  1. #1
    Join Date
    Dec 2004
    Location
    New York, USA
    Posts
    1,199
    Plugin Contributions
    0

    Linkpoint / YourPay API - Security Related

    Shops using the Linkpoint / YourPay API Payment Module (v1.2.x or v1.3.x) should be aware that your PEM file supplied from LP/YP is confidential!! Unless you specifically set up access restrictions to your PEM file, it can be viewed publicly. This is dangerous for you, the shop owner!!

    This vulnerability had been reported late last year to the module's author with no resolution.

    The solution is simple. Create a .htaccess file containing the below settings
    PHP Code:
    # Deny direct HTTP access to any .pem file in this directory
    <FilesMatch "\.(pem)$">
    Order allow,deny
    Deny from all
    </FilesMatch>
    Upload the newly created .htaccess file to directory (same as pem file location):
    ../includes/modules/payment/linkpoint_api/

    Remember to do this for your http and https related directories - if you have the PEM in both (and are using 2 separate directories for non-SSL and SSL)

    You can test the viewability by typing the path to the file in your browser (remember to clear cache in between tests).
    Ex. _www.YOURDOMAIN.com/includes/modules/payment/linkpoint_api/xxxxxx.pem

    For some reason there is no official support thread for this payment module.
    The closest one is http://www.zen-cart.com/forum/showthread.php?t=39031 and is LOCKED to new posts.
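
Added example, not part of the original thread: a Python script that automates the browser test described in post #1, requesting the PEM URL with cache-bypass headers under each base URL you pass (http and https). The module path comes from the post; the host names and PEM file name are placeholders you supply.

```python
import sys
import urllib.error
import urllib.request

# Path taken from the thread; the PEM file name is whatever LP/YP issued you.
MODULE_PATH = "/includes/modules/payment/linkpoint_api/"
PEM_MARKER = b"-----BEGIN"  # first bytes of any PEM-encoded object


def classify(status, body):
    """Turn one HTTP response into a verdict about the PEM file."""
    if status == 200 and PEM_MARKER in body:
        return "EXPOSED"         # the server handed out the file itself
    if status in (401, 403, 404):
        return "blocked"         # denied, or nothing served at this path
    if status == 200:
        return "check manually"  # 200 without PEM data, e.g. a custom error page
    return "inconclusive"


def fetch(url, timeout=10):
    """GET url with cache-bypass headers; return (status, first 4 KiB)."""
    req = urllib.request.Request(
        url, headers={"Cache-Control": "no-cache", "Pragma": "no-cache"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as err:  # 4xx/5xx arrive as exceptions
        return err.code, err.read(4096)


def audit(base_urls, pem_name, fetcher=fetch):
    """Check the PEM URL under every base URL (http and https)."""
    results = {}
    for base in base_urls:
        url = base.rstrip("/") + MODULE_PATH + pem_name
        try:
            results[url] = classify(*fetcher(url))
        except OSError:  # DNS failure, refused connection, TLS error
            results[url] = "inconclusive"
    return results


if __name__ == "__main__":
    # Usage: python check_pem.py FILE.pem http://shop.example https://shop.example
    name, bases = sys.argv[1], sys.argv[2:]
    for url, verdict in audit(bases, name).items():
        print(f"{verdict:15} {url}")
```

Any line reporting EXPOSED means the .htaccess rule is not taking effect for that directory.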

  2. #2
    Join Date
    Jan 2004
    Posts
    60,423
    Blog Entries
    4
    Plugin Contributions
    144

    Re: Linkpoint / YourPay API - Security Related

    Contribution updated here:
    http://www.zen-cart.com/index.php?ma...roducts_id=179

    Added .htaccess and index.html to prevent theft and discovery of .PEM file.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donations always welcome: www.zen-cart.com/donate

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.



  3. #3
    Join Date
    Dec 2004
    Location
    New York, USA
    Posts
    1,199
    Plugin Contributions
    0

    Re: Linkpoint / YourPay API - Security Related

    Great!! Thanks for adding that to the packaged contribution DrByte!!
