Kryptronic Software Support Forum


#1 09-06-2007 08:28:15

gabriela
Member
Registered: 03-16-2007
Posts: 20

Serious security issue

A customer has just reported a serious security issue with CCP6.
The customer is registered with our website wwwcollarways.co.uk. When she clicked on 'Your Account' and entered her password, she was logged into someone else's account. She then realised that the email address field had been pre-populated with someone else's email address (another customer); they happened to have the same password.

While I realise that it's rare that people have the same password, I still think it's a security risk to have the email field pre-populated with someone else's email address. This lady does not shop from a public computer, so it's not a cookie issue. Furthermore, when we did the same here on our machine, the same email address that the lady reported was pre-populated, also appeared in our login email address field.

I would appreciate someone helping me here as soon as possible, as I feel otherwise I have to shut down the site for the time being.

Thank you, Gabriela

Offline

 

#2 09-06-2007 08:38:41

GreenbarnWeb
Banned
Registered: 09-23-2003
Posts: 2743
Website

Re: Serious security issue

Hi

This is not a security problem with CCP6.

The cause of this type of problem is that the customers are given the same session ID from a link:
E.g. the link has an sid= in it.

We had customer send this type of link in emails, on Google ads etc.

Offline

 

#3 09-07-2007 08:51:03

gabriela
Member
Registered: 03-16-2007
Posts: 20

Re: Serious security issue

Hi Howard,
While I understand what you're saying, it still doesn't make sense.
Firstly, the lady found our site via Google, not from somebody else's link.
I also just did a test:
I went to the site on our PC/Internet Explorer, on Account login it showed my email address gabriela@collarways.co.uk. I closed the browser.
Then I emptied all cache/history in my browser on our Mac, Safari. I then went to the home page, clicked on Account login and it showed my email gabriela@collarways.co.uk
I changed the email to my other address gl@dokumenta.co.uk and logged in with the appropriate password. Then I logged out again.
I then went back to the PC, started IE and went to the home page, clicked on Account login and it now shows the last logged in email address gl@dokumenta.co.uk
And also, when I go to KHXC admin, the email login field always seems to show the email address of the last person who logged into the system, even if that person was a customer!

Is this something that's only happening in our installation of CCP6? And if so, is there a configuration that's wrong that I need to change?

I would appreciate if you could give this some further consideration. Many thanks,

Gabriela

Offline

 

#4 09-07-2007 10:24:15

Dave
Member
Registered: 07-05-2003
Posts: 11233

Re: Serious security issue

Sounds like your browser is capturing data and trying to plug it into fields it thinks are appropriate.  Clearing your cache and history won't stop it from remembering what you last used as that information is tied to a session ID which is stored in a cookie.  You'd have to remove your cookie also to have it look like a new/fresh customer visiting your site.

You could also install another (better) browser such as FireFox or Opera and use one of them for testing

Offline

 

#5 09-07-2007 10:42:15

ZipSkins
Member
From: United Kingdom
Registered: 01-15-2006
Posts: 822
Website

Re: Serious security issue

Dave wrote:

You could also install another (better) browser such as FireFox or Opera and use one of them for testing

What Dave's trying to say is that IE is rubbish and you should never use it ever, ever, ever, ever... big_smile


| Professional Quality Customisable Skins for your ClickCartPro Powered Site


-----------------------------
Certified Support Partner

Offline

 

#6 09-07-2007 16:23:29

Dave
Member
Registered: 07-05-2003
Posts: 11233

Re: Serious security issue

Dave was TRYING to be nice (and gentle) smile smile smile

Offline

 

#7 09-09-2007 03:46:58

gabriela
Member
Registered: 03-16-2007
Posts: 20

Re: Serious security issue

Actually I do have Firefox on the PC too, but I guess we can still assume that the majority of users will have IE - whether it's rubbish or not :-).
I'm still puzzled, but I certainly believe you that what I thought was an issue, isn't one. Particularly as nobody else seems to experience anything that suggests a security issue. I guess the incident that our customer was able to log into another customer's account (no relation between the two customers whatsoever) and was able to see their address details and order history was a totally isolated event.

Thanks for your help. Gabriela

Offline

 

#8 10-09-2007 10:25:53

scottc
Member
Registered: 08-06-2007
Posts: 93
Website

Re: Serious security issue

I have had a similar problem on this today. I will explain:

I was having a few problems with the HSBC process gateway. I went through the payment system etc., signing in with my email address and password. As I could not solve the problem (not related to this thread) I rang HSBC (which I found out from the guy I spoke to are based in Calcutta, India). I asked him to test the site out at his end. When he went through to sign in, the email address I had just used to log in was showing on his screen. He has never been to my site before. I am not quite sure how that could happen. I gave him the standard URL and he typed it in his browser.

The only possible thing I can think of is how I have my index.htm page set up. I basically took a copy of the index.php source code page and created a html page and pasted in the code and then uploaded it as my index page. Could this be what is causing the problem or is it something else?

Any help would be appreciated.

Thanks

Scott

Offline

 

#9 10-09-2007 10:45:00

GreenbarnWeb
Banned
Registered: 09-23-2003
Posts: 2743
Website

Re: Serious security issue

Hi

Your secure links in the index page have a sid= in them, e.g. the Checkout link. This will put all your customers who click those into the same session ID.

Add this to your .htaccess to take your customers direct to ccp6

Code:

RewriteRule ^$ /khxc/index.php

Offline

 

#10 10-09-2007 10:48:58

scottc
Member
Registered: 08-06-2007
Posts: 93
Website

Re: Serious security issue

Thank you Howard for the quick response.

I have put it in and hopefully it will do the job.

Scott

Offline

 

#11 08-04-2008 10:04:42

christine
Member
Registered: 05-09-2008
Posts: 47

Re: Serious security issue

Help, my customers can get into my account. After looking at this thread I added the rule to the .htaccess file and then the cart was totally inaccessible.  The customer who rang me said she clicked on the review online orders and my order history was there and she was logged in as me.  Obviously this is not acceptable; can someone please help?

Offline

 

#12 08-04-2008 10:13:07

Dave
Member
Registered: 07-05-2003
Posts: 11233

Re: Serious security issue

As was mentioned earlier in this thread, check your site carefully for a hard coded link that includes a SID (session ID) in it.

Offline

 

#13 03-24-2009 10:19:30

soycandl
Member
Registered: 02-18-2009
Posts: 51

Re: Serious security issue

I'm having the same problem with my customers' emails showing when I try to log in.  Where EXACTLY do I put the
Add this to your .htaccess to take your customers direct to ccp6

Code:
RewriteRule ^$ /khxc/index.php code?

???? 

Thanks
Teri

Offline

 

#14 03-24-2009 10:28:25

Dave
Member
Registered: 07-05-2003
Posts: 11233

Re: Serious security issue

You add it to your .htaccess file which will be in the root directory of your site.  But you need to search through your site and find the link that has a sid= in it and remove it.  That's the source of the problem in the first place.

Offline
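One way to carry out the search Dave describes, as an added example that is not part of the thread and not Kryptronic's code: it walks a site directory, reports every `href`, `src` or `action` URL that carries a `sid` query parameter, and shows the link with the parameter removed. The file extensions, the `shop.example` host, the `page=` parameter and the sample `index.htm` are constructed assumptions.

```python
import os
import re
import tempfile
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Attributes that carry URLs in HTML/PHP skin and template files.
URL_ATTR = re.compile(r'''(?:href|src|action)\s*=\s*(["'])(.*?)\1''', re.IGNORECASE)
SCAN_EXT = (".htm", ".html", ".php", ".txt")  # assumption: adjust to your site

def strip_sid(url):
    """Return (has_sid, url_without_sid) for one link."""
    parts = urlsplit(url.replace("&amp;", "&"))
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, v in pairs if k.lower() != "sid"]
    if len(kept) == len(pairs):
        return False, url
    return True, urlunsplit(parts._replace(query=urlencode(kept)))

def find_sid_links(root):
    """Walk root and list (path, line_no, link, cleaned_link) for sid= links."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(SCAN_EXT):
                continue
            path = os.path.join(folder, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line_no, line in enumerate(fh, 1):
                    for match in URL_ATTR.finditer(line):
                        has_sid, cleaned = strip_sid(match.group(2))
                        if has_sid:
                            hits.append((path, line_no, match.group(2), cleaned))
    return hits

def demo():
    """Scan a constructed index.htm (sample data, not from a real site)."""
    sample = (
        '<a href="/khxc/index.php?page=home">Home</a>\n'
        '<a href="https://shop.example/khxc/index.php?sid=CONSTRUCTEDSID&page=checkout">Checkout</a>\n'
    )
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.htm"), "w", encoding="utf-8") as fh:
            fh.write(sample)
        return [(os.path.basename(p), n, link, clean)
                for p, n, link, clean in find_sid_links(root)]

if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Point `find_sid_links` at a local copy of the site root; links stored in the database, in e-mail templates or in ad campaigns are outside what a file scan can see.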

 

#15 05-05-2009 22:59:34

Anthonypi
Member
Registered: 12-10-2008
Posts: 57

Re: Serious security issue

If a user sends a link to someone in an email, or Google indexes a page, and it has an sid in the query string in the URL... then when the user sent the link goes to the store, they are logged in and looking at my cart!!
That is not ok!! Is there a patch for this?

Last edited by Anthonypi (05-06-2009 02:46:48)

Offline

 

#16 05-06-2009 09:11:07

cyberws
Member
From: Atlanta, GA
Registered: 02-05-2004
Posts: 756

Re: Serious security issue

I think Nick needs to stop using sid in the URL and store that only in a cookie where it can be grabbed.  Too many people get tripped up in simply visiting a link then copying it from their browser session and pasting it in the theme and/or emails.  If this value was stored in a cookie this would totally stop these problems and confusions.  Let's face it very few people don't have cookies on and if you want to surf the net and do anything you need them on.


Jeremy O

Production CCP .:. Version 6 w/QuickBuy and many in house hacks
Skills: PHP & Perl programming, Solaris & Linux server administration, Oracle OCP training and MySQL experience

Offline

 

#17 05-06-2009 09:33:15

Dave
Member
Registered: 07-05-2003
Posts: 11233

Re: Serious security issue

cyberws wrote:

I think Nick needs to stop using sid in the URL and store that only in a cookie where it can be grabbed.

There's no choice really on the initial entry to a site.  Once a person navigates past the first page of a site the SID is carried in a cookie.  It is impossible to set and check a cookie with a single visit to a page.

cyberws wrote:

If this value was stored in a cookie this would totally stop these problems and confusions.

See above.  The SID is carried in a cookie.  The first page of a site has to have the SID show up in the links though for the reason stated above.

cyberws wrote:

Let's face it very few people don't have cookies on and if you want to surf the net and do anything you need them on.

I disagree.  More and more people keep cookies disabled and only enable them for specific sites to do specific things.

Offline

 

#18 05-06-2009 11:40:08

cyberws
Member
From: Atlanta, GA
Registered: 02-05-2004
Posts: 756

Re: Serious security issue

Well I have to say I disagree.

First off most sites set cookies when you visit like Google, Facebook, Amazon, Newegg, etc.  These cookies are set when the site loads (if it's a first time visit otherwise usually read obviously) then on the next page the information is grabbed.  You don't see Amazon, Newegg, etc encoding this information into their URLs hence their use of cookies (and how almost all software on the net works).

As for the other item very few people mess with cookies.  Most users aren't that familiar with the settings to do so - now they may clear them using some kind of push button privacy cleaner that does it for them.  If one turns off cookies (just like Javascript) the net becomes pretty useless.  Again see Amazon, Newegg, Weather.com, Facebook, etc, etc.  People don't like the Windows Vista User Control because it constantly nags them to "Allow, Disallow" an action.  Users don't want to go through that and again most people rarely touch default settings and all browsers (at least all the major ones like IE, Mozilla, Chrome, etc) default to allow cookies.

Even security software allows cookies like Webroot, McAfee, Symantec, etc.


Jeremy O

Production CCP .:. Version 6 w/QuickBuy and many in house hacks
Skills: PHP & Perl programming, Solaris & Linux server administration, Oracle OCP training and MySQL experience

Offline

 

#19 05-06-2009 20:33:57

Anthonypi
Member
Registered: 12-10-2008
Posts: 57

Re: Serious security issue

Cyberws... Agreed... and the security issue is much more of a problem than the fact that one or two users don't have cookies enabled.
The way the cart uses the sid currently is unacceptable, period. The risk of email sent links and search engines pulling pages with the sid in it is just too much of an issue. I will be writing a patch for this and have the cart handle the session totally differently. At the very least I can't have a cart pulled to the page from a link coming from wherever. I'll post my patch when it is done. Thanks

Offline

 

#20 05-07-2009 11:35:41

cyberws
Member
From: Atlanta, GA
Registered: 02-05-2004
Posts: 756

Re: Serious security issue

That isn't a bad idea Anthonypi.  As you surf around the net and pay attention to URLs there rarely is any session id call but if you view a cookie you will usually see some kind of data.  If Nick is against cookies fine use PHP sessions which each visitor will be given a unique session and Nick can store the sid in the session which would stop the sid call in the URL.

I totally agree relying on the user to bring specific technologies always poses some uncertainty.  Still cookies and javascript are just part of the web and a safe technology to use.  I mean just look at the sites using AJAX (need Javascript) and just running a Google search uses cookies.  So let's face it cookies are just part of the web besides most surfers are like cookie what?  Do you mean Oreos?

Last edited by cyberws (05-07-2009 11:36:44)


Jeremy O

Production CCP .:. Version 6 w/QuickBuy and many in house hacks
Skills: PHP & Perl programming, Solaris & Linux server administration, Oracle OCP training and MySQL experience

Offline

 

#21 05-08-2009 01:50:19

auntyollie
Member
Registered: 03-21-2009
Posts: 3

Re: Serious security issue

Issue.  No sid='s (checked Google numerous times).  No sid= in the MySQL databases.  No sid= in splash.php, skin.php etc. I cleaned out the sessions and order ids (as per a different post) and it still happens.  I guess you'll tell me how I am wrong and there is a sid= somewhere....

Offline

 

#22 05-14-2009 11:32:21

mickyharris
Member
Registered: 03-30-2009
Posts: 16

Re: Serious security issue

Opinion.

Why the sudden silence from Kryptronic/Greenbarn? I've just put this software live for a client and now this is worrying me, this does look like a serious security flaw and we shouldn't have to rely on the goodwill of members like Anthonypi to put things right.

Come on Kryptronic, let's have an honest response about this rather than batting the members off and hoping it will go away.

Offline

 

#23 05-14-2009 12:21:35

Dave
Member
Registered: 07-05-2003
Posts: 11233

Re: Serious security issue

There hasn't been any "sudden silence" from anyone.  There is not a security issue and, by default, a logged in user SID exists for 15 minutes.  There's a 1 in 360,000,000,000,000,000,000,000,000,000 chance of cracking things and it would have to be done within that 15 minute window.

Offline

 

#24 05-14-2009 13:11:25

Brett2000
Member
Registered: 05-11-2009
Posts: 4

Re: Serious security issue

Hi,

Curious about this:
> There is not a security issue and, by default, a logged in user SID exists for 15 minutes. 

Are you saying if someone copies a link (with SID in the url), they can send it to someone else, and the session is active for 15 minutes, so they could click that link and be logged in as that user? 

I don't see how this is not a security issue, that's a huge privacy problem with people having their addresses and orders in their account.  I've not yet purchased CCP, but I'm considering it seriously, I would like to know how this will be solved (back to version 6.x)?  I currently use Miva cart and there is never an issue like that, I mention it only because Miva also uses SessionID's, but within its own scripting language (MivaScript), there is an option in the cart to let the cart run with Sessions and with Cookies (as a backup), or to turn cookies off completely and just run with sessions, so I'm sure in that code somewhere is a solution to how to do this - my guess is that you look at the IP address of the user, or even consider storing something like the Computer Mac address, or hardware id?

Thanks,
-Brett

Offline

 

#25 05-14-2009 13:19:55

Dave
Member
Registered: 07-05-2003
Posts: 11233

Re: Serious security issue

Brett2000 wrote:

Are you saying if someone copies a link (with SID in the url), they can send it to someone else, and the session is active for 15 minutes, so they could click that link and be logged in as that user?

No.  They would have to be using the same machine that the previous person was using (if there's a mismatch between the SID and the cookie data a new session is created).

Brett2000 wrote:

my guess is that you look at the IP address of the user, or even consider storing something like the Computer Mac address, or hardware id?

People behind proxy servers, AOL is probably the largest group of those, will all look like they have the same address.  Dynamic connections, virtually the rest of the connected world, may change at any time.  Hardware level details are never available to a browser.

Offline
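The disagreement in this thread comes down to whether a sid taken from the URL alone is enough to join a session. The following added example (a toy model, not CCP6's code; the thread does not show how CCP6 resolves sessions) contrasts a resolver that accepts a URL sid with one that only honours a sid the browser presents as a cookie. `SessionStore`, `resolve`, `shared_link_outcome` and the e-mail address are hypothetical names and constructed data.

```python
import secrets

class SessionStore:
    """Toy in-memory session table: sid -> session data (hypothetical model)."""

    def __init__(self, trust_url_sid):
        self.trust_url_sid = trust_url_sid
        self.sessions = {}

    def _new_session(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"email": None}
        return sid

    def resolve(self, url_sid=None, cookie_sid=None):
        """Return the sid this request is bound to."""
        # A cookie the server issued earlier identifies the browser.
        if cookie_sid in self.sessions:
            return cookie_sid
        # No valid cookie: the only candidate is the sid from the link.
        if self.trust_url_sid and url_sid in self.sessions:
            return url_sid          # anyone holding the link joins the session
        return self._new_session()  # link sid ignored, fresh session issued

def shared_link_outcome(trust_url_sid):
    """Two cookie-less visitors follow the same hard-coded sid= link."""
    store = SessionStore(trust_url_sid)
    pasted_sid = store.resolve()  # site owner's session; its sid ends up in a link
    store.sessions[pasted_sid]["email"] = "owner@shop.example"  # constructed
    visitor_a = store.resolve(url_sid=pasted_sid)
    visitor_b = store.resolve(url_sid=pasted_sid)
    return {
        "a_sees_owner_email": store.sessions[visitor_a]["email"] is not None,
        "a_and_b_share": visitor_a == visitor_b,
    }

if __name__ == "__main__":
    print("URL sid trusted:  ", shared_link_outcome(True))
    print("cookie required:  ", shared_link_outcome(False))
```

With the URL sid trusted, both visitors land in the owner's session and see the stored e-mail address, which matches the symptom reported throughout the thread; with the cookie required, each gets a fresh, empty session.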

 
