Hi, "Blocker or critical" no issues, I wanted this to get maximum attention ASAP, which it did and seems to have been promptly addressed.
Rohit JIRA [EMAIL PROTECTED] wrote:
>
> [ https://issues.apache.org/jira/browse/OFBIZ-672?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
>
> Jacques Le Roux updated OFBIZ-672:
> ----------------------------------
>
> Priority: Critical (was: Blocker)
>
> Sorry Rohit, this is not a blocking issue, just critical.
>
>> Changing order # in URL allows orders made by other users to be viewed...
>> -------------------------------------------------------------------------
>>
>> Key: OFBIZ-672
>> URL: https://issues.apache.org/jira/browse/OFBIZ-672
>> Project: OFBiz (The Open for Business Project)
>> Issue Type: Bug
>> Components: ecommerce
>> Affects Versions: SVN trunk
>> Reporter: Rohit Sureka
>> Priority: Critical
>>
>> If you login to the ecommerce area of ofbiz and view an order using the
>> URL https://www.example.com/ecommerce/control/orderstatus?orderId=10330,
>> you can view any order made by other users by changing the order number
>> in the URL for eg.
>> https://www.example.com/ecommerce/control/orderstatus?orderId=TMN10550,
>> will show the order #10550 and complete details such as address, last digits
>> of credit card etc, even if the order was placed by another user.
>> I believe this is a very serious security issue as well, hence I have
>> given the highest priority ratings to this issue.
>> Rohit
>
> --
> This message is automatically generated by JIRA.
> -
> You can reply to this email to add a comment to the issue online.
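The defect reported above is an order-status lookup that trusts the orderId in the URL without checking who placed the order. The following is an added illustration, not OFBiz code: a lookup that releases any order on request, beside one that ties the result to the authenticated session and answers "not yours" and "does not exist" identically. The order records, party ids and the `is_csr` role flag are constructed for the example.

```python
# Added example, not OFBiz code: the unchecked order lookup described in the
# report beside an ownership-checked one. All data below is constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Order:
    order_id: str
    owner_party_id: str      # the customer who placed the order
    masked_card: str         # last digits only, as the report describes
    ship_to: str


# Constructed sample data; the order numbers echo the report, nothing else is real.
ORDERS = {
    "10330": Order("10330", "customer-A", "**** 1111", "1 Main St"),
    "10550": Order("10550", "customer-B", "**** 2222", "2 Elm St"),
}


class AccessDenied(Exception):
    """Raised when the session user may not see the requested order."""


def order_status_unchecked(order_id: str) -> Optional[Order]:
    """Vulnerable pattern: whoever supplies an orderId gets the order back."""
    return ORDERS.get(order_id)


def order_status(session_party_id: str, order_id: str, *, is_csr: bool = False) -> Order:
    """Hardened pattern: the identity comes from the server-side session, never
    from the request, and the row is released only if it belongs to that user
    or the caller holds a privileged role (is_csr) granted server-side."""
    order = ORDERS.get(order_id)
    # Treat "not yours" exactly like "does not exist" so the response does not
    # reveal which order numbers are valid to someone walking the id space.
    if order is None or (order.owner_party_id != session_party_id and not is_csr):
        raise AccessDenied(f"order {order_id!r} is not visible to this user")
    return order
```

The same rule has to be applied on every route that accepts an order identifier (status, invoice, shipment pages), since a check on one page alone leaves the others open.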
