    Security Checkup Email

    I am not seeing a Scheduled Task for "Security Checkup". Where do we go to turn off the weekly email for the PA-DSS checklist review?

    #2
    It’s not a scheduled task and cannot be turned off.
    Thanks,

    Rick Wilson
    CEO
    Miva, Inc.
    [email protected]
    https://www.miva.com



      #3
      How long does one have to correct issues for tests that did not pass? Are there penalties or fees associated with these?
      Psydde Delicious
      Delicious Boutique & Corseterie
      Philadelphia, PA
      www.DeliciousBoutique.com
      www.DeliciousCorsets.com



        #4
        There are no time limits or penalties; the email is informational only and designed to encourage "secure behavior" and let you know if something has become insecure since the prior email.
        Thanks,

        Rick Wilson
        CEO
        Miva, Inc.
        [email protected]
        https://www.miva.com



          #5
          The docs should probably be updated because they indicate you can turn it off: https://docs.miva.com/miva-10-refere...cheduled-tasks

          Enabled: Check the Enabled checkbox to allow this task to run in your store. You can uncheck this box if you don't want the task to run, but you don't want to delete it.

          Also, for sites hosted with Miva, how do we fix the following items:

          1. Primary Database not Located on Web Server
          2. Private Key Database on Different Server Than Primary Database



            #6
            You can have your database moved to a separate server via support request; keep in mind that if this is for a plan that is lower than enterprise level, that configuration will not allow for direct database access independent of Miva Merchant.
            David Hubbard
            CIO
            Miva
            [email protected]
            http://www.miva.com



              #7
              David,

              that configuration will not allow for direct database access independent of Miva Merchant.
              Can you explain the ramifications of this beyond the obvious access of reading and writing from a module? I am getting direct questions about the PA-DSS checklist review email from clients and store owners that aren't my clients. I think I have accurate guesses, but I'd rather not guess even if I am correct.

              Thanks,

              Scott
              Need to offer Shipping Insurance?
              Interactive Design Solutions https://www.myids.net
              MivaMerchant Business Partner | Certified MivaMerchant Web Developer
              Competitive Rates, Custom Modules and Integrations, Store Integration
              AutoBaskets|Advanced Waitlist Integration|Ask about Shipping Insurance Integration
              My T-shirt Collection is mostly MivaCon T-shirts!!



                #8
                Basically just means no tinkering with the database, even if just reading, outside of Miva Merchant, which 99% of the time is phpMyAdmin. Modules that intentionally bypass Merchant's security framework, like "SQL query" modules that let people enter arbitrary database queries, even if read-only in theory, are equally problematic because it still provides access to data that may not otherwise have been available to the user in question, or may provide data that would normally require access logging, where such logging would then not occur. We're going to begin taking a harder stance on that type of module because it almost never involves the appropriate stakeholder in the business entity knowing and acknowledging the potential liability that is being created for them by someone adding such a module.
                David Hubbard
                CIO
                Miva
                [email protected]
                http://www.miva.com



                  #9
                  Originally posted by Rick Wilson:
                  It’s not a scheduled task and can not be turned off.
                  Here's another thought - can it be configured to only be sent out if something fails?
                  Leslie Kirk
                  Miva Certified Developer
                  Miva Merchant Specialist since 1997
                  Previously of Webs Your Way
                  (aka Leslie Nord leslienord)

                  Email me: [email protected]
                  www.lesliekirk.com

                  Follow me: Twitter | Facebook | FourSquare | Pinterest | Flickr



                    #10
                    Hi David, I do have a couple of clients running modules that allow for arbitrary SQL queries written into template code. They only do SELECT queries, so they can't modify any data; but from what you wrote, apparently they can still be a violation. If I add a log-keeping feature to these modules, will that be sufficient? Or do I have to replace them with dedicated modules where the query is hard-coded?

                    In case it matters, I should mention that the queries generated by these modules don't use any input from the shopping pages; so no one but an admin user can access or modify them.

                    Thanks --
                    Kent Multer
                    Magic Metal Productions
                    http://TheMagicM.com
                    * Web developer/designer
                    * E-commerce and Miva
                    * Author, The Official Miva Web Scripting Book -- available on-line:
                    http://www.amazon.com/exec/obidos/IS...icmetalproducA



                      #11
                      If you're needing to retrieve data to a page template via direct query that is inaccessible because there is not an appropriate function, variable, etc., then it would be best to let us know that, the usage scenario, etc. and we can determine if there's a software improvement that could be made, an alternate and preferred way of access, or explain why such data should not be accessed in that manner.

                      Putting arbitrary SQL queries in a page template means a request to that template executes it, it's probably not a prepared statement, it didn't go through any of the testing/QA all of Merchant and its queries go through during the release cycle, it may or may not be database agnostic so it could break if Merchant's underlying DBMS is changed, you don't know who made the request, you can't log who made the request since you don't know who it was, a non-admin with user interface privilege could insert/alter/remove the code from a page template, bypassing the need for admin rights to get to data they should not see, so on and so forth.
                      David Hubbard
                      CIO
                      Miva
                      [email protected]
                      http://www.miva.com



                        #12
                        Hi David, I just did a search through my files, and here are the cases where I used a module to create SQL queries from page templates. I always look through the LSK before I write one of these. Without a custom query, they would require multiple library calls and/or code loops to filter the data down to what the client actually wants.

                        Several stores are using this one in page templates that generate reports of orders during a specified time period:
                        Code:
                        <mvt:assign name="l.settings:sql" value="'SELECT * FROM [s]Orders
                        WHERE (orderdate >=' $ g.startdate $ ') AND (orderdate <=' $ g.enddate $ ') ORDER BY orderdate'" />

                        Here's one for a client who wants a display on the shopping pages of all categories that are currently on sale.
                        Code:
                        <mvt:assign name="l.settings:on_sale:sql" value="'
                        SELECT p.id AS pgrp_id, p.name AS sale_name, p.dt_start, p.dt_end, c.*
                        FROM [s]PriceGroups p, [s]PriceGroupXCategory pxc, [s]Categories c
                        WHERE (pxc.pgrp_id = p.id) AND (pxc.cat_id = c.id)
                        AND (dt_start <= ' $ s.time_t $ ') AND ((dt_end = 0) OR (dt_end > ' $ s.time_t $ '))
                        ORDER BY c.name'" />

                        This one searches for a price group of the Product Discount type (module ID = 75) that's assigned to a category,
                        in order to extract the discount percentage for display.
                        Code:
                        <mvt:assign name="l.settings:sub_category:sql" value="'SELECT p.id, p.name, p.config
                        FROM [s]PriceGroups p, [s]PriceGroupXCategory pxc
                        WHERE (pxc.pgrp_id = p.id) AND (pxc.cat_id = ' $ l.settings:sub_category:id $ ') AND (p.module_id = 75)
                        AND (dt_start <= ' $ s.time_t $ ') AND ((dt_end = 0) OR (dt_end >= ' $ s.time_t $ '))'" />
                        <mvt:assign name="l.settings:limit" value="'999'" />

                        This one works with data from the Tess's Wait List module. The client wanted to be able to see all the wait-listed items on one page.
                        Code:
                        <mvt:assign name="l.settings:sql" value="'SELECT * FROM [s]TGWaitlist ORDER BY time_added DESC'" />

                        Thanks --
                        Kent Multer
                        Magic Metal Productions
                        http://TheMagicM.com
                        * Web developer/designer
                        * E-commerce and Miva
                        * Author, The Official Miva Web Scripting Book -- available on-line:
                        http://www.amazon.com/exec/obidos/IS...icmetalproducA



                          #13
                          Kent, for the 1st and 4th examples, these are being used in page templates where the page can simply be requested via browser? If I'm understanding that correctly, those are incredibly bad things to be doing and the exact reason why we may move to make such code impossible to deploy. Miva Merchant has been built with access controls around order data to ensure the person who logged into the store administrative interface has the necessary permission to see order data. Miva Merchant also makes use of prepared statements, among other techniques, to reduce its susceptibility to SQL injection attacks. In your example, you're bypassing Merchant's user-level privilege system, authentication, logging, and you're creating a SQL injection opportunity since you're passing raw input variables into the middle of the SQL query. The stores using this could be having their order data seen by whoever is able to access the page in question, hopefully with some form of auth, but who really knows, with no record of the access, and then perhaps they overload one of those variables and make the query do whatever else they'd like to see/alter in the store.
                          David Hubbard
                          CIO
                          Miva
                          [email protected]
                          http://www.miva.com



                            #14
                            Yes, the 1st and 4th examples are quick-access report pages. When the client asked for them, I pointed out all these security issues, but they still wanted to go this way. For one thing, I think they want to be able to view these reports without having to log in. There are no links to these pages from anywhere else in the site; so there's no way for a malicious user to find out that the pages even exist.

                            The first example is the only one that accepts input from the user in URL parameters. I could put some validation code in the template, to make sure that it would only accept valid dates, nothing with any characters that could alter the SQL.

                            I will pass your thoughts on to the client, and recommend that we tighten things up.

                            How can a non-admin user alter a page template???

                            Thanks --
                            Kent Multer
                            Magic Metal Productions
                            http://TheMagicM.com
                            * Web developer/designer
                            * E-commerce and Miva
                            * Author, The Official Miva Web Scripting Book -- available on-line:
                            http://www.amazon.com/exec/obidos/IS...icmetalproducA

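As an added illustration of the point made in #13 and the validation proposed in #14 (not code from the thread, and not Miva Merchant's own API), here is the first report query rewritten the way a defender would want it: the startdate/enddate values are accepted only as plain integer timestamps, and the query is a prepared statement with bound parameters instead of string concatenation. The in-memory SQLite table and its rows are constructed sample data standing in for the [s]Orders table; the assumption that orderdate is a Unix timestamp follows from the template comparing it against time_t style values.

```python
import sqlite3

# Constructed sample rows standing in for the store's Orders table
# (id, orderdate as a Unix timestamp, order total). Assumption: orderdate
# is an integer timestamp, as the template's time_t comparisons suggest.
SAMPLE_ORDERS = [
    (1001, 1546300800, 49.99),   # 2019-01-01
    (1002, 1548979200, 120.00),  # 2019-02-01
    (1003, 1551398400, 15.50),   # 2019-03-01
]


def open_sample_db():
    """Build an in-memory SQLite database holding the constructed orders."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Orders (id INTEGER, orderdate INTEGER, total REAL)")
    db.executemany("INSERT INTO Orders VALUES (?, ?, ?)", SAMPLE_ORDERS)
    return db


def parse_timestamp(raw):
    """Accept only an unsigned ASCII decimal timestamp from the URL parameter.

    Anything else (letters, quotes, spaces, operators) is rejected before it
    gets anywhere near the database, which is the validation step #14 describes.
    """
    if not isinstance(raw, str) or not raw.isascii() or not raw.isdigit() or len(raw) > 11:
        raise ValueError("startdate/enddate must be a plain integer timestamp")
    return int(raw)


def orders_in_range(db, startdate, enddate):
    """Parameterized equivalent of the concatenated template query.

    The '?' placeholders bind the values as data, so even if validation were
    bypassed the driver would never interpret them as SQL.
    """
    start = parse_timestamp(startdate)
    end = parse_timestamp(enddate)
    return db.execute(
        "SELECT id, orderdate, total FROM Orders "
        "WHERE orderdate >= ? AND orderdate <= ? ORDER BY orderdate",
        (start, end),
    ).fetchall()


if __name__ == "__main__":
    conn = open_sample_db()
    for row in orders_in_range(conn, "1546300800", "1548979200"):
        print(row)
```

Access control and logging are not addressed here; this only closes the injection path, and the thread's point that such a page still needs Merchant's authentication and audit trail stands.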


                              #15
                              Those are honestly fairly incredible statements to make, Kent. The client wanted to hire you to assist them with accomplishing a ridiculously insecure security posture with regard to customer data, one that could subject them to severe reputational damage, and real liability concerns in any number of jurisdictions, but a warning that it's a bad idea was sufficient to proceed? The hope that there are no links to certain pages on a site is now the method by which order data is protected on the sites in question, and there's simply "no way" for malicious access? You are aware malware can eavesdrop on any URL a computer accesses, or perhaps the users have even installed a browser plugin that shares each page they visit with something that then crawls said pages.

                              I'd request that you let us know privately any site that has this code deployed; we will inform those clients that it must be removed asap, which we can assist with, or the sites will need to be taken offline until resolved.
                              David Hubbard
                              CIO
                              Miva
                              [email protected]
                              http://www.miva.com
