[ https://issues.apache.org/jira/browse/OFBIZ-11836?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17146097#comment-17146097 ]

ASF subversion and git services commented on OFBIZ-11836:
---------------------------------------------------------

Commit 34c02e3bde4c45ab94b594a5102842eb37a7586d in ofbiz-framework's branch 
refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=34c02e3 ]

Fixed: IDOR vulnerability in the order processing feature in ecommerce 
component (OFBIZ-11836)

https://demo-stable.ofbiz.apache.org/ecommerce/control/order.pdf?orderId=WSCO10000

In the above URL, the parameter 'orderId' has the value 'WSCO10000' and after
incrementing the value to 'WSCO10001' or 'WSCO10002' will download the receipt
of other orders which have been placed by other users.

All the available order receipts can be downloaded by running an automated tool
(Burp Intruder) on the parameter 'orderId=WSCOXXXXX'

I have successfully tested this by using 2 different accounts: DemoCustomer and
DemoCustomer2

An attacker can download order receipts of other users and this could lead to
information disclosure.

The only real solution to this issue is to implement access control. The user
needs to be authorized for the requested information before the server provides
it.

Thanks: Harshit Shukla [mailto:[email protected]] reported this IDOR
vulnerability to the OFBiz security team, and we thank him for that.


> IDOR vulnerability in the order processing feature in ecommerce component
> -------------------------------------------------------------------------
>
>                 Key: OFBIZ-11836
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11836
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ecommerce, order
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>
> Harshit Shukla [mailto:[email protected]] reported this IDOR
> vulnerability to the OFBiz security team, and we thank him for that.
> I'll later quote here his email message when the vulnerability will be fixed.
> It's a post-auth vulnerability so we did not ask for a CVE.
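The commit message above states that the only real fix is object-level access control: the server must confirm the requester is authorized for the specific order before serving the receipt. The following is an added, self-contained illustration of that pattern, written for this page and not taken from the OFBiz code base. The order store, `Session` model, `ORDERMGR_VIEW` role name and the handler functions are all hypothetical; the sample access-log lines are constructed. It shows the missing-check handler beside the corrected one, and a small log heuristic a defender could use to spot sequential `orderId` enumeration from one session.

```python
"""Object-level authorization for an order-receipt endpoint (illustration).

Constructed example, not OFBiz code. Everything here (order table, session
model, role name, log format) is a hypothetical stand-in for the real system.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed sample data: orderId -> owning partyId. Ids mimic the
# sequential WSCO... scheme described in the report.
ORDERS: Dict[str, str] = {
    "WSCO10000": "DemoCustomer",
    "WSCO10001": "DemoCustomer2",
    "WSCO10002": "DemoCustomer",
}

# Hypothetical permission name for staff who may view any order.
ORDER_VIEW_ANY = "ORDERMGR_VIEW"


@dataclass(frozen=True)
class Session:
    party_id: Optional[str]                 # None means not logged in
    roles: FrozenSet[str] = field(default_factory=frozenset)


def vulnerable_order_pdf(session: Session, order_id: str) -> Tuple[int, Optional[str]]:
    """'Before' behaviour: existence of the order is the only check.

    Any authenticated (or even anonymous) caller who guesses a valid id
    receives the receipt. This is the IDOR the ticket describes.
    """
    if order_id not in ORDERS:
        return 404, None
    return 200, f"receipt for {order_id}"


def secure_order_pdf(session: Session, order_id: str) -> Tuple[int, Optional[str]]:
    """Corrected behaviour: bind the object to the requesting principal."""
    if session.party_id is None:
        return 401, None                    # must be logged in first
    owner = ORDERS.get(order_id)
    authorized = owner is not None and (
        owner == session.party_id or ORDER_VIEW_ANY in session.roles
    )
    # Same status for "missing" and "not yours": the response must not act
    # as an oracle that confirms which ids exist.
    if not authorized:
        return 404, None
    return 200, f"receipt for {order_id}"


# --- Detection side: spot one session walking many orderIds -----------------

# Constructed access-log lines: "<session> GET <path> <status>".
SAMPLE_LOG = """\
sess-a GET /ecommerce/control/order.pdf?orderId=WSCO10000 200
sess-b GET /ecommerce/control/order.pdf?orderId=WSCO10000 200
sess-b GET /ecommerce/control/order.pdf?orderId=WSCO10001 200
sess-b GET /ecommerce/control/order.pdf?orderId=WSCO10002 200
sess-a GET /ecommerce/control/order.pdf?orderId=WSCO10000 200
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<sess>\S+) GET /ecommerce/control/order\.pdf\?orderId=(?P<oid>\S+) (?P<status>\d{3})$"
)


def enumeration_suspects(lines, threshold: int = 3) -> Dict[str, int]:
    """Return {session: distinct orderIds} for sessions at or above threshold.

    A legitimate customer re-downloads the same receipt; a session touching
    many distinct ids on this endpoint is the pattern worth alerting on.
    """
    seen: Dict[str, set] = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            seen[m["sess"]].add(m["oid"])
    return {s: len(ids) for s, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    other = Session("DemoCustomer2")
    print("vulnerable:", vulnerable_order_pdf(other, "WSCO10000"))   # (200, ...)
    print("secure:    ", secure_order_pdf(other, "WSCO10000"))       # (404, None)
    print("suspects:  ", enumeration_suspects(SAMPLE_LOG))           # {'sess-b': 3}
```

The key design point is that the check compares the order's owner against the identity already established by the session, never against anything supplied in the request; a staff role is the only way to read an order you did not place. Returning the same 404 for foreign and non-existent ids keeps the endpoint from leaking which sequential ids are live.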
