Security Checkup Email
-
I am not seeing a Scheduled Task for "Security Checkup". Where do we go to turn off the weekly email for the PA-DSS checklist review?
-
How long does one have to correct issues for tests that did not pass? Are there penalties or fees associated with these?
Psydde Delicious
Delicious Boutique & Corseterie
Philadelphia, PA
www.DeliciousBoutique.com
www.DeliciousCorsets.com
-
The docs should probably be updated because they indicate you can turn it off: https://docs.miva.com/miva-10-refere...cheduled-tasks
Enabled: Check the Enabled checkbox to allow this task to run in your store. You can uncheck this box if you don't want the task to run, but you don't want to delete it.
Also, for sites hosted with Miva, how do we fix the following items:
1. Primary Database not Located on Web Server
2. Private Key Database on Different Server Than Primary Database
-
David,
That configuration will not allow for direct database access independent of Miva Merchant.
Thanks,
Scott
Need to offer Shipping Insurance?
Interactive Design Solutions https://www.myids.net
MivaMerchant Business Partner | Certified MivaMerchant Web Developer
Competitive Rates, Custom Modules and Integrations, Store Integration
AutoBaskets|Advanced Waitlist Integration|Ask about Shipping Insurance Integration
My T-shirt Collection is mostly MivaCon T-shirts!!
-
Basically it just means no tinkering with the database, even if just reading, outside of Miva Merchant, which 99% of the time is phpMyAdmin. Modules that intentionally bypass Merchant's security framework, like "SQL query" modules that let people enter arbitrary database queries, even if read-only in theory, are equally problematic because it still provides access to data that may not otherwise have been available to the user in question, or may provide data that would normally require access logging, where such logging would then not occur. We're going to begin taking a harder stance on that type of module because it almost never involves the appropriate stakeholder in the business entity knowing and acknowledging the potential liability that is being created for them by someone adding such a module.
-
Originally posted by Rick Wilson:
"It’s not a scheduled task and cannot be turned off."
Leslie Kirk
Miva Certified Developer
Miva Merchant Specialist since 1997
Previously of Webs Your Way (aka Leslie Nord leslienord)
Email me: [email protected]
www.lesliekirk.com
Follow me: Twitter | Facebook | FourSquare | Pinterest | Flickr
-
Hi David, I do have a couple of clients running modules that allow for arbitrary SQL queries written into template code. They only do SELECT queries, so they can't modify any data; but from what you wrote, apparently they can still be a violation. If I add a log-keeping feature to these modules, will that be sufficient? Or do I have to replace them with dedicated modules where the query is hard-coded?
In case it matters, I should mention that the queries generated by these modules don't use any input from the shopping pages; so no one but an admin user can access or modify them.
Thanks --Kent Multer
Magic Metal Productions
http://TheMagicM.com
* Web developer/designer
* E-commerce and Miva
* Author, The Official Miva Web Scripting Book -- available on-line:
http://www.amazon.com/exec/obidos/IS...icmetalproducA
-
If you're needing to retrieve data to a page template via direct query that is inaccessible because there is not an appropriate function, variable, etc., then it would be best to let us know that, the usage scenario, etc. and we can determine if there's a software improvement that could be made, an alternate and preferred way of access, or explain why such data should not be accessed in that manner.
Putting arbitrary SQL queries in a page template means: a request to that template executes it; it's probably not a prepared statement; it didn't go through any of the testing/QA that all of Merchant and its queries go through during the release cycle; it may or may not be database agnostic, so it could break if Merchant's underlying DBMS is changed; you don't know who made the request, and you can't log who made the request since you don't know who it was; a non-admin with user interface privilege could insert/alter/remove the code from a page template, bypassing the need for admin rights to get to data they should not see; and so on and so forth.
-
Hi David, I just did a search thru my files, and here are the cases where I used a module to create SQL queries from page templates. I always look thru the LSK before I write one of these. Without a custom query, they would require multiple library calls and/or code loops to filter the data down to what the client actually wants.
Several stores are using this one in page templates that generate reports of orders during a specified time period:
Code:
<mvt:assign name="l.settings:sql" value="'SELECT * FROM [s]Orders WHERE (orderdate >=' $ g.startdate $ ') AND (orderdate <=' $ g.enddate $ ') ORDER BY orderdate'" />

Here's one for a client who wants a display on the shopping pages of all categories that are currently on sale.
Code:
<mvt:assign name="l.settings:on_sale:sql" value="' SELECT p.id AS pgrp_id, p.name AS sale_name, p.dt_start, p.dt_end, c.* FROM [s]PriceGroups p, [s]PriceGroupXCategory pxc, [s]Categories c WHERE (pxc.pgrp_id = p.id) AND (pxc.cat_id = c.id) AND (dt_start <= ' $ s.time_t $ ') AND ((dt_end = 0) OR (dt_end > ' $ s.time_t $ ')) ORDER BY c.name'" />

This one searches for a price group of the Product Discount type (module ID = 75) that's assigned to a category, in order to extract the discount percentage for display.
Code:
<mvt:assign name="l.settings:sub_category:sql" value="'SELECT p.id, p.name, p.config FROM [s]PriceGroups p, [s]PriceGroupXCategory pxc WHERE (pxc.pgrp_id = p.id) AND (pxc.cat_id = ' $ l.settings:sub_category:id $ ') AND (p.module_id = 75) AND (dt_start <= ' $ s.time_t $ ') AND ((dt_end = 0) OR (dt_end >= ' $ s.time_t $ '))'" />
<mvt:assign name="l.settings:limit" value="'999'" />

This one works with data from the Tess's Wait List module. The client wanted to be able to see all the wait-listed items on one page.
Code:
<mvt:assign name="l.settings:sql" value="'SELECT * FROM [s]TGWaitlist ORDER BY time_added DESC'" />
Thanks --Kent Multer
Magic Metal Productions
http://TheMagicM.com
* Web developer/designer
* E-commerce and Miva
* Author, The Official Miva Web Scripting Book -- available on-line:
http://www.amazon.com/exec/obidos/IS...icmetalproducA
-
Kent, for the 1st and 4th examples, are these being used in page templates where the page can simply be requested via browser? If I'm understanding that correctly, those are incredibly bad things to be doing and the exact reason why we may move to make such code impossible to deploy. Miva Merchant has been built with access controls around order data to ensure the person who logged into the store administrative interface has the necessary permission to see order data. Miva Merchant also makes use of prepared statements, among other techniques, to reduce its susceptibility to SQL injection attacks. In your example, you're bypassing Merchant's user-level privilege system, authentication, and logging, and you're creating a SQL injection opportunity since you're passing raw input variables into the middle of the SQL query. The stores using this could be having their order data seen by whoever is able to access the page in question, hopefully with some form of auth, but who really knows, with no record of the access, and then perhaps they overload one of those variables and make the query do whatever else they'd like to see/alter in the store.
-
Yes, the 1st and 4th examples are quick-access report pages. When the client asked for them, I pointed out all these security issues, but they still wanted to go this way. For one thing, I think they want to be able to view these reports without having to log in. There are no links to these pages from anywhere else in the site; so there's no way for a malicious user to find out that the pages even exist.
The first example is the only one that accepts input from the user in URL parameters. I could put some validation code in the template, to make sure that it would only accept valid dates, nothing with any characters that could alter the SQL.
I will pass your thoughts on to the client, and recommend that we tighten things up.
How can a non-admin user alter a page template???
Thanks --Kent Multer
Magic Metal Productions
http://TheMagicM.com
* Web developer/designer
* E-commerce and Miva
* Author, The Official Miva Web Scripting Book -- available on-line:
http://www.amazon.com/exec/obidos/IS...icmetalproducA
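Added example, not code from this thread, from Miva, or from any poster: a Python/sqlite3 model of the first report query discussed above (raw g.startdate/g.enddate spliced into the SQL), placed beside the hardened form that Kent's proposed date validation would be one part of, plus the authorization and access-logging gates David lists. The table and column names, the AdminUsers table, the session dict and the payload are constructed stand-ins for illustration, not Miva Merchant's schema or its [s] prefix; the point they show is that a SELECT-only query with an unvalidated parameter still reads any table the database user can reach.

```python
import re
import sqlite3
from datetime import datetime, timezone

# Constructed stand-in schema for this demo. Table and column names are
# assumptions for illustration, not Miva Merchant's real schema.
SCHEMA = """
CREATE TABLE Orders (id INTEGER PRIMARY KEY, orderdate INTEGER, bill_email TEXT, total REAL);
CREATE TABLE AdminUsers (id INTEGER PRIMARY KEY, user TEXT, pw_hash TEXT);
INSERT INTO Orders VALUES (1001, 1700000000, 'alice@example.test', 59.00);
INSERT INTO Orders VALUES (1002, 1700100000, 'bob@example.test', 120.50);
INSERT INTO AdminUsers VALUES (1, 'admin', 'constructed-password-hash');
"""


def make_db():
    """Fresh in-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def orders_unsafe(conn, startdate, enddate):
    """Same shape as the template query: URL values spliced straight into SQL."""
    sql = ("SELECT * FROM Orders WHERE (orderdate >= " + startdate + ") "
           "AND (orderdate <= " + enddate + ") ORDER BY orderdate")
    return conn.execute(sql).fetchall()


# Hypothetical value for the g.startdate URL parameter. "AND 0" empties the
# legitimate half of the WHERE clause, UNION appends rows from an unrelated
# table, and "--" comments out the rest of the template's query so the
# column mismatch in the tail never raises an error. It is still one SELECT,
# so a "read-only" module does not contain it.
UNION_PAYLOAD = "0) AND 0 UNION SELECT id, pw_hash, user, 0 FROM AdminUsers --"

# Allow-list for a time_t value: unsigned decimal digits and nothing else.
TIME_T = re.compile(r"[0-9]{1,10}")


def is_valid_time_t(value):
    return isinstance(value, str) and TIME_T.fullmatch(value) is not None


def parse_time_t(value):
    if not is_valid_time_t(value):
        raise ValueError("date parameter must be a plain time_t integer")
    return int(value)


def report_allowed(session):
    """Stand-in for the admin privilege check the template-only approach bypasses."""
    return bool(session.get("user")) and bool(session.get("can_view_orders"))


AUDIT_LOG = []  # who ran the report, for what range, how many rows came back


def orders_safe(conn, session, startdate, enddate):
    """Authorize, validate, parameterize, then record the access."""
    if not report_allowed(session):
        raise PermissionError("order reports require an authenticated user with order privilege")
    start, end = parse_time_t(startdate), parse_time_t(enddate)
    if start > end:
        raise ValueError("start date is after end date")
    rows = conn.execute(
        "SELECT * FROM Orders WHERE orderdate >= ? AND orderdate <= ? ORDER BY orderdate",
        (start, end),  # bound as values; the driver never treats them as SQL text
    ).fetchall()
    AUDIT_LOG.append({
        "user": session["user"], "start": start, "end": end, "rows": len(rows),
        "at": datetime.now(timezone.utc).isoformat(),
    })
    return rows


if __name__ == "__main__":
    db = make_db()
    # Unauthenticated caller, SELECT-only query: the admin credential row leaks.
    print("leaked via UNION:", orders_unsafe(db, UNION_PAYLOAD, "9999999999"))
    admin = {"user": "admin", "can_view_orders": True}
    print("hardened, valid range:", orders_safe(db, admin, "1600000000", "1800000000"))
    try:
        orders_safe(db, admin, UNION_PAYLOAD, "9999999999")
    except ValueError as exc:
        print("hardened, payload rejected:", exc)
    print("audit:", AUDIT_LOG)
```

Two things worth noticing when running it: the sqlite3 driver refuses stacked statements, yet the UNION payload still works because it never leaves the single SELECT; and the validator is an allow-list on the expected type (digits only), not a blocklist of "dangerous characters", which is the form of check that survives encoding tricks. Validation alone still leaves the report readable by anyone who can reach the page, which is why the hardened function also refuses callers without the privilege and writes an audit entry.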
-
Those are honestly fairly incredible statements to make, Kent. The client wanted to hire you to assist them with accomplishing a ridiculously insecure security posture with regard to customer data, one that could subject them to severe reputational damage and real liability concerns in any number of jurisdictions, but a warning that it's a bad idea was sufficient to proceed? The hope that there are no links to certain pages on a site is now the method by which order data is protected on the sites in question, and there's simply "no way" for malicious access? You are aware malware can eavesdrop on any URL a computer accesses, or perhaps the users have even installed a browser plugin that shares each page they visit with something that then crawls said pages.
I'd request that you let us know privately any site that has this code deployed; we will inform those clients that it must be removed asap, which we can assist with, or the sites will need to be taken offline until resolved.