[
https://issues.apache.org/jira/browse/OFBIZ-672?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12468886
]
Chris Howe commented on OFBIZ-672:
----------------------------------
I'm not in front of an environment to see specifically what it uses, but in the
order manager app, when you're viewing an invoice and you click the "send
email" link the correct permission check is done. Whatever method the order
manager uses, the ecommerce app should be using as well.
> Changing order # in URL allows orders made by other users to be viewed...
> -------------------------------------------------------------------------
>
> Key: OFBIZ-672
> URL: https://issues.apache.org/jira/browse/OFBIZ-672
> Project: OFBiz (The Open for Business Project)
> Issue Type: Bug
> Components: ecommerce
> Affects Versions: SVN trunk
> Reporter: Rohit Sureka
> Priority: Critical
>
> If you log in to the ecommerce area of ofbiz and view an order using the URL
> https://www.example.com/ecommerce/control/orderstatus?orderId=10330, you can
> view any order made by other users by changing the order number in the URL,
> e.g.
> https://www.example.com/ecommerce/control/orderstatus?orderId=TMN10550 will
> show the order #10550 and complete details such as address, last digits of
> credit card etc., even if the order was placed by another user.
> I believe this is a very serious security issue as well, hence I have given
> the highest priority rating to this issue.
> Rohit
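The ownership check the comment above calls for, shown as an added example that is not OFBiz code: a lookup that mirrors the reported behaviour (any logged-in user sees any order found by id) beside a hardened one that returns an order only to the party that placed it or to a holder of a back-office "view any order" permission. The orders, sessions and the permission name ORDERMGR_VIEW are constructed stand-ins, not OFBiz entities.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Order:
    order_id: str
    placing_party_id: Optional[str]   # None models an anonymous/guest checkout
    summary: str


@dataclass
class Session:
    party_id: Optional[str]           # None: visitor is not logged in
    permissions: set = field(default_factory=set)


# Constructed sample data. Order ids are opaque strings (compare "10330" and
# "TMN10550" in the report), so nothing below relies on their format.
ORDERS = {
    "10330": Order("10330", "CUST_A", "ships to CUST_A, card ending 4242"),
    "TMN10550": Order("TMN10550", "CUST_B", "ships to CUST_B, card ending 1111"),
    "GUEST1": Order("GUEST1", None, "anonymous checkout"),
}

# Constructed name for a back-office permission that allows viewing any order.
ORDER_VIEW_ANY = "ORDERMGR_VIEW"


def order_status_vulnerable(session: Session, order_id: str) -> Optional[str]:
    """Mirrors the bug: being logged in is the only check, so any id works."""
    if session.party_id is None:
        return None
    order = ORDERS.get(order_id)
    return order.summary if order else None


def order_status_hardened(session: Session, order_id: str) -> Optional[str]:
    """Return the order only to its placing customer or a back-office viewer.

    Missing, foreign and guest orders all yield the same None, so the reply
    does not tell a caller whether a guessed id exists.
    """
    order = ORDERS.get(order_id)
    if order is None:
        return None
    if ORDER_VIEW_ANY in session.permissions:
        return order.summary
    if session.party_id is not None and order.placing_party_id == session.party_id:
        return order.summary
    return None
```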