Security issue with Miva Synchro ???



Hi Arnold,

I see what you are talking about and how this could be risky. I'll bring it
up with Development to see if we can provide some sort of workaround for
this.

However, I do believe that those log files that store the info are only
going to be in the Beta version as they are used for troubleshooting.

Thanks.

Jimmy
Miva Support Engineer
Please REPLY to keep message history.

Miva Corporation
(858) 490-2570
Mon. - Fri., 9am - 5pm (PST)

***********************************
Do you have questions? We have answers!
Check out our FAQ at:
<A HREF ="http://www.miva.com/support/faqs">http://www.miva.com/support/faqs</A>
***********************************
NEW! Miva Service Club
Starting at only $149/yr.
Visit www.miva.com/support for details.
***********************************



-----Original Message-----
From: egetbetterCustomerService [mailto:[email protected]]
Sent: Sunday, September 14, 2003 12:43 AM
To: [email protected]
Subject: [scu] Security issue with Miva Synchro ???


Hi,



I'm not sure if this is the appropriate forum to raise this issue, but
here goes:



Over the last week or so, we've tried to implement Miva Synchro in our
environment and have most of the functionality we need (there are lots
of things we'd wish for, tho).



The most significant issue we have right now is the fact that our Miva
Admin username and password is showing up in our log files.

For example, we see a lot of entries like:



POST
/plugins/MivaMerchants/admin.mvc?UserName=xxxxxxxx&Password=xxxxxxxx&S

tore_Code=ZZZ&Module_Code=synchro&Action=SUTL&Sync hro_Action=AGRP&Screen
=SUTL



Very few people in our organization have access to our miva password and
most references I've seen on security say it's bad practice to store
username/password in files, especially unencrypted files. Is there
something we're missing on the configuration for Miva Synchro, or is
this just the way it is?



Thanks in advance for any help in getting this issue resolved.



Arnold

Support Services

[email protected] <mailto:[email protected]>

www.egetbetter.com <<A HREF ="http://www.egetbetter.com/> ">http://www.egetbetter.com/> </A>

Security issue with Miva Synchro ???



Hi Arnold,

If you are using the secure urls to your Miva Merchant admin in Miva
Synchro, then it will talk to your Miva Merchant admin through a secure
connection.

Thanks.

Jimmy
Miva Support Engineer
Please REPLY to keep message history.

Miva Corporation
(858) 490-2570
Mon. - Fri., 9am - 5pm (PST)

***********************************
Do you have questions? We have answers!
Check out our FAQ at:
<A HREF ="http://www.miva.com/support/faqs">http://www.miva.com/support/faqs</A>
***********************************
NEW! Miva Service Club
Starting at only $149/yr.
Visit www.miva.com/support for details.
***********************************



-----Original Message-----
From: egetbetterCustomerService [mailto:[email protected]]
Sent: Monday, September 15, 2003 10:22 AM
To: 'Miva User Group Support'
Subject: RE: [scu] Security issue with Miva Synchro ???


Hi Jimmy,

Thanks for looking into the issue.

Just to be perfectly clear on the log files I'm concerned about.. it's the
server log files on the system where our miva store is hosted. Local log
files on the PC where Miva Synchro is running is an issue for us, but not as
serious.

And, now that my mind is on usernames and passwords, I have another
question: is Miva Synchro protecting (e.g. SSL) the commands between the
miva host system and the QuickBooks system? It would be particularly
disturbing to know that usernames/passwords are going over the internet
without protection.

Thanks in advance for any help in getting this issue resolved.

Arnold
Support Services
[email protected]
www.egetbetter.com


-----Original Message-----
From: Miva User Group Support [mailto:[email protected]]
Sent: Monday, September 15, 2003 9:30 AM
To: 'egetbetterCustomerService'; Synchro Users
Subject: RE: [scu] Security issue with Miva Synchro ???

Hi Arnold,

I see what you are talking about and how this could be risky. I'll bring it
up with Development to see if we can provide some sort of workaround for
this.

However, I do believe that those log files that store the info are only
going to be in the Beta version as they are used for troubleshooting.

Thanks.

Jimmy
Miva Support Engineer
Please REPLY to keep message history.

Miva Corporation
(858) 490-2570
Mon. - Fri., 9am - 5pm (PST)

***********************************
Do you have questions? We have answers!
Check out our FAQ at:
<A HREF ="http://www.miva.com/support/faqs">http://www.miva.com/support/faqs</A>
***********************************
NEW! Miva Service Club
Starting at only $149/yr.
Visit www.miva.com/support for details.
***********************************



-----Original Message-----
From: egetbetterCustomerService [mailto:[email protected]]
Sent: Sunday, September 14, 2003 12:43 AM
To: [email protected]
Subject: [scu] Security issue with Miva Synchro ???


