Closed Bug 627082 Opened 14 years ago Closed 13 years ago

Tracking bug for community store review

Categories

(mozilla.org :: Security Assurance: Applications, task)

task
Not set
normal

Tracking

(Not tracked)

VERIFIED WONTFIX

People

(Reporter: ygjb, Assigned: ygjb)

References

Details

(Whiteboard: [completed secreview])

Attachments

(1 file)

Tracking bug for communitystore Security Review started 2011-01-18.
Assignee: nobody → infrasec
Group: websites-security
Component: communitystore.mozilla.org → Infrastructure Security: Web Security
Product: Websites → mozilla.org
QA Contact: communitystore-mozilla-org → clyon
Assignee: infrasec → yboily
Whiteboard: [in-progress secreview]
1. A quick intro to what this app does.
Provides a store that allows users to upload custom shirt designs for others to buy.  Uses services from Zazzle.com to implement purchasing.

2. Where is the source code located?
http://svn.mozilla.org/projects/community_store/

3. Is there a stage server running that we can also test against? If so, please indicate what machine the web server is running on.
Unknown. Testing performed against the live environment.

4. Please describe if this app will be connecting to any internal or external services or if it is able to interact with the OS.
This application interacts with Zazzle.com using the API at zazzle.com/api

5. Does this app support logins or multiple roles? If so, we'll need test accounts created for each available role.

6. What is the worst case scenario that could happen with this system, data or connected systems? (This is used to help understand the criticality of this server.)
Unknown; sensitive customer information, potentially purchase information.

7. Does this website contain an administration page? If so, have the admin page blockers (listed here) all been addressed?
Yes, http://communitystore.mozilla.org/admin challenges for authentication, and I expect it routes to the admin controller.  The admin page redirects to HTTPS.

8. This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?
Requested by clyon.
Review is complete, will continue to track open bugs.
Whiteboard: [in-progress secreview] → [completed secreview]
Depends on: 650105, 655610
I emailed Steven Garrity (steven@silverorange.com) to find out if they have availability to do the code fixes. I will update the ticket once I find out more information.
Per bug 657515, we are going to take down the community store and redirect it to the international store for the time being. We have an open conversation with Fred and Silver Orange on getting these security problems resolved. Once the security problems are resolved, we will bring the website back online.
Update: I've talked to Fred and he doesn't have the resources to fix the PHP issue internally. Silver Orange has the bandwidth to fix code, but we are not going to proceed until we get the server logs pulled (bug 657645) and we determine if there is enough traffic to warrant fixing. I will post the status of the traffic after I get the logs to analyze.
These are the web stats for March 2011 on the community store. The average is about 574 visits per day and 75% of those visitors stay on the website 30 seconds or less. I am waiting for stats on how much money the store makes during the same time period to help determine if the development effort to fix the bugs will be worth it.
I am currently waiting on sales numbers from the communitystore so we can determine if fixing the website is worth the internal or external resource time. We have the traffic numbers, an estimate to fix, and just need the $ figures. As soon as I get that information, I will update the bug. The dependent bugs should not be closed until a decision has been made.
Depends on: 663206
QA Contact: chris → mcoates
Community store has been closed down due to outstanding security issues.
Group: websites-security
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WONTFIX
Status: RESOLVED → VERIFIED
