Re: [Security Concern] Printing out credit card information on the log file?

2012-03-22 Thread Paul Piper
I also agree that this is probably a security issue and could mean that you
are not getting the proper validation by credit card companies. You need to
be accredited by credit card companies with PCI DSS to even be allowed to
support credit card transactions directly (unless you use an external iPayment
service for this) and there you cannot store this sort of data in the logs.
Only -ed out credit card information should be used.

---
Paul Piper
Managing Director

Web: http://www.ilscipio.com
Tel: (+49) 611-94589441
Mobile: (+49) 176-63283066
Fax: (+49) 611-94589449
eMail: p...@ilscipio.com

 
ilscipio GmbH
Am Drosselschlag 7
D-35452 Heuchelheim
Germany

-----Original Message-----
From: Jacques Le Roux [mailto:jacques.le.r...@les7arts.com]
Sent: Wednesday, March 21, 2012 19:47
To: user@ofbiz.apache.org
Subject: Re: [Security Concern] Printing out credit card information on the log file?

From: Vicky Park vi...@pexsupply.com
 Hello folks,

 I realized that printing some information on log files could violate
 PCI DSS (Payment Card Industry Data Security Standard), depending on how
 the system is configured and how the log file is used. If I
 understood correctly, we're printing the cardholder's information,
 including credit card number, expiration and CVV number, in plain text on the log file.

 If we don't print to the log at all on the live site, that would
 solve the problem. But if there is a person who wasn't aware of that
 fact, he might accidentally violate PCI DSS compliance. For
 example, let's say there is a person who keeps the log being printed
 on the live site. And for some reason, he downloaded the log file to his
 local computer and kept it in an unsafe location, or passed it to someone else to
 let them take a look at that log file when asking for help. Then I believe he
 is violating PCI DSS compliance accidentally.
 
 
 Code involved 1:
 [PayflowPro.java:166]
 if (Debug.verboseOn()) Debug.logVerbose("Sending to Verisign: " + params.toString(), module);
 
 
 Log which is being printed:
 [Datetime] (TP-Processor70) [ PayflowPro.java:166:INFO ] Sending to Verisign: PARTNER=verisign&VENDOR=[Company]&USER=[UserID]&PWD=[Password]&COMMENT1=[Order ID]&PONUM=[PO Order Id]&CUSTCODE=[Customer's code]&TRXTYPE=[]&TENDER=[]&CVV2=*[CVV number]*&AMT=[Amount]&ACCT=*[16 digit credit card number in plain text]*&FIRSTNAME=[Cardholder's firstname]&LASTNAME=[Card holder's last name]&COMMENT2=[]&EXPDATE=*[expiration date]*&STREET=[Card holder's address]&ZIP=[card holder's zip code]
 
 
 Code involved 2:
 [RequestHandler.java:719]
 if (Debug.infoOn()) Debug.logInfo("Sending redirect to: [" + url + "], sessionId=" + UtilHttp.getSessionId(req), module);
 
 => I realized that credit card information is being printed from a
 different file as well (RequestHandler.java:719). I need to check what
 service triggers RequestHandler.java:719 and passes credit card
 information within the url variable. But at least I noticed that sometimes that
 line in the log file contains credit card information in plain text as well.
 
 
 PCI DSS involved:
 7. Restrict access to cardholder data by business need-to-know
 9. Restrict physical access to cardholder data
 [Reference] http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard
 
 
 
 So, here are my questions & recommendations:

 1. As we (at least I) want to keep the log just in case, I think it's
 better not to print out credit card information to the log file.
 What do you think? Do you think deleting that line is the best option?

It's very unlikely that anybody would run a production server with log set
at verbose level at any moment for all classes/packages.
But we could easily comment out this line indeed (not deleting it)

 2. If you guys think it's better to print out at least some
 information to the log file for some purpose, I believe it's better to
 print it out in encrypted format rather than in plain text. Otherwise we
 can print out the last 4 digits or first 4 digits, not the entire number.

Not needed if commented out; then people would be really aware that they are
sending it to the log.

 3. Do you know what triggers RequestHandler to print out credit card
 information?

I expect commenting out the line in PayflowPro.java would be enough.

 4. Is there any other file you can think of which likely prints out
 credit card information to the log file?

I don't think so. PayflowPro is not used OOTB in OFBiz IIRW

Jacques

 
 Hope it would be helpful for security improvement for myself and
 someone else who may use ofbiz on the live site.

 Thank you for reading.
 

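As an added illustration (Python, not OFBiz code and not from this thread) of the two controls the questions above touch on: redacting the Payflow-style name=value request string before it is logged (question 2's last-4-digits option, also dropping CVV2, EXPDATE and the gateway PWD that the quoted log line exposes), and auditing log files that were already written for full card numbers (the downloaded-log scenario). Field names follow the quoted log line; the sample request and log lines are constructed, with the well-known 4111... test number standing in for a real PAN.

```python
import re

# Payflow-style request string: '&'-separated name=value pairs, as in the quoted
# log line. These fields must never reach a log, even masked.
DROP_FIELDS = {"CVV2", "EXPDATE", "PWD"}   # card security code, expiry, gateway password
KEEP_LAST = 4                               # digits of ACCT that stay visible


def luhn_ok(digits: str) -> bool:
    """Luhn check, used to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact_params(params: str) -> str:
    """Return the request string with cardholder secrets removed, safe to log."""
    out = []
    for pair in params.split("&"):
        name, _, value = pair.partition("=")
        key = name.upper()
        if key in DROP_FIELDS:
            out.append(f"{name}=[redacted]")
        elif key == "ACCT":
            # keep only the last KEEP_LAST digits of the PAN
            masked = "*" * max(len(value) - KEEP_LAST, 0) + value[-KEEP_LAST:]
            out.append(f"{name}={masked}")
        else:
            out.append(pair)
    return "&".join(out)


# A bare run of 13-19 digits is a PAN candidate; Luhn filters out order ids and timestamps
# (a small fraction of unrelated 13+ digit numbers will still pass and need manual review).
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pans(line: str) -> list:
    return [m.group(0) for m in PAN_RE.finditer(line) if luhn_ok(m.group(0))]


def scan_log(lines) -> list:
    """Audit already-written log lines; report (line number, last 4) so the report leaks nothing."""
    return [(n, pan[-KEEP_LAST:]) for n, line in enumerate(lines, 1) for pan in find_pans(line)]


# Constructed sample modelled on the quoted log line; 4111... is a well-known test PAN.
SAMPLE_PARAMS = ("PARTNER=verisign&VENDOR=acme&USER=shopuser&PWD=s3cret&COMMENT1=WS10001"
                 "&TRXTYPE=S&TENDER=C&CVV2=123&AMT=42.00&ACCT=4111111111111111"
                 "&FIRSTNAME=Jane&LASTNAME=Doe&EXPDATE=1214&STREET=1 Main St&ZIP=12345")
SAMPLE_LOG = [
    "2012-03-21 19:47:01,123 (TP-Processor70) [ PayflowPro.java:166:INFO ] "
    "Sending to Verisign: " + SAMPLE_PARAMS,
    "2012-03-21 19:47:02,456 (TP-Processor70) [ RequestHandler.java:719:INFO ] "
    "Sending redirect to: [/ecommerce/control/orderhistory?orderId=WS10001], sessionId=ABC123",
]

if __name__ == "__main__":
    print(redact_params(SAMPLE_PARAMS))     # what PayflowPro.java:166 should log instead
    print(scan_log(SAMPLE_LOG))             # [(1, '1111')]: the unredacted line leaks a PAN
```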




Re: [Security Concern] Printing out credit card information on the log file?

2012-03-22 Thread Jacques Le Roux

Hi Paul,

As suggested in my answer to Vicky, I have commented out the line  
[PayflowPro.java:166]
in trunk and ALL releases (including R4.0)

Vicky, could you please confirm that this change is enough for the other
points you raised?

Trunk test is enough because all the automatic backports worked well, which is not surprising because this is really an old 
adaptation to an external payment provider.


Jacques


Re: Multiple Catalogs

2012-03-22 Thread Jacques Le Roux
Mmm... indeed, IIRW something like that has been reported lately. I don't remember if we created a Jira. I will have a look and will 
create one if needed


Jacques

Jeremy Olmstead wrote:

Well, sort of.  I used the information to initially bulk load data into
Catalog/Category/Product, etc.  It was later that I decided I needed a
different break down on the e-commerce site and that not all products
should be on the web.  I deleted the initial catalog from the web store and
put a new manually created web specific catalog up as the catalog for the
web store.  I actually thought this is all I should have needed to do, but
it didn't work, I still get all of the initial data.  Then I changed the
internal catalog type to View Allow instead of Browse Root and even changed
every category type to Internal instead of catalog.  At least the correct
categories now show up on the left side navigation, but even there, when I
drill down to a specific product and click the product detail link from the
drill down it still shows me the product as if it is from the internal
catalog!  I stopped the server and restarted MySql thinking it was some
kind of caching issue, but I still have the same problem.

Jeremy

On Wed, Mar 21, 2012 at 9:32 AM, Jacques Le Roux 
jacques.le.r...@les7arts.com wrote:


Did you try https://cwiki.apache.org/confluence/display/OFBENDUSER/Apache+OFBiz+Business+Setup+Guide#ApacheOFBizBusinessSetupGuide-catalogCategoryProductSetup ?

Jacques


Jeremy Olmstead wrote:


I have done this, but something is still not right.  How do I set my
internal catalog to not show on the web?  When I do a search or even a
direct link, my internal catalog items still show up on the e-commerce
site.

On Wed, Mar 21, 2012 at 8:59 AM, Jose F. Fernandez
jffernan...@marketic.eu wrote:

 Hi Jeremy,


you can create many catalogs (Application CATALOG MANAGER - Catalogs).
In the newly created catalog you can tell in which stores it may be visible
and associate the product categories for that catalog.
I recommend that you create a new product categories tree for the
e-commerce site.
That tree must be under a root category with type Browse Root (One) and
that root category is what you assign to your catalog.

Look at the example catalogs for reference.

Best regards,
Jose F.


----- Original Message -----

 From: Jeremy Olmstead jolmste...@gmail.com

To: user@ofbiz.apache.org
Sent: Wednesday, March 21, 2012 14:34:32
Subject: Multiple Catalogs



 I am not sure if this functionality is available OOTB. If it is, could
someone let me know, and if it is not, could someone point me in the right
direction on how this may be accomplished? What I would like to be able to
do is have two catalogs with totally different break downs in categories.
One would be for internal purposes and the other for e-commerce purposes.
All products would be in the internal catalog and all items there should
be able to be ordered, but not necessarily from the e-commerce site. The
e-commerce catalog would be a subset of the internal catalog products and
all items in there would be available for order internally and on
e-commerce. This is mainly for product breakdown navigation, but also
there are some products we don't want to sell on the Internet. Thanks for
any help.



 Jeremy 


Re: Multiple Catalogs

2012-03-22 Thread Jacques Le Roux

Yes that was here http://markmail.org/message/7jju5vtwooybywml
Time to create a Jira, could you do it for me Jeremy?
You can use the details you gave below

Thanks

Jacques




Re: Running multiple instances of OFBiz to the same database

2012-03-22 Thread Mike
Here is what I was thinking.

If one of the OFBiz ecommerce VM's crashes (or I restart it), would another
server take over the job?  Would this work If only the pool names were all
the same for all instances?

On Wed, Mar 21, 2012 at 6:08 AM, Brett Palmer brettgpal...@gmail.com wrote:

 Mike,

 I posted a similar question a while ago on this topic.  The subject
 was "How to assign JobSandbox jobs to specific application server?"

 In the posting I asked if different app servers could be configured to
 run against different job pools in the service engine.

 Here is a copy of what I posted.

 For Example we could configure our service engine to have a worker1
 pool for app server 1 and worker2 pool for app server 2:

<thread-pool send-to-pool="worker1"
             purge-job-days="4"
             failed-retry-min="3"
             ttl="1800"
             wait-millis="750"
             jobs="10"
             min-threads="5"
             max-threads="15"
             poll-enabled="true"
             poll-db-millis="2">
    <run-from-pool name="worker1"/>
</thread-pool>

<thread-pool send-to-pool="worker2"
             purge-job-days="4"
             failed-retry-min="3"
             ttl="1800"
             wait-millis="750"
             jobs="10"
             min-threads="5"
             max-threads="15"
             poll-enabled="true"
             poll-db-millis="2">
    <run-from-pool name="worker2"/>
</thread-pool>
 

 I believe the service engine still works the same way.  You can also
 have multiple app servers hitting the same jobPool in the jobSandbox.
 The only time I have run into problems with multiple servers is when
 the jobSandbox has a lot of records (50k+) and the different app servers
 start to see locks on the JobSandbox table.


 Brett

 On Wed, Mar 21, 2012 at 12:02 AM, Mike mz4whee...@gmail.com wrote:
 
  Playing around with running multiple instances of OFBiz in its own VM,
 in
  a cloud environment, to the same DB.
 
  I ran across this on the OpenTaps docs:
 
  Service engine job pool:
  Modify the file framework/service/config/serviceengine.xml for each of
 your
  instances and edit the thread-pool's send-to-pool and run-from-pool to be
  different for each instance. For example:
 
  <thread-pool send-to-pool="opentaps1" . . . ><run-from-pool name="opentaps1"/></thread-pool>
 
  What is the purpose of this?  Is this so that jobs originated on each
  instance are tracked separately on the DB?  Is there anything else that
  needs to be tweaked config-wise so the multiple instances don't collide?



Re: Running multiple instances of OFBiz to the same database

2012-03-22 Thread Mike
Thanks Jacques.  It sounds like it is good practice to have separate
unique.instanceId for each VM, but having separate pools are optional.
 If I kill a VM, and there were outstanding jobs, will another instance
take over?

On Wed, Mar 21, 2012 at 6:28 AM, Jacques Le Roux 
jacques.le.r...@les7arts.com wrote:

 From: Mike mz4whee...@gmail.com

  Playing around with running multiple instances of OFBiz in its own VM, in
 a cloud environment, to the same DB.

 I ran across this on the OpenTaps docs:

 Service engine job pool:
 Modify the file framework/service/config/serviceengine.xml for each of
 your
 instances and edit the thread-pool's send-to-pool and run-from-pool to be
 different for each instance. For example:

 <thread-pool send-to-pool="opentaps1" . . . ><run-from-pool name="opentaps1"/></thread-pool>

 What is the purpose of this?


 You don't need this as long as you don't need to isolate some jobs and
 want them running only on one of the machines (for performance or other
 reasons)


  Is this so that jobs originated on each
 instance are tracked separately on the DB?


 Yes, you can say that


  Is there anything else that
 needs to be tweaked config-wise so the multiple instances don't collide?


 You should not get multiple instances colliding. If you want only one
 instance of a job to run at a time I'd recommend setting
 semaphore="fail" on the related service

 You may also consider unique.instanceId in general.properties, look at
 this thread
 http://markmail.org/message/xhc6nfbzsd5ezscg

 And if you want to get confused a bit you might look at
 https://issues.apache.org/jira/browse/OFBIZ-4602?focusedCommentId=13199868&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13199868

 Jacques