Hi,



I'm not sure if this is the appropriate forum to raise this issue, but
here goes:



Over the last week or so, we've tried to implement Miva Synchro in our
environment and have most of the functionality we need (there are lots
of things we'd wish for, tho).



The most significant issue we have right now is the fact that our Miva
Admin username and password is showing up in our log files.

For example, we see a lot of entries like:



POST
/plugins/MivaMerchants/admin.mvc?UserName=xxxxxxxx&Password=xxxxxxxx&S

tore_Code=ZZZ&Module_Code=synchro&Action=SUTL&Sync hro_Action=AGRP&Screen
=SUTL



Very few people in our organization have access to our miva password and
most references I've seen on security say it's bad practice to store
username/password in files, especially unencrypted files. Is there
something we're missing on the configuration for Miva Synchro, or is
this just the way it is?



Thanks in advance for any help in getting this issue resolved.



Arnold

Support Services

[email protected] <mailto:[email protected]>

www.egetbetter.com <<A HREF ="http://www.egetbetter.com/> ">http://www.egetbetter.com/> </A>

Security issue with Miva Synchro ???



Hi Arnold,

What is the name of this log file that's recording that info?

Jimmy
Miva Support Engineer
Please REPLY to keep message history.

Miva Corporation
(858) 490-2570
Mon. - Fri., 9am - 5pm (PST)

***********************************
Do you have questions? We have answers!
Check out our FAQ at:
<A HREF ="http://www.miva.com/support/faqs">http://www.miva.com/support/faqs</A>
***********************************
NEW! Miva Service Club
Starting at only $149/yr.
Visit www.miva.com/support for details.
***********************************



-----Original Message-----
From: egetbetterCustomerService [mailto:[email protected]]
Sent: Monday, September 15, 2003 10:22 AM
To: 'Miva User Group Support'
Subject: RE: [scu] Security issue with Miva Synchro ???


Hi Jimmy,

Thanks for looking into the issue.

Just to be perfectly clear on the log files I'm concerned about.. it's the
server log files on the system where our miva store is hosted. Local log
files on the PC where Miva Synchro is running is an issue for us, but not as
serious.

And, now that my mind is on usernames and passwords, I have another
question: is Miva Synchro protecting (e.g. SSL) the commands between the
miva host system and the QuickBooks system? It would be particularly
disturbing to know that usernames/passwords are going over the internet
without protection.

Thanks in advance for any help in getting this issue resolved.

Arnold
Support Services
[email protected]
www.egetbetter.com


-----Original Message-----
From: Miva User Group Support [mailto:[email protected]]
Sent: Monday, September 15, 2003 9:30 AM
To: 'egetbetterCustomerService'; Synchro Users
Subject: RE: [scu] Security issue with Miva Synchro ???

Hi Arnold,

I see what you are talking about and how this could be risky. I'll bring it
up with Development to see if we can provide some sort of workaround for
this.

However, I do believe that those log files that store the info are only
going to be in the Beta version as they are used for troubleshooting.

Thanks.

Jimmy
Miva Support Engineer
Please REPLY to keep message history.

Miva Corporation
(858) 490-2570
Mon. - Fri., 9am - 5pm (PST)

***********************************
Do you have questions? We have answers!
Check out our FAQ at:
<A HREF ="http://www.miva.com/support/faqs">http://www.miva.com/support/faqs</A>
***********************************
NEW! Miva Service Club
Starting at only $149/yr.
Visit www.miva.com/support for details.
***********************************



-----Original Message-----
From: egetbetterCustomerService [mailto:[email protected]]
Sent: Sunday, September 14, 2003 12:43 AM
To: [email protected]
Subject: [scu] Security issue with Miva Synchro ???


Hi,



I'm not sure if this is the appropriate forum to raise this issue, but
here goes:



Over the last week or so, we've tried to implement Miva Synchro in our
environment and have most of the functionality we need (there are lots
of things we'd wish for, tho).



The most significant issue we have right now is the fact that our Miva
Admin username and password is showing up in our log files.

For example, we see a lot of entries like:



POST
/plugins/MivaMerchants/admin.mvc?UserName=xxxxxxxx&Password=xxxxxxxx&S

tore_Code=ZZZ&Module_Code=synchro&Action=SUTL&Sync hro_Action=AGRP&Screen
=SUTL



Very few people in our organization have access to our miva password and
most references I've seen on security say it's bad practice to store
username/password in files, especially unencrypted files. Is there
something we're missing on the configuration for Miva Synchro, or is
this just the way it is?



Thanks in advance for any help in getting this issue resolved.



Arnold

Support Services

[email protected] <mailto:[email protected]>

www.egetbetter.com <<A HREF ="http://www.egetbetter.com/> ">http://www.egetbetter.com/> </A>

Error



We just tried to sync w/ a new file ~

Got the following error:

Quickbooks Error: Object "6D0000-1060915392" specified in the request
can not be found.

