[ 
https://issues.apache.org/jira/browse/OFBIZ-672?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12468847
 ] 

Jonathon Wong commented on OFBIZ-672:
-------------------------------------

I was about to say that my web applications "[made] sure that the logged in 
user was associated with the data". In this case, my permissions checks would 
work from the Order number all the way down to form a complete link with the 
"logged in user".

In OFBiz, that's simple enough. In my multi-customer web apps, there'd be quite 
a long link to trace through, e.g. Order number to Client number to Client 
Customer number to whatever to Logged In User.

This issue is serious, but I don't think it's apocalyptic since it doesn't stem 
from the framework itself. I wouldn't ask "are there any other similar issues" 
at this point, since there's no way to tell.

But this has prompted me to add to the top of my pre-production pre-flight to-do 
list: audit every single function in OFBiz-ERP (not OFBiz framework).

I hope my boss doesn't see this. Sigh.

> Changing order # in URL allows orders made by other users to be viewed...
> -------------------------------------------------------------------------
>
>                 Key: OFBIZ-672
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-672
>             Project: OFBiz (The Open for Business Project)
>          Issue Type: Bug
>          Components: ecommerce
>    Affects Versions: SVN trunk
>            Reporter: Rohit Sureka
>            Priority: Critical
>
> If you log in to the ecommerce area of ofbiz and view an order using the URL 
> https://www.example.com/ecommerce/control/orderstatus?orderId=10330, you can 
> view any order made by other users by changing the order number in the URL, 
> e.g. 
> https://www.example.com/ecommerce/control/orderstatus?orderId=TMN10550 will 
> show the order #10550 and complete details such as address, last digits of 
> credit card etc., even if the order was placed by another user. 
> I believe this is a very serious security issue as well, hence I have given 
> the highest priority ratings to this issue. 
> Rohit
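As an added illustration (not OFBiz code and not from either participant), the Python sketch below places the lookup pattern the report describes beside the ownership check Jonathon outlines: the order is returned only when it can be tied back to the logged-in user, either directly through the order's party or through the longer order to client to customer to user chain. All records, names and functions here are constructed for the example.

```python
"""Ownership check for an order-status lookup.

Added illustration for the flaw reported in OFBIZ-672 and the fix described
in the comment above (tie the requested order back to the logged-in user).
This is not OFBiz code: the records, the client/customer chain and the
function names are constructed for the example.
"""
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample orders; each one records the party that placed it.
ORDERS: Dict[str, Dict[str, str]] = {
    "10330": {"party_id": "alice", "ship_to": "1 Main St", "card_last4": "1111"},
    "10550": {"party_id": "bob", "ship_to": "9 Elm Ave", "card_last4": "2222"},
}

# Constructed link tables for the multi-customer case:
# order -> client -> customer -> users allowed to act for that customer.
ORDER_CLIENT: Dict[str, str] = {"10330": "client-A", "10550": "client-B"}
CLIENT_CUSTOMER: Dict[str, str] = {"client-A": "cust-1", "client-B": "cust-2"}
CUSTOMER_USERS: Dict[str, Set[str]] = {"cust-1": {"alice"}, "cust-2": {"bob", "carol"}}

# Denied lookups, recorded so they can be logged; a burst of denials from
# one session is the signal a detection rule would key on.
DENIALS: List[Tuple[str, str]] = []


def order_status_unchecked(order_id: str) -> Optional[Dict[str, str]]:
    """The reported behaviour: the order is fetched by id alone, so any
    logged-in user who edits orderId in the URL sees another user's order."""
    return ORDERS.get(order_id)


def can_view_order(login_user: str, order_id: str) -> bool:
    """Direct ownership check: the requesting user must be the order's party."""
    order = ORDERS.get(order_id)
    return order is not None and order["party_id"] == login_user


def can_view_order_via_chain(login_user: str, order_id: str) -> bool:
    """Multi-hop check for the multi-customer case: follow
    order -> client -> customer and accept only users attached to that
    customer. Any missing link in the chain fails closed."""
    client = ORDER_CLIENT.get(order_id)
    customer = CLIENT_CUSTOMER.get(client) if client else None
    users = CUSTOMER_USERS.get(customer, set()) if customer else set()
    return login_user in users


def order_status_checked(login_user: str, order_id: str,
                         check=can_view_order) -> Optional[Dict[str, str]]:
    """Hardened lookup: authorize before returning anything. A foreign order
    and a nonexistent order produce the same result (None), so the response
    does not reveal which order ids exist."""
    if not check(login_user, order_id):
        DENIALS.append((login_user, order_id))
        return None
    return ORDERS[order_id]


if __name__ == "__main__":
    print("unchecked, bob's order as alice:", order_status_unchecked("10550"))
    print("checked,   bob's order as alice:", order_status_checked("alice", "10550"))
    print("checked,   bob's order as bob:  ", order_status_checked("bob", "10550"))
    print("chain,     bob's order as carol:",
          order_status_checked("carol", "10550", can_view_order_via_chain))
```

The essential point is that the authorization decision is made from the session's identity and the record's ownership data, never from anything the client supplies in the URL; the order id is only a lookup key. Returning the same empty result for a foreign order and for a nonexistent one keeps the id space from being enumerated, and recording the denials gives operations something to alert on.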

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
