CiviCRM Community Forums (archive)

This forum was archived on 25 November 2017. Learn more.

Author Topic: Cron Job Exposes Password and Site key in Email Header- UpdateMembershipRecord.p  (Read 1722 times)

chapmanla

  • Posts: 43
  • Karma: 1
  • CiviCRM version: 4.3.1
  • CMS version: Joomla 2.5.11
  • MySQL version: 5.0.95
  • PHP version: 5.2.5
Cron Job Exposes Password and Site key in Email Header- UpdateMembershipRecord.p
March 02, 2011, 06:44:28 pm
I happened to look at the email header for a Membership Renewal Reminder email sent through the UpdateMembershipRecord.php cron job.  If you follow the instructions at http://wiki.civicrm.org/confluence/display/CRMDOC33/Membership+Types, then the entire cron job command line is contained in the email's raw header, including username, password and sitekey.  Here is what I am seeing as part of the email header:

Code:
X-SG-Opt:  SCRIPT_FILENAME=/home/XXXXX/public_html/administrator/components/com_civicrm/civicrm/bin/UpdateMembershipRecord.php REQUEST_URI=/administrator/components/com_civicrm/civicrm/bin/UpdateMembershipRecord.php?%20name=XXXXX&pass=XXXXXX&key=XXXXXXXXXXXXXXXXXXXXX PWD=/home/XXXXX/public_html/administrator/components/com_civicrm/civicrm/bin
I have replaced the confidential info with X's.  I don't know if this is typical email-header behavior or something unique to my shared hosting service (Siteground).

I am sure that people more experienced in cron jobs already know this, but I wanted to tell the newbies out there that it is probably better to use the "--post-data" approach described at http://wiki.civicrm.org/confluence/display/CRMDOC33/CiviMail+Installation for all cron jobs requiring confidential info (it is currently described only for civimail.chronjob.php).  Once I changed the cron command line to use the "post-data" approach, the same part of the email header changed to:
Code:
X-Sg-Opt: SCRIPT_FILENAME=/home/XXXXX/public_html/administrator/components/com_civicrm/civicrm/bin/UpdateMembershipRecord.php  REQUEST_URI=/administrator/components/com_civicrm/civicrm/bin/UpdateMembershipRecord.php  PWD=/home/XXXXX/public_html/administrator/components/com_civicrm/civicrm/bin
If I am misunderstanding the documentation for UpdateMembershipRecord.php, please let me know.  Otherwise, it might be a good idea to change the documentation on this. 


Donald Lobo

  • Administrator
  • I’m (like) Lobo ;)
  • Posts: 15963
  • Karma: 470
  • CiviCRM version: 4.2+
  • CMS version: Drupal 7, Joomla 2.5+
  • MySQL version: 5.5.x
  • PHP version: 5.4.x
Re: Cron Job Exposes Password and Site key in Email Header- UpdateMembershipRecord.p
March 02, 2011, 07:18:16 pm

that header is added by SiteGround (SG) and is specific to their hosting, note the name:

X-SG-Opt

however, using POST is definitely more recommended than GET

we should probably also think about fixing this in cli.php and read the name/pass from a file rather than command line

lobo
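Added example (not from this thread, CiviCRM or the wiki pages linked above): the two cron-line styles side by side, a check that flags a cron line whose request URI carries name, pass or key, and a --post-file variant that reads the POST body from an owner-only file, which is one way to do what lobo suggests about keeping name/pass out of the command line. The site URL, user name, password, key and file paths are constructed placeholders.

```shell
# Constructed placeholder; replace with the real path to the cron script.
SITE_URL="https://example.org/administrator/components/com_civicrm/civicrm/bin/UpdateMembershipRecord.php"

# Weak form: name, pass and key ride in the query string, so they land in
# REQUEST_URI, which hosting-side headers such as X-SG-Opt can echo.
weak_cron_line() {
  printf 'wget -O - -q "%s?name=%s&pass=%s&key=%s"\n' "$SITE_URL" "$1" "$2" "$3"
}

# Hardened form: the same fields go in the POST body, read from a 0600 file
# (--post-file rather than --post-data, so they are not on the command line
# either). REQUEST_URI then carries only the script path.
hardened_cron_line() {
  printf 'wget -O - -q --post-file=%s "%s"\n' "$1" "$SITE_URL"
}

# Write the POST body with owner-only permissions; the subshell keeps the
# umask change from leaking into the caller.
write_post_file() {
  ( umask 077; printf 'name=%s&pass=%s&key=%s' "$1" "$2" "$3" > "$4" )
}

# Check a cron line: returns 0 if the query string of its URL carries
# name, pass or key, 1 otherwise.
uri_exposes_credentials() {
  url=$(printf '%s\n' "$1" | grep -o -E 'https?://[^ "]*')
  case "$url" in
    *\?*) query=${url#*\?} ;;
    *) return 1 ;;
  esac
  printf '%s\n' "$query" | tr '&' '\n' | grep -q -E '^(name|pass|key)='
}
```

Run the check over each line of an exported crontab to find entries that still use the query-string form.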

This forum was archived on 2017-11-26.