Any clue what that is?

Michelle
www.invitationhaven.com
We create your personalized photo announcement or invitation to be a
gift and become a lasting memory


-----Original Message-----
From: Miva User Group Support [mailto:[email protected]]
Sent: Monday, September 15, 2003 12:48 PM
To: 'egetbetterCustomerService'; Synchro Users
Subject: RE: [scu] Security issue with Miva Synchro ???

Hi Arnold,

What is the name of this log file that's recording that info?

Jimmy
Miva Support Engineer
Please REPLY to keep message history.

Miva Corporation
(858) 490-2570
Mon. - Fri., 9am - 5pm (PST)

***********************************
Do you have questions? We have answers!
Check out our FAQ at:
<A HREF ="http://www.miva.com/support/faqs">http://www.miva.com/support/faqs</A>
***********************************
NEW! Miva Service Club
Starting at only $149/yr.
Visit www.miva.com/support for details.
***********************************



-----Original Message-----
From: egetbetterCustomerService [mailto:[email protected]]
Sent: Monday, September 15, 2003 10:22 AM
To: 'Miva User Group Support'
Subject: RE: [scu] Security issue with Miva Synchro ???


Hi Jimmy,

Thanks for looking into the issue.

Just to be perfectly clear on the log files I'm concerned about.. it's
the
server log files on the system where our miva store is hosted. Local
log
files on the PC where Miva Synchro is running is an issue for us, but
not as
serious.

And, now that my mind is on usernames and passwords, I have another
question: is Miva Synchro protecting (e.g. SSL) the commands between
the
miva host system and the QuickBooks system? It would be particularly
disturbing to know that usernames/passwords are going over the internet
without protection.

Thanks in advance for any help in getting this issue resolved.

Arnold
Support Services
[email protected]
www.egetbetter.com


-----Original Message-----
From: Miva User Group Support [mailto:[email protected]]
Sent: Monday, September 15, 2003 9:30 AM
To: 'egetbetterCustomerService'; Synchro Users
Subject: RE: [scu] Security issue with Miva Synchro ???

Hi Arnold,

I see what you are talking about and how this could be risky. I'll bring
it
up with Development to see if we can provide some sort of workaround for
this.

However, I do believe that those log files that store the info are only
going to be in the Beta version as they are used for troubleshooting.

Thanks.

Jimmy
Miva Support Engineer
Please REPLY to keep message history.

Miva Corporation
(858) 490-2570
Mon. - Fri., 9am - 5pm (PST)

***********************************
Do you have questions? We have answers!
Check out our FAQ at:
<A HREF ="http://www.miva.com/support/faqs">http://www.miva.com/support/faqs</A>
***********************************
NEW! Miva Service Club
Starting at only $149/yr.
Visit www.miva.com/support for details.
***********************************



-----Original Message-----
From: egetbetterCustomerService [mailto:[email protected]]
Sent: Sunday, September 14, 2003 12:43 AM
To: [email protected]
Subject: [scu] Security issue with Miva Synchro ???


Hi,



I'm not sure if this is the appropriate forum to raise this issue, but
here goes:



Over the last week or so, we've tried to implement Miva Synchro in our
environment and have most of the functionality we need (there are lots
of things we'd wish for, tho).



The most significant issue we have right now is the fact that our Miva
Admin username and password is showing up in our log files.

For example, we see a lot of entries like:



POST
/plugins/MivaMerchants/admin.mvc?UserName=xxxxxxxx&Password=xxxxxxxx&S

tore_Code=ZZZ&Module_Code=synchro&Action=SUTL&Sync hro_Action=AGRP&Screen
=SUTL



Very few people in our organization have access to our miva password and
most references I've seen on security say it's bad practice to store
username/password in files, especially unencrypted files. Is there
something we're missing on the configuration for Miva Synchro, or is
this just the way it is?



Thanks in advance for any help in getting this issue resolved.



Arnold

Support Services

[email protected] <mailto:[email protected]>

www.egetbetter.com <<A HREF ="http://www.egetbetter.com/> ">http://www.egetbetter.com/> </A>

Security issue with Miva Synchro ???



Hi Arnold,

We're working on a new release to address the log file issue you described
here. I'll let you all know when the version is available.

Thanks.

Jimmy
Miva Support Engineer
Please REPLY to keep message history.

Miva Corporation
(858) 490-2570
Mon. - Fri., 9am - 5pm (PST)

***********************************
Do you have questions? We have answers!
Check out our FAQ at:
<A HREF ="http://www.miva.com/support/faqs">http://www.miva.com/support/faqs</A>
***********************************
NEW! Miva Service Club
Starting at only $149/yr.
Visit www.miva.com/support for details.
***********************************



-----Original Message-----
From: egetbetterCustomerService [mailto:[email protected]]
Sent: Monday, September 15, 2003 11:21 AM
To: 'Miva User Group Support'
Subject: RE: [scu] Security issue with Miva Synchro ???


