
API Security Issue - Returning Highly Sensitive Data

 
  • Wilko
  • Advanced Member
  • Members
  • Join Date: 14-Feb 13
  • 102 posts

Posted 13 September 2016 - 08:48 AM #1

I have recently posted in the security forum about the data returned via the API in response to a query on a specific order at order data level. I will simply post the link here for that thread:

http://forum.cs-cart...4-api-security/

Without repeating all that is said in ^^^ here are the fields transmitted that cause me a great deal of concern and should, I feel, be configurable / only enabled as an "option" via an API configurator in the admin area:

    [payment_method] => Array
        (
            [payment_id] => 18
            [company_id] => 1
            [usergroup_ids] => 0
            [position] => 0
            [status] => A
            [template] => views/orders/components/payments/cc_outside.tpl
            [processor_id] => 1000
            [a_surcharge] => 0.000
            [p_surcharge] => 0.000
            [tax_ids] => Array
                (
                )

            [localization] => 
            [payment_category] => tab2
            
            /* IT IS THIS ARRAY THAT CAUSES ME THE MOST CONCERN! */
            
            [processor_params] => Array
                (
                    [merchant_id] => [REDACTED!]
                    [access_code] => [REDACTED!]
                    [password] => [REDACTED!]
                    [transaction_type] => SALE
                    [currency] => 826
                    [cv2_mandatory] => [REDACTED!]
                    [country_mandatory] => [REDACTED!]
                    [state_mandatory] => [REDACTED!]
                    [city_mandatory] => [REDACTED!]
                    [address_mandatory] => [REDACTED!]
                    [postcode_mandatory] => [REDACTED!]
                )

            [payment] => [REDACTED!]
            [description] => Secured By [REDACTED!]
            [instructions] => 


 
  • CS-Cart team
  • CS-Cart support team
  • Moderators
  • Join Date: 04-Apr 11
  • 3797 posts

Posted 13 September 2016 - 01:01 PM #2

We forwarded this information to our software engineers for examination.

Sincerely yours, CS-Cart Support Team

 

User guide       |  Developer documentation  |  Core API documentation


 
  • Wilko
  • Advanced Member
  • Members
  • Join Date: 14-Feb 13
  • 102 posts

Posted 13 September 2016 - 02:47 PM #3

Thank you... I look forward to the response.



 
  • Wilko
  • Advanced Member
  • Members
  • Join Date: 14-Feb 13
  • 102 posts

Posted 21 September 2016 - 09:53 AM #4

Any update on this?



 
  • Wilko
  • Advanced Member
  • Members
  • Join Date: 14-Feb 13
  • 102 posts

Posted 03 November 2016 - 12:17 PM #5

Ok - in the absence of any action / response - I have simply created a proxy to pull the data on the server and filter out what I don't want over the wire.
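The server-side filter that post #5 describes, as an added example written for this thread (it is not Wilko's proxy and not CS-Cart code): it takes the order payload whose shape the dump above shows and removes the payment_method fields a client never needs before anything goes over the wire. The allowlist, the SECRET_KEYS set and every value in SAMPLE_ORDER are assumptions; the key names are the ones from the dump.

```python
import copy
import json

# Constructed sample in the shape of the thread's order dump; the credential
# values are placeholders (a real response would carry live gateway secrets).
SAMPLE_ORDER = {
    "order_id": 1234,
    "total": "49.99",
    "payment_method": {
        "payment_id": 18,
        "company_id": 1,
        "status": "A",
        "template": "views/orders/components/payments/cc_outside.tpl",
        "processor_id": 1000,
        "payment_category": "tab2",
        "processor_params": {
            "merchant_id": "MERCHANT-PLACEHOLDER",
            "access_code": "ACCESS-PLACEHOLDER",
            "password": "PASSWORD-PLACEHOLDER",
            "transaction_type": "SALE",
            "currency": "826",
            "cv2_mandatory": "Y",
        },
        "payment": "Credit card",
        "description": "Secured By GATEWAY-PLACEHOLDER",
        "instructions": "",
    },
}

# payment_method keys a storefront client legitimately needs (assumed allowlist).
PAYMENT_METHOD_ALLOW = {"payment_id", "payment", "description", "instructions"}
# Key names that must never leave the server, wherever they appear (assumed).
SECRET_KEYS = {"password", "access_code", "merchant_id", "processor_params"}


def strip_secrets(node):
    """Recursively drop any key named in SECRET_KEYS; lists are walked too."""
    if isinstance(node, dict):
        return {k: strip_secrets(v) for k, v in node.items() if k not in SECRET_KEYS}
    if isinstance(node, list):
        return [strip_secrets(v) for v in node]
    return node


def filter_order(order):
    """Return a copy of the order that is safe to send to the client."""
    safe = copy.deepcopy(order)          # never mutate the server-side object
    pm = safe.get("payment_method")
    if isinstance(pm, dict):             # allowlist: keep only what the client needs
        safe["payment_method"] = {k: v for k, v in pm.items() if k in PAYMENT_METHOD_ALLOW}
    return strip_secrets(safe)           # second pass catches secrets placed elsewhere


if __name__ == "__main__":
    print(json.dumps(filter_order(SAMPLE_ORDER), indent=2))
```

The allowlist is the real control; the denylist pass is there so a credential that the API later returns under a different parent key is still caught.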



 
  • CS-Cart team
  • CS-Cart support team
  • Moderators
  • Join Date: 04-Apr 11
  • 3797 posts

Posted 14 November 2016 - 02:55 PM #6

Dear Wilko,

This issue was confirmed as a bug. It will be fixed in one of the next CS-Cart versions.


Sincerely yours, CS-Cart Support Team