Major security lapse in ofbiz. Changing order # in URL allows other orders to be viewed...


Major security lapse in ofbiz. Changing order # in URL allows other orders to be viewed...

rohit
Hi,

I just noticed a potentially major security loophole in ofbiz. If you log in to the ecommerce area of ofbiz and view an order using the URL https://www.example.com/ecommerce/control/orderstatus?orderId=10330, you can view any order made by other users by changing the order number in the URL, e.g. https://www.example.com/ecommerce/control/orderstatus?orderId=TMN10550 will show the order and complete details such as address, last digits of credit card etc., even if the order was placed by another user.

I hope that somebody checks if it's happening to their sites too. I believe this is a major security lapse in ofbiz, and if this error can be replicated by other users too, we can open a JIRA issue.

I hope somebody verifies the bug very soon.

Thanks

rohit

Re: Major security lapse in ofbiz. Changing order # in URL allows other orders to be viewed...

Ray Barlow
Just tested this on a few versions including official ofbiz demo site
and it is a bug, so I'd say go ahead and raise a JIRA issue.

Ray

rohit2006 wrote:

> Hi,
>
> I just noticed a potentially major security loophole in ofbiz. If you log in
> to the ecommerce area of ofbiz and view an order using the URL
> https://www.example.com/ecommerce/control/orderstatus?orderId=10330, you can
> view any order made by other users by changing the order number in the URL,
> e.g.
> https://www.example.com/ecommerce/control/orderstatus?orderId=TMN10550 will
> show the order and complete details such as address, last digits of credit card
> etc., even if the order was placed by another user.
>
> I hope that somebody checks if it's happening to their sites too. I believe
> this is a major security lapse in ofbiz, and if this error can be replicated
> by other users too, we can open a JIRA issue.
>
> I hope somebody verifies the bug very soon.
>
> Thanks
>
> rohit
>  

Re: Major security lapse in ