
Wilko

Member Since 14 Feb 2013
Offline Last Active Nov 03 2016 03:51 PM
-----

Topics I've Started

Api Security Issue - Returning Highly Sensitive Data

13 September 2016 - 08:48 AM

I have recently posted in the security forum about the data returned via the API in response to a query on a specific order at order data level. I will simply post the link here for that thread:

 

http://forum.cs-cart...4-api-security/

 

Without repeating all that is said in ^^^ here are the fields transmitted that cause me a great deal of concern and should, I feel, be configurable / only enabled as an "option" via an API configurator in admin area:

    [payment_method] => Array
        (
            [payment_id] => 18
            [company_id] => 1
            [usergroup_ids] => 0
            [position] => 0
            [status] => A
            [template] => views/orders/components/payments/cc_outside.tpl
            [processor_id] => 1000
            [a_surcharge] => 0.000
            [p_surcharge] => 0.000
            [tax_ids] => Array
                (
                )

            [localization] => 
            [payment_category] => tab2
            
            /* IT IS THIS ARRAY THAT CAUSES ME THE MOST CONCERN! */
            
            [processor_params] => Array
                (
                    [merchant_id] => [REDACTED!]
                    [access_code] => [REDACTED!]
                    [password] => [REDACTED!]
                    [transaction_type] => SALE
                    [currency] => 826
                    [cv2_mandatory] => [REDACTED!]
                    [country_mandatory] => [REDACTED!]
                    [state_mandatory] => [REDACTED!]
                    [city_mandatory] => [REDACTED!]
                    [address_mandatory] => [REDACTED!]
                    [postcode_mandatory] => [REDACTED!]
                )

            [payment] => [REDACTED!]
            [description] => Secured By [REDACTED!]
            [instructions] => 

Api - Security

08 September 2016 - 03:44 PM

Have upgraded to 4.3.9 (from 3.0.5) - a driving force in the decision was the API and all the possibilities this opened up...

 

So have been starting to evolve some automated processing for "back office" use via the api. I was shocked to find the following in the order data output. Ok, so I would ONLY ever call the api over https BUT for those who don't know or understand the impact this is a major issue imho.

 

Coupled with the fact that passwords ARE STILL being sent via new user sign up email confirmation this is a security minefield - once again, imho!

 

Please, if anyone can advise in which template or script I can defeat this output being included in the API output, it would be greatly appreciated! If no response here I will be digging anyway to find it myself.

    [payment_method] => Array
        (
            [payment_id] => 18
            [company_id] => 1
            [usergroup_ids] => 0
            [position] => 0
            [status] => A
            [template] => views/orders/components/payments/cc_outside.tpl
            [processor_id] => 1000
            [a_surcharge] => 0.000
            [p_surcharge] => 0.000
            [tax_ids] => Array
                (
                )

            [localization] => 
            [payment_category] => tab2
            [processor_params] => Array
                (
                    [merchant_id] => [REDACTED!]
                    [access_code] => [REDACTED!]
                    [password] => [REDACTED!]
                    [transaction_type] => SALE
                    [currency] => 826
                    [cv2_mandatory] => [REDACTED!]
                    [country_mandatory] => [REDACTED!]
                    [state_mandatory] => [REDACTED!]
                    [city_mandatory] => [REDACTED!]
                    [address_mandatory] => [REDACTED!]
                    [postcode_mandatory] => [REDACTED!]
                )

            [payment] => [REDACTED!]
            [description] => Secured By [REDACTED!]
            [instructions] =>
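
One way to keep gateway settings out of serialized order data, as an added example that is not part of the original posts and is not CS-Cart code. The function names, the key lists and the sample order are assumptions; where such a filter would be called inside CS-Cart is not shown on this page.

```php
<?php
// Added example, not CS-Cart code. Key lists and function names are assumptions.
const DROP_KEYS = ['processor_params'];                       // whole subtree removed
const MASK_KEYS = ['password', 'access_code', 'merchant_id']; // value masked elsewhere
const MASK = '***';

// Return a copy of $data that is safe to serialize into an API response.
function scrub_api_response(array $data): array
{
    $out = [];
    foreach ($data as $key => $value) {
        $name = is_string($key) ? strtolower($key) : $key;
        if (in_array($name, DROP_KEYS, true)) {
            continue; // gateway configuration never leaves the server
        }
        if (in_array($name, MASK_KEYS, true)) {
            $out[$key] = MASK;
            continue;
        }
        $out[$key] = is_array($value) ? scrub_api_response($value) : $value;
    }
    return $out;
}

// List dotted paths of sensitive keys still carrying a value (regression check).
function find_sensitive_paths(array $data, string $prefix = ''): array
{
    $hits = [];
    foreach ($data as $key => $value) {
        $path = $prefix === '' ? (string) $key : $prefix . '.' . $key;
        $name = is_string($key) ? strtolower($key) : $key;
        if (in_array($name, array_merge(DROP_KEYS, MASK_KEYS), true) && $value !== MASK) {
            $hits[] = $path;
        } elseif (is_array($value)) {
            $hits = array_merge($hits, find_sensitive_paths($value, $path));
        }
    }
    return $hits;
}

// Constructed sample shaped like the order data in the post; values are placeholders.
$order = ['order_id' => 1, 'payment_method' => [
    'payment_id' => 18,
    'processor_id' => 1000,
    'processor_params' => ['merchant_id' => 'PLACEHOLDER', 'access_code' => 'PLACEHOLDER',
                           'password' => 'PLACEHOLDER', 'transaction_type' => 'SALE'],
]];

print_r(find_sensitive_paths($order));                     // flags payment_method.processor_params
print_r(find_sensitive_paths(scrub_api_response($order))); // empty array after scrubbing
```

Running `find_sensitive_paths` over decoded API responses in an automated test catches the same fields if a later upgrade reintroduces them.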