Tracking bug for community store review

VERIFIED WONTFIX

Status

VERIFIED WONTFIX
8 years ago
8 years ago

People

(Reporter: ygjb, Assigned: ygjb)

Tracking

Details

(Whiteboard: [completed secreview])

Attachments

(1 attachment)

(Assignee)

Description

8 years ago
Tracking bug for communitystore Security Review started 2011-01-18.
(Assignee)

Updated

8 years ago
Depends on: 627100
Assignee: nobody → infrasec
Group: websites-security
Component: communitystore.mozilla.org → Infrastructure Security: Web Security
Product: Websites → mozilla.org
QA Contact: communitystore-mozilla-org → clyon
Assignee: infrasec → yboily
Whiteboard: [in-progress secreview]
(Assignee)

Comment 1

8 years ago
1. A quick intro to what this app does.
Provides a store that allows users to upload custom shirt designs for others to buy.  Uses services from Zazzle.com to implement purchasing.

2. Where is the source code located?
http://svn.mozilla.org/projects/community_store/

3. Is there a stage server running that we can also test against? If so, please indicate what machine the web server is running on.
unknown.  Testing performed against live environment.

4. Please describe if this app will be connecting to any internal or external services or if it is able to interact with the OS.
This application interacts with Zazzle.com using the API at zazzle.com/api

5. Does this app support logins or multiple roles? If so, we'll need test accounts created for each available role.

5. What is the worst case scenario that could happen with this system, data or connected systems? (This is used to help understand the criticality of this server.)
unknown; sensitive customer information, potentially purchase information.

6. Does this website contain an administration page? If so, have the admin page blockers (listed here) all been addressed?
Yes, http://communitystore.mozilla.org/admin challenges for authentication, and I expect it routes to the admin controller.  The admin page redirects to HTTPS.

7. This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?
Requested by clyon.
(Assignee)

Updated

8 years ago
Depends on: 627125
(Assignee)

Updated

8 years ago
Depends on: 627252
(Assignee)

Comment 2

8 years ago
Review is complete, will continue to track open bugs.
Whiteboard: [in-progress secreview] → [completed secreview]
(Assignee)

Updated

8 years ago
Depends on: 650105, 655610
I emailed Steven Garrity (steven@silverorange.com) to find out if they have availability to do the code fixes. I will update the ticket once I find out more information.
Per bug 657515, we are going to take down the community store and redirect it to the international store for the time being. We have an open conversation with Fred and Silver Orange on getting these security problems resolved. Once the security problems are resolved, we will bring the website back online.
Update: I've talked to Fred and he doesn't have the resources to fix the PHP issue internally. Silver Orange has the bandwidth to fix code, but we are not going to proceed until we get the server logs pulled (bug 657645) and we determine if there is enough traffic to warrant fixing. I will post the status of the traffic after I get the logs to analyze.
Created attachment 533815 [details]
March 2011 Community Store Web Stats

These are the web stats for March 2011 on the community store. The average is about 574 visits per day and 75% of those visitors stay on the website 30 seconds of less. I am waiting for stats on how much money the store makes during the same time period to help determine if the development effort to fix the bugs will be worth it.
I am currently waiting on sales numbers from the communitystore so we can determine if fixing the website is worth the internal or external resource time. We have the traffic numbers, an estimate to fix, and just need the $ figures. As soon as I get that information, I will update the bug. The dependent bugs should not be closed until a decision has been made.

Updated

8 years ago
Depends on: 663206
QA Contact: chris → mcoates
(Assignee)

Comment 8

8 years ago
Community store has been closed down due to outstanding security issues.
Group: websites-security
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → WONTFIX
(Assignee)

Updated

8 years ago
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.