[
https://issues.apache.org/jira/browse/OFBIZ-672?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12469363
]
Rohit Sureka commented on OFBIZ-672:
------------------------------------
Jacques,
i did love to contribute to ofbiz, but i am not a programmer, if suggestions
and bug information are welcome, i would gladly do that.
Jacopo,
I guess you commit addresses this issue and now a user cannot look into orders
created by another user.
I just had a suggestion, if someone clicks on a order link and the order ID is
not available, a long error is thrown on the screen. It would probably be nice
if a message similar to "The specified order was not found, please try again."
is shown instead of the ofbiz error log.
Rohit
> Changing order # in URL allows orders made by other users to be viewed...
> -------------------------------------------------------------------------
>
> Key: OFBIZ-672
> URL: https://issues.apache.org/jira/browse/OFBIZ-672
> Project: OFBiz (The Open for Business Project)
> Issue Type: Bug
> Components: ecommerce
> Affects Versions: SVN trunk
> Reporter: Rohit Sureka
> Priority: Critical
>
> If you login to the ecommerce area of ofbiz and view an order using the URL
> https://www.example.com/ecommerce/control/orderstatus?orderId=10330, you can
> view any order made by other users by changing the order number in the URL
> for eg.
> https://www.example.com/ecommerce/control/orderstatus?orderId=TMN10550, will
> show the order #10550 and complete details such address, last digits of
> credit card etc, even if the order was placed by another user.
> I believe this is a very serious security issue as well, hence i have given
> the highest priority ratings to this issue.
> Rohit
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
