Changing order # in URL allows orders made by other users to be viewed...
-------------------------------------------------------------------------
Key: OFBIZ-672
URL: https://issues.apache.org/jira/browse/OFBIZ-672
Project: OFBiz (The Open for Business Project)
Issue Type: Bug
Components: ecommerce
Affects Versions: SVN trunk
Reporter: Rohit Sureka
Priority: Blocker
If you log in to the ecommerce area of OFBiz and view an order using the URL
https://www.example.com/ecommerce/control/orderstatus?orderId=10330, you can
view any order made by other users by changing the order number in the URL;
e.g. https://www.example.com/ecommerce/control/orderstatus?orderId=TMN10550
will show order #10550 and complete details such as the address, last digits of
the credit card etc., even if the order was placed by another user.
I believe this is a very serious security issue as well, hence I have given this
issue the highest priority rating.
Rohit
--
This message is automatically generated by JIRA.
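The flaw the report describes is an authorization decision keyed only on the orderId: the handler confirms that a user is logged in, but never checks that the logged-in user is a party to the requested order (an insecure direct object reference). The example below is added here to illustrate the fix pattern; it is written in Python rather than OFBiz's Java, it is not OFBiz code, and the order table, session dict and party identifiers are constructed for the example. The role names (PLACING_CUSTOMER, BILL_TO_CUSTOMER, SHIP_TO_CUSTOMER, END_USER_CUSTOMER) are borrowed from OFBiz's OrderRole vocabulary, but the check itself is a generic ownership test that any order-status endpoint needs.

```python
"""Added example (not OFBiz code): object-level authorization on an
order-status lookup, vulnerable form beside the hardened form.

All data below is constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: str
    # party_id -> set of role type ids; mimics the OrderRole association
    roles: dict
    ship_to: str
    card_last4: str


# Constructed order table standing in for the OrderHeader/OrderRole lookup.
ORDERS = {
    "10330": Order("10330", {"party_alice": {"PLACING_CUSTOMER", "BILL_TO_CUSTOMER"}},
                   "1 Alice St", "4242"),
    "TMN10550": Order("TMN10550", {"party_bob": {"PLACING_CUSTOMER"}},
                      "2 Bob Ave", "1111"),
}

# Roles that entitle a party to see an order's status and details.
CUSTOMER_ROLES = frozenset(
    {"PLACING_CUSTOMER", "BILL_TO_CUSTOMER", "SHIP_TO_CUSTOMER", "END_USER_CUSTOMER"}
)


def render(order: Order) -> dict:
    """The response body; the card number is already reduced to last digits."""
    return {"orderId": order.order_id, "shipTo": order.ship_to,
            "cardLast4": order.card_last4}


def handle_order_status_vulnerable(session: dict, order_id: str):
    """Mirrors the reported behaviour: authentication only, no ownership check.

    Returns an (http_status, body) pair like a request handler would.
    """
    if not session.get("party_id"):
        return 401, None
    order = ORDERS.get(order_id)
    if order is None:
        return 404, None
    # Any logged-in user gets any existing order: this is the bug.
    return 200, render(order)


def has_customer_role(order: Order, party_id: str) -> bool:
    """True only if party_id holds one of CUSTOMER_ROLES on this order."""
    return bool(order.roles.get(party_id, set()) & CUSTOMER_ROLES)


def handle_order_status_fixed(session: dict, order_id: str):
    """Hardened handler: the order must exist AND belong to the caller.

    A missing order and a foreign order both yield 404 so the endpoint does
    not confirm which order ids exist to a user probing the id space.
    """
    party_id = session.get("party_id")
    if not party_id:
        return 401, None
    order = ORDERS.get(order_id)
    if order is None or not has_customer_role(order, party_id):
        return 404, None
    return 200, render(order)


if __name__ == "__main__":
    alice = {"party_id": "party_alice"}
    # Alice walks the id to Bob's order, as in the report.
    print("vulnerable:", handle_order_status_vulnerable(alice, "TMN10550"))
    print("fixed:     ", handle_order_status_fixed(alice, "TMN10550"))
    print("own order: ", handle_order_status_fixed(alice, "10330"))
```

The important design point is that the ownership predicate runs on every object-level request, not only on the "my orders" listing that produced the link; the URL parameter is attacker-controlled, so the server must re-derive entitlement from the session's party and the order's roles on each call. Folding the party into the lookup itself (query orders where orderId matches and the party has a customer role) is equivalent and avoids the fetch-then-check pattern entirely.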