42

Stop
Quote from: K&K media production on January 10, 2017, 18:23:58 PM
There is nothing listed on google.

https://www.google.de/search?num=50&q=www.parapandaecorock.com%2Findex.php%3Foption%3Dcom_virtuemart%26view%3Dinvoice&oq=www.parapandaecorock.com%2Findex.php%3Foption%3Dcom_virtuemart%26view%3Dinvoice

Search result in cache:
http://webcache.googleusercontent.com/search?q=cache:4qoKqg1JsycJ:www.parapandaecorock.com/index.php%3Foption%3Dcom_virtuemart%26view%3Dinventory%26tmpl%3Dcomponent%26manage%3D1&num=1&hl=fr&gl=fr&strip=1&vwsrc=0

Each time someone reported me such problem you find some working links and this mean that someone hacked the site or you update from a old Vm release and the ACL was not set on update.

I think that orders that have a valid Joomla user should not be accessible from direct link, this prevent already some hacks if you don't use anonymous order.

All order page links should be set to rel="no follow"
and head meta
<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
So you have not your orders displayed in google or other search bots that respect some rules.

WERK70

Good morning,

we checked the ACL and as predicted it was compromised. Lots of users that should not be there. Some of them and some customers were labled as administrators and superusers. Even the password for the dB has been changed.

As we don't run this site on our own nor do we update this site and the site owner doesn't want to pay a cleaning, we'll pass the problem back to the site owner.

thank you for the information.

Frank