[jira] [Commented] (OFBIZ-11836) IDOR vulnerability in the order processing feature in ecommerce component

Sat, 27 Jun 2020 01:49:34 -0700 


    [ 
https://issues.apache.org/jira/browse/OFBIZ-11836?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17146844#comment-17146844
 ] 

ASF subversion and git services commented on OFBIZ-11836:
---------------------------------------------------------

Commit 47b16d404436f72a484416aba34b5784e36090cd in ofbiz-framework's branch 
refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=47b16d4 ]

Fixed: IDOR vulnerability in the order processing feature in ecommerce 
component (OFBIZ-11836)

Fixes a bug when there are no problem viewing the order, my bad


> IDOR vulnerability in the order processing feature in ecommerce component
> -------------------------------------------------------------------------
>
>                 Key: OFBIZ-11836
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11836
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ecommerce, order
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 18.12.01, 17.12.04
>
>
> Harshit Shukla [mailto:[email protected]]reported this IDOR 
> vulnerability to the OFBiz security team, and we thank him for that.
> I'll later quote here his email message when the vulnerability will be fixed. 
> It's a post-auth vulnerability so we did not ask for a CVE.
> Here is Harshit's message slightly edited:
> {quote}
> https://demo-stable.ofbiz.apache.org/ecommerce/control/order.pdf?orderId=WSCO10000
> In the above URL, the parameter 'orderId' has the value 'WSCO10000' and after 
> incrementing the value to 'WSCO10001' or 'WSCO10002' will download the 
> receipt of other orders which have been placed by other users.
> All the available order receipts can be downloaded by running an automated 
> tool (Burp Intruder) on the parameter 'orderId=WSCOXXXXX'
> I have successfully tested this by using 2 different accounts: DemoCustomer 
> and DemoCustomer2 ([~jleroux] edited)
> An attacker can download order receipts of other users and this could lead to 
> information disclosure.
> The only real solution to this issue is to implement access control. The user 
> needs to be authorized for the requested information before the server 
> provides it.
> Reference:https://blog.detectify.com/2016/05/25/owasp-top-10-insecure-direct-object-reference-4/
> {quote}
> Only ecommerce is affected because we have secure permissions in backorder 
> components (ERP)



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to