Miva, Miva Script, Miva Empresa, Miva Mia amd Miva Merchant are registered trademarks of the Miva Corporation 		 
Ivo Truxa - truXoft control systems: advanced programming and custom IT solutions home / about / webdesign / Miva / automation / contact

http://mivo.truxoft.com
MIVO!
miva beyond limits
invert colors ] 
M I V O ! 
ABOUT 
WHAT'S NEW 
SECURITY 
RESOURCES 
MERCHANT 
HOSTING 
disclaimer 
  

MIVA®  SECURITY: Using confidential data in Miva®

by Ivo Truxa, 02/23/2000

Too often I have seen Miva script sources accidentally exposed to visitors! And it happened to me too. Nobody is perfectly safe. There are too many ways how it can happen:

  • Your own mistake during the upload of the file or maintenance of your site
  • Buggy feature in a new version of Miva engine
  • Corrupted file (.htaccess for example)
  • Mistake of your IHP during an update or a backup-restore
  • Accidental misconfiguration of Miva engine
  • File permissions incorretly set (wrong permission on .htaccess can have this effect)
  • It can happen at an update of your web server software
  • Malicious hacker exploit through another security hole on your site
  • ... and for sure some more

We often need to use sensitive data in our scripts: logins, passwords, private data, personal IDs, CC#, etc. The most current example is the MvPOP command - you need to enter a login and password for a POP account. Not exceptionally it is the same login/password as you use for your FTP or Telnet access! Accidental exposure of these data could have serious consequences.

How to avoid the exposure?

Many people store the variables in another script file (e.g. config.mv) and call it with MvDO. That's slightly better, but in most cases absolutely insufficient. Better way it is to store it in the sitevar file - but only in the case it is out of your web directory. Unfortunately, by default it use to be in your cgi-bin - not secure enough!

Store the data in your data folder! Never put it directly into your code! You can use flat file and MvIMPORT or a database.

Even if the source becomes visible, it would contain just the variable names or database calls instead of the sensitive data. Although the data are not 100% secure in your data directory off the web, to get access to your data is already much more difficult. It would be of course better to store all sensitive data encrypted.

Yes, I know it is not comfortable, but it is REALLY worth of doing it even for a small test script. It is, in most cases, exactly such a test script that you forget to delete and during some changes on your site it becomes visible in clear-text for visitors.

Black-hat hackers scan sites for such vulnerabilities. In the best case they just replace your home page, but mostly you will not even notify the intrusion. They will grab all useful information and worse - they will continue to use your site for attacks on much more important and sensitive targets. Installing, in the last days (Feb Y2K) from the Yahoo attack so popular 'Stacheldraht' for DDOS (Distrubuted Denial Of Service), could serve as an example.

Take care,
Ivo


top
   

Miva and some other terms used on this page are registerd trademarks of the Miva Corporation
copyright  truXoft  © 1997-2008