Security issue with Miva Synchro ???


    Hi,

    I'm not sure if this is the appropriate forum to raise this issue, but
    here goes:

    Over the last week or so, we've tried to implement Miva Synchro in our
    environment and have most of the functionality we need (there are lots
    of things we'd wish for, tho).

    The most significant issue we have right now is the fact that our Miva
    Admin username and password is showing up in our log files.

    For example, we see a lot of entries like:

    POST /plugins/MivaMerchants/admin.mvc?UserName=xxxxxxxx&Password=xxxxxxxx&Store_Code=ZZZ&Module_Code=synchro&Action=SUTL&Synchro_Action=AGRP&Screen=SUTL

    Very few people in our organization have access to our miva password and
    most references I've seen on security say it's bad practice to store
    username/password in files, especially unencrypted files. Is there
    something we're missing on the configuration for Miva Synchro, or is
    this just the way it is?

    Thanks in advance for any help in getting this issue resolved.

    Arnold
    Support Services
    [email protected]
    www.egetbetter.com

    #2
    Security issue with Miva Synchro ???



    Hi Arnold,

    I see what you are talking about and how this could be risky. I'll bring it
    up with Development to see if we can provide some sort of workaround for
    this.

    However, I do believe that those log files that store the info are only
    going to be in the Beta version as they are used for troubleshooting.

    Thanks.

    Jimmy
    Miva Support Engineer
    Please REPLY to keep message history.

    Miva Corporation
    (858) 490-2570
    Mon. - Fri., 9am - 5pm (PST)

    ***********************************
    Do you have questions? We have answers!
    Check out our FAQ at:
    http://www.miva.com/support/faqs
    ***********************************
    NEW! Miva Service Club
    Starting at only $149/yr.
    Visit www.miva.com/support for details.
    ***********************************



    -----Original Message-----
    From: egetbetterCustomerService [mailto:[email protected]]
    Sent: Sunday, September 14, 2003 12:43 AM
    To: [email protected]
    Subject: [scu] Security issue with Miva Synchro ???




      #3
      Security issue with Miva Synchro ???



      Hi Arnold,

      If you are using the secure urls to your Miva Merchant admin in Miva
      Synchro, then it will talk to your Miva Merchant admin through a secure
      connection.

      Thanks.

      Jimmy
      Miva Support Engineer



      -----Original Message-----
      From: egetbetterCustomerService [mailto:[email protected]]
      Sent: Monday, September 15, 2003 10:22 AM
      To: 'Miva User Group Support'
      Subject: RE: [scu] Security issue with Miva Synchro ???


      Hi Jimmy,

      Thanks for looking into the issue.

      Just to be perfectly clear on the log files I'm concerned about.. it's the
      server log files on the system where our miva store is hosted. Local log
      files on the PC where Miva Synchro is running is an issue for us, but not as
      serious.

      And, now that my mind is on usernames and passwords, I have another
      question: is Miva Synchro protecting (e.g. SSL) the commands between the
      miva host system and the QuickBooks system? It would be particularly
      disturbing to know that usernames/passwords are going over the internet
      without protection.

      Thanks in advance for any help in getting this issue resolved.

      Arnold
      Support Services
      [email protected]
      www.egetbetter.com


      -----Original Message-----
      From: Miva User Group Support [mailto:[email protected]]
      Sent: Monday, September 15, 2003 9:30 AM
      To: 'egetbetterCustomerService'; Synchro Users
      Subject: RE: [scu] Security issue with Miva Synchro ???



        #4
        Security issue with Miva Synchro ???



        Hi Arnold,

        What is the name of this log file that's recording that info?

        Jimmy
        Miva Support Engineer


          #5
          Error



          We just tried to sync w/ a new file ~

          Got the following error:

          Quickbooks Error: Object "6D0000-1060915392" specified in the request
          can not be found.

          Any clue what that is?

          Michelle
          www.invitationhaven.com
          We create your personalized photo announcement or invitation to be a
          gift and become a lasting memory


          -----Original Message-----
          From: Miva User Group Support [mailto:[email protected]]
          Sent: Monday, September 15, 2003 12:48 PM
          To: 'egetbetterCustomerService'; Synchro Users
          Subject: RE: [scu] Security issue with Miva Synchro ???



            #6
            Security issue with Miva Synchro ???



            Hi Arnold,

            We're working on a new release to address the log file issue you described
            here. I'll let you all know when the version is available.

            Thanks.

            Jimmy
            Miva Support Engineer



            -----Original Message-----
            From: egetbetterCustomerService [mailto:[email protected]]
            Sent: Monday, September 15, 2003 11:21 AM
            To: 'Miva User Group Support'
            Subject: RE: [scu] Security issue with Miva Synchro ???


            Hi Jimmy,

            The log file which I found with username/passwords is the access_log where
            the server stores all of the site access and activity.

            When we log in to the miva merchant admin interface (i.e. via browser)
            username and password does not show up, which is what we'd expected to be
            the case with Miva Synchro. In the admin interface, all that goes into the
            access_log is the reference to admin.mvc and a session ID.

            Thanks for the earlier info about the fact that a secure connection is used
            during the synchronization process.

            Arnold
            Support Services
            [email protected]
            www.egetbetter.com

            P.S. It looks like I have 2 email addresses registered for the user group
            and it's getting confusing as to which email I use to respond on with a
            reply.. I'll take care of that shortly by removing one of "me".



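An added example, not part of the original thread and not Miva's code: a Python check that finds access_log entries carrying the UserName and Password query parameters shown in Arnold's log line and rewrites them with the values masked. The log lines are constructed in Common Log Format; the client addresses, timestamps and the Session_ID parameter name are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Parameter names taken from the log entry quoted in the thread.
# Keys are percent-decoded and lower-cased before comparison.
SENSITIVE_PARAMS = {"username", "password"}
MARKER = "[REDACTED]"

# Request field of a Common/Combined Log Format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines. Line 1 mirrors the Synchro request from the thread,
# line 2 the browser login that logs only a session ID (Session_ID is a
# hypothetical parameter name), line 4 a percent-encoded spelling of Password.
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Sep/2003:10:02:11 -0700] "POST /plugins/MivaMerchants/admin.mvc'
    '?UserName=xxxxxxxx&Password=xxxxxxxx&Store_Code=ZZZ&Module_Code=synchro'
    '&Action=SUTL&Synchro_Action=AGRP&Screen=SUTL HTTP/1.1" 200 512',
    '192.0.2.20 - - [15/Sep/2003:10:05:40 -0700] "POST /plugins/MivaMerchants/admin.mvc'
    '?Session_ID=0123456789abcdef HTTP/1.1" 200 2048',
    '192.0.2.30 - - [15/Sep/2003:10:06:02 -0700] "GET /index.html HTTP/1.0" 200 1024',
    '192.0.2.10 - - [15/Sep/2003:10:07:19 -0700] "GET /plugins/MivaMerchants/admin.mvc'
    '?Pass%77ord=xxxxxxxx HTTP/1.1" 200 512',
]


def _pairs(target):
    """Return [(raw_pair, normalised_key), ...] for the query string of a target."""
    query = target.partition("?")[2]
    raw_pairs = query.split("&") if query else []
    return [(p, unquote_plus(p.partition("=")[0]).lower()) for p in raw_pairs]


def credential_params(line):
    """Names (as logged) of credential parameters in the request target."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    return [p.partition("=")[0] for p, key in _pairs(match.group("target"))
            if key in SENSITIVE_PARAMS]


def redact(line):
    """Return the line with credential parameter values replaced by MARKER."""
    match = REQUEST_RE.search(line)
    if not match or "?" not in match.group("target"):
        return line
    target = match.group("target")
    path = target.partition("?")[0]
    masked = [p.partition("=")[0] + "=" + MARKER if key in SENSITIVE_PARAMS else p
              for p, key in _pairs(target)]
    new_target = path + "?" + "&".join(masked)
    return line[:match.start("target")] + new_target + line[match.end("target"):]


def scan(lines):
    """Return (findings, cleaned): findings is [(line_number, [param, ...]), ...]."""
    findings, cleaned = [], []
    for number, line in enumerate(lines, start=1):
        names = credential_params(line)
        if names:
            findings.append((number, names))
        cleaned.append(redact(line))
    return findings, cleaned


if __name__ == "__main__":
    found, cleaned_lines = scan(SAMPLE_LOG)
    for number, names in found:
        print(f"line {number}: credentials in query string: {', '.join(names)}")
    print("\n".join(cleaned_lines))
```

Masking only cleans the stored copy of the log; a password that has already been written to access_log should be treated as exposed and changed.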