560700 - SSL Needed to Protect Session Identifiers

Status: VERIFIED FIXED

(Websites Graveyard :: drumbeat.org, defect)

Description

[Michael Coates [:mcoates] (acct no longer active)]

Issue

The drumbeat donations testing site does not use SSL to protect the transmission of the session identifier or qfkey. An attacker could leverage this weakness to redirect the user to a site other than paypal and then compromise the user's credit card data.

This issue was discovered at the following test site: http://donate.trellon.org/dbl/civicrm/contribute/transact?reset=1&id=1&reset=1&id=1


Recommended Remediation

Ensure the production site is deployed with SSL. SSL should be used for the entirety of the donation transaction.

Comment 1

[Gervase Markham [:gerv]]

The production Drumbeat site is deployed with SSL, and SSL is forced for certain URLs. Changing it to force SSL for the donation pages should be just a matter of updating .htaccess.

Gerv

Comment 2

[Michael Priest]

I've enabled force secure urls for civicrm pages on staging. See https://drumbeat.stage.mozilla.com/civicrm/admin/setting/url?reset=1

Comment 3

[Chelsea Novak [:chelsea]]

Can we get confirmation that this issue has been resolved?

Comment 4

[Michael Coates [:mcoates] (acct no longer active)]

We'll have to confirm this in the production version of drumbeat once it is live. The intent of this bug was to stress the correct SSL deployment when we go to prod.  

On a side note, the stage server SSL cert is not actually valid for the domain (e.g. domain name mismatch). No big deal in stage, but we can't have that error in prod. I don't think we will either since we handle SSL well for production. Just need to make sure we configure drumbeat correctly.

Comment 5

[Matt Thompson]

Can we close this one?

Comment 6

[Michael Coates [:mcoates] (acct no longer active)]

Confirmed HTTPS in use and HTTP requests redirect to HTTPS
https://www.drumbeat.org/civicrm/contribute/transact?reset=1&id=3?reset=1&id=3