SSL Needed to Protect Session Identifiers

Status: VERIFIED FIXED
Product: Websites Graveyard
Component: www.drumbeat.org
Priority: --
Severity: critical
Reported: 8 years ago
Last modified: 3 years ago
Reporter: mcoates
Assignee: Unassigned
Whiteboard: [donation] [drumbeat] [server-security] [infrasec:tls]

Issue

The Drumbeat donations testing site does not use SSL to protect the transmission of the session identifier or qfkey. An attacker could leverage this weakness to redirect the user to a site other than PayPal and then compromise the user's credit card data.

This issue was discovered at the following test site: http://donate.trellon.org/dbl/civicrm/contribute/transact?reset=1&id=1&reset=1&id=1


Recommended Remediation

Ensure the production site is deployed with SSL. SSL should be used for the entirety of the donation transaction.
The production Drumbeat site is deployed with SSL, and SSL is forced for certain URLs. Changing it to force SSL for the donation pages should be just a matter of updating .htaccess.

Updated 8 years ago (Gerv)
Whiteboard: donation, drumbeat → donation, drumbeat server-security
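The .htaccess change suggested in the comment above, written out as an added example. This is not the Drumbeat site's actual configuration: it assumes an .htaccess in the web root, Apache with mod_rewrite and mod_headers enabled (and AllowOverride permitting them), and uses the /civicrm/ prefix that the donation URLs in this bug share. The HSTS line is an extra hardening step beyond what the thread asks for.

```apache
# Added example, not the Drumbeat site's real .htaccess.
# Goal: the CiviCRM session cookie and qfKey must never travel over plain HTTP,
# so every request under /civicrm/ is bounced to HTTPS and cookies are marked Secure.
# Assumes: .htaccess in the document root, mod_rewrite + mod_headers available.

RewriteEngine On

# Redirect plain-HTTP requests under /civicrm/ to the HTTPS equivalent.
# %{HTTPS} is "off" when the connection itself is not TLS. The second condition
# keeps the rule from looping behind a TLS-terminating proxy that forwards
# requests to Apache over HTTP but sets X-Forwarded-Proto: https.
# Apache appends the original query string (reset=1&id=... ) to the redirect.
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^civicrm/ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

<IfModule mod_headers.c>
    # Add the Secure flag to every cookie the application sets, so a browser
    # will not send the session identifier if a plain-HTTP link is followed later.
    # The lookahead avoids appending a second "; Secure" to a cookie that already has one.
    Header edit Set-Cookie "(?i)^((?:(?!;\s*secure).)*)$" "$1; Secure"

    # HSTS: browsers that have seen this header use HTTPS for the whole host for a
    # year. Only enable it once every page on the host is served over HTTPS, since
    # it applies host-wide rather than to the donation pages alone.
    Header always set Strict-Transport-Security "max-age=31536000"
</IfModule>
```

After deploying, the check made later in this bug is the right one: request a donation URL over http:// and confirm the response is a 301 with an https:// Location, then confirm that the Set-Cookie headers on the HTTPS response carry the Secure attribute.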

Comment 2

8 years ago
I've enabled Force Secure URLs for CiviCRM pages on staging. See https://drumbeat.stage.mozilla.com/civicrm/admin/setting/url?reset=1

Can we get confirmation that this issue has been resolved?

We'll have to confirm this in the production version of Drumbeat once it is live. The intent of this bug was to stress the correct SSL deployment when we go to prod.

On a side note, the stage server SSL cert is not actually valid for the domain (e.g. domain name mismatch). No big deal in stage, but we can't have that error in prod. I don't think we will either since we handle SSL well for production. Just need to make sure we configure Drumbeat correctly.
Whiteboard: donation, drumbeat server-security → donation, drumbeat server-security [infrasec:tls]
Whiteboard: donation, drumbeat server-security [infrasec:tls] → [donation] [drumbeat] [server-security] [infrasec:tls]

Comment 5

7 years ago
Can we close this one?

Confirmed HTTPS in use and HTTP requests redirect to HTTPS
https://www.drumbeat.org/civicrm/contribute/transact?reset=1&id=3?reset=1&id=3
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Group: websites-security
Updated 3 years ago (Assignee)
Product: Websites → Websites Graveyard