Hi Jimmy,

The log file which I found with username/passwords is the access_log where
the server stores all of the site access and activity.

When we log in to the miva merchant admin interface (i.e. via browser)
username and password does not show up, which is what we'd expected to be
the case with Miva Synchro. In the admin interface, all that goes into the
access_log is the reference to admin.mvc and a session ID.

Thanks for the earlier info about the fact that a secure connection is used
during the synchronization process.

Arnold
Support Services
[email protected]
www.egetbetter.com

P.S. It looks like I have 2 email addresses registered for the user group
and it's getting confusing as to which email I use to respond on with a
reply.. I'll take care of that shortly by removing one of "me".



-----Original Message-----
From: Miva User Group Support [mailto:[email protected]]
Sent: Monday, September 15, 2003 10:48 AM
To: 'egetbetterCustomerService'; Synchro Users
Subject: RE: [scu] Security issue with Miva Synchro ???

Hi Arnold,

What is the name of this log file that's recording that info?

Jimmy
Miva Support Engineer
Please REPLY to keep message history.

Miva Corporation
(858) 490-2570
Mon. - Fri., 9am - 5pm (PST)

***********************************
Do you have questions? We have answers!
Check out our FAQ at:
<A HREF ="http://www.miva.com/support/faqs">http://www.miva.com/support/faqs</A>
***********************************
NEW! Miva Service Club
Starting at only $149/yr.
Visit www.miva.com/support for details.
***********************************



-----Original Message-----
From: egetbetterCustomerService [mailto:[email protected]]
Sent: Monday, September 15, 2003 10:22 AM
To: 'Miva User Group Support'
Subject: RE: [scu] Security issue with Miva Synchro ???


Hi Jimmy,

Thanks for looking into the issue.

Just to be perfectly clear on the log files I'm concerned about.. it's the
server log files on the system where our miva store is hosted. Local log
files on the PC where Miva Synchro is running is an issue for us, but not as
serious.

And, now that my mind is on usernames and passwords, I have another
question: is Miva Synchro protecting (e.g. SSL) the commands between the
miva host system and the QuickBooks system? It would be particularly
disturbing to know that usernames/passwords are going over the internet
without protection.

Thanks in advance for any help in getting this issue resolved.

Arnold
Support Services
[email protected]
www.egetbetter.com


-----Original Message-----
From: Miva User Group Support [mailto:[email protected]]
Sent: Monday, September 15, 2003 9:30 AM
To: 'egetbetterCustomerService'; Synchro Users
Subject: RE: [scu] Security issue with Miva Synchro ???

Hi Arnold,

I see what you are talking about and how this could be risky. I'll bring it
up with Development to see if we can provide some sort of workaround for
this.

However, I do believe that those log files that store the info are only
going to be in the Beta version as they are used for troubleshooting.

Thanks.

Jimmy
Miva Support Engineer
Please REPLY to keep message history.

Miva Corporation
(858) 490-2570
Mon. - Fri., 9am - 5pm (PST)

***********************************
Do you have questions? We have answers!
Check out our FAQ at:
<A HREF ="http://www.miva.com/support/faqs">http://www.miva.com/support/faqs</A>
***********************************
NEW! Miva Service Club
Starting at only $149/yr.
Visit www.miva.com/support for details.
***********************************



-----Original Message-----
From: egetbetterCustomerService [mailto:[email protected]]
Sent: Sunday, September 14, 2003 12:43 AM
To: [email protected]
Subject: [scu] Security issue with Miva Synchro ???


Hi,



I'm not sure if this is the appropriate forum to raise this issue, but
here goes:



Over the last week or so, we've tried to implement Miva Synchro in our
environment and have most of the functionality we need (there are lots
of things we'd wish for, tho).



The most significant issue we have right now is the fact that our Miva
Admin username and password is showing up in our log files.

For example, we see a lot of entries like:



POST
/plugins/MivaMerchants/admin.mvc?UserName=xxxxxxxx&Password=xxxxxxxx&S

tore_Code=ZZZ&Module_Code=synchro&Action=SUTL&Sync hro_Action=AGRP&Screen
=SUTL



Very few people in our organization have access to our miva password and
most references I've seen on security say it's bad practice to store
username/password in files, especially unencrypted files. Is there
something we're missing on the configuration for Miva Synchro, or is
this just the way it is?



Thanks in advance for any help in getting this issue resolved.



Arnold

Support Services

[email protected] <mailto:[email protected]>

www.egetbetter.com <<A HREF ="http://www.egetbetter.com/> ">http://www.egetbetter.com/> </A>