Closed
Bug 560700
Opened 14 years ago
Closed 14 years ago
SSL Needed to Protect Session Identifiers
Categories
(Websites Graveyard :: drumbeat.org, defect)
Websites Graveyard
drumbeat.org
Tracking
(Not tracked)
VERIFIED
FIXED
People
(Reporter: mcoates, Unassigned)
Details
(Whiteboard: [donation] [drumbeat] [server-security] [infrasec:tls])
Issue

The drumbeat donations testing site does not use SSL to protect the transmission of the session identifier or qfkey. An attacker could leverage this weakness to redirect the user to a site other than paypal and then compromise the user's credit card data. This issue was discovered at the following test site: http://donate.trellon.org/dbl/civicrm/contribute/transact?reset=1&id=1&reset=1&id=1

Recommended Remediation

Ensure the production site is deployed with SSL. SSL should be used for the entirety of the donation transaction.
Comment 1•14 years ago
The production Drumbeat site is deployed with SSL, and SSL is forced for certain URLs. Changing it to force SSL for the donation pages should be just a matter of updating .htaccess. Gerv
Updated•14 years ago
Whiteboard: donation, drumbeat → donation, drumbeat server-security
Comment 2•14 years ago
I've enabled force secure urls for civicrm pages on staging. See https://drumbeat.stage.mozilla.com/civicrm/admin/setting/url?reset=1
Comment 3•14 years ago
Can we get confirmation that this issue has been resolved?
Reporter
Comment 4•14 years ago
We'll have to confirm this in the production version of drumbeat once it is live. The intent of this bug was to stress the correct SSL deployment when we go to prod. On a side note, the stage server SSL cert is not actually valid for the domain (e.g. domain name mismatch). No big deal in stage, but we can't have that error in prod. I don't think we will either since we handle SSL well for production. Just need to make sure we configure drumbeat correctly.
Reporter
Updated•14 years ago
Whiteboard: donation, drumbeat server-security → donation, drumbeat server-security [infrasec:tls]
Reporter
Updated•14 years ago
Whiteboard: donation, drumbeat server-security [infrasec:tls] → [donation] [drumbeat] [server-security] [infrasec:tls]
Comment 5•14 years ago
Can we close this one?
Reporter
Comment 6•14 years ago
Confirmed HTTPS in use and HTTP requests redirect to HTTPS https://www.drumbeat.org/civicrm/contribute/transact?reset=1&id=3?reset=1&id=3
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
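Added example, not part of this bug or of Mozilla's or CiviCRM's code: an offline check of the two properties comment 6 confirms for the donation page, namely that a plain-HTTP request is redirected to the same URL over HTTPS and that the session cookie carries the Secure attribute so the identifier is never sent in clear text. The host name, cookie name and the two sample responses are constructed, with one modelling the state the bug describes and one the state after the fix.

```python
"""Offline check of what comment 6 confirms for the donation page: a plain-HTTP
request is redirected to the same URL over HTTPS, and session cookies carry the
Secure attribute so the identifier is never sent in clear text.
All URLs and responses below are constructed sample data."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def header(headers, name):
    """First value of a header, matched case-insensitively; None if absent.
    `headers` is a list of (name, value) pairs so repeated headers survive."""
    return next((v for n, v in headers if n.lower() == name.lower()), None)


def redirects_to_https(request_url, status, headers):
    """True when an http:// request is answered with a redirect to the same
    host, path and query under https://."""
    if status not in REDIRECT_CODES:
        return False
    location = header(headers, "Location")
    if location is None:
        return False
    req, loc = urlsplit(request_url), urlsplit(location)
    return (loc.scheme == "https"
            and loc.hostname == req.hostname
            and loc.path == req.path
            and loc.query == req.query)


def cookies_missing_secure(headers):
    """Names of cookies set by Set-Cookie headers without the Secure attribute.
    A session cookie listed here would be sent by the browser over plain HTTP."""
    missing = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for cookie_name, morsel in jar.items():
            if not morsel["secure"]:
                missing.append(cookie_name)
    return missing


def audit(request_url, status, headers):
    """Findings for one plain-HTTP request/response pair; an empty list means
    the deployment behaves as the bug's remediation requires."""
    findings = []
    if (urlsplit(request_url).scheme == "http"
            and not redirects_to_https(request_url, status, headers)):
        findings.append("plain-HTTP request was served without a redirect to HTTPS")
    for cookie_name in cookies_missing_secure(headers):
        findings.append(f"cookie {cookie_name} set without the Secure attribute")
    return findings


# Constructed sample (hypothetical host): the state the bug describes, a
# session cookie issued over plain HTTP with no redirect ...
DONATION_URL = "http://donate.example.org/civicrm/contribute/transact?reset=1&id=1"
BEFORE_FIX = (200, [("Content-Type", "text/html"),
                    ("Set-Cookie", "SESS0123abcd=deadbeef; Path=/; HttpOnly")])
# ... and the state comment 6 confirms: redirect to HTTPS, Secure cookie.
AFTER_FIX = (301, [("Location",
                    "https://donate.example.org/civicrm/contribute/transact?reset=1&id=1"),
                   ("Set-Cookie", "SESS0123abcd=deadbeef; Path=/; Secure; HttpOnly")])

if __name__ == "__main__":
    for label, (status, headers) in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, audit(DONATION_URL, status, headers) or ["ok"])
```

The redirect check insists on the same host, path and query, so a redirect that lands on a different site (the substitution the bug's description warns about) or drops the CiviCRM parameters is reported as a finding rather than accepted as "HTTPS in use".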
Reporter
Updated•14 years ago
Status: RESOLVED → VERIFIED
Updated•12 years ago
Group: websites-security
Assignee
Updated•9 years ago
Product: Websites → Websites Graveyard