[
https://issues.apache.org/jira/browse/OFBIZ-672?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12468919
]
Rohit Sureka commented on OFBIZ-672:
------------------------------------
Hi Jacopo,
I did a quick check of your commit. I created orders using both normal checkout
and the new quick checkout and everything seems to be working fine. If i change
the order number in URL for a order created by another user, i get the
following message "The specified order was not found, please try again."
I guess this is normal behavior.
I am just curious if it is possible to encrypt the data passed into the URL, to
discourage people from getting fancy ideas. Its just an idea from google
checkout.
Rohit
> Changing order # in URL allows orders made by other users to be viewed...
> -------------------------------------------------------------------------
>
> Key: OFBIZ-672
> URL: https://issues.apache.org/jira/browse/OFBIZ-672
> Project: OFBiz (The Open for Business Project)
> Issue Type: Bug
> Components: ecommerce
> Affects Versions: SVN trunk
> Reporter: Rohit Sureka
> Priority: Critical
>
> If you login to the ecommerce area of ofbiz and view an order using the URL
> https://www.example.com/ecommerce/control/orderstatus?orderId=10330, you can
> view any order made by other users by changing the order number in the URL
> for eg.
> https://www.example.com/ecommerce/control/orderstatus?orderId=TMN10550, will
> show the order #10550 and complete details such address, last digits of
> credit card etc, even if the order was placed by another user.
> I believe this is a very serious security issue as well, hence i have given
> the highest priority ratings to this issue.
> Rohit
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
