[
https://issues.apache.org/jira/browse/OFBIZ-672?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12468771
]
David E. Jones commented on OFBIZ-672:
--------------------------------------
How the #$%^ did this happen?
There used to be security checks throughout ecommerce to make sure that the
logged in user was associated with the data, in this case through an OrderRole
record.
This is pretty annoying. Whoever popped that out better fix it right away or
find a big rock to hide behind.... ;)
The problem is it's way easier to fix than to trace back through the code and
see who broke it.
> Changing order # in URL allows orders made by other users to be viewed...
> -------------------------------------------------------------------------
>
> Key: OFBIZ-672
> URL: https://issues.apache.org/jira/browse/OFBIZ-672
> Project: OFBiz (The Open for Business Project)
> Issue Type: Bug
> Components: ecommerce
> Affects Versions: SVN trunk
> Reporter: Rohit Sureka
> Priority: Critical
>
> If you login to the ecommerce area of ofbiz and view an order using the URL
> https://www.example.com/ecommerce/control/orderstatus?orderId=10330, you can
> view any order made by other users by changing the order number in the URL
> for eg.
> https://www.example.com/ecommerce/control/orderstatus?orderId=TMN10550, will
> show the order #10550 and complete details such address, last digits of
> credit card etc, even if the order was placed by another user.
> I believe this is a very serious security issue as well, hence i have given
> the highest priority ratings to this issue.
> Rohit
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
