Issue The drumbeat donations testing site does not use SSL to protect the transmission of the session identifier or qfkey. An attacker could leverage this weakness to redirect the user to a site other than paypal and then compromise the user's credit card data. This issue was discovered at the following test site: http://donate.trellon.org/dbl/civicrm/contribute/transact?reset=1&id=1&reset=1&id=1 Recommended Remediation Ensure the production site is deployed with SSL. SSL should be used for the entirety of the donation transaction.
The production Drumbeat site is deployed with SSL, and SSL is forced for certain URLs. Changing it to force SSL for the donation pages should be just a matter of updating .htaccess. Gerv
Whiteboard: donation, drumbeat → donation, drumbeat server-security
I've enabled force secure urls for civicrm pages on staging. See https://drumbeat.stage.mozilla.com/civicrm/admin/setting/url?reset=1
Can we get confirmation that this issue has been resolved?
We'll have to confirm this in the production version of drumbeat once it is live. The intent of this bug was to stress the correct SSL deployment when we go to prod. On a side note, the stage server SSL cert is not actually valid for the domain (e.g. domain name mismatch). No big deal in stage, but we can't have that error in prod. I don't think we will either since we handle SSL well for production. Just need to make sure we configure drumbeat correctly.
Whiteboard: donation, drumbeat server-security → donation, drumbeat server-security [infrasec:tls]
Whiteboard: donation, drumbeat server-security [infrasec:tls] → [donation] [drumbeat] [server-security] [infrasec:tls]
Can we close this one?
Confirmed HTTPS in use and HTTP requests redirect to HTTPS https://www.drumbeat.org/civicrm/contribute/transact?reset=1&id=3?reset=1&id=3
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Product: Websites → Websites Graveyard
You need to log in before you can comment on or make changes to this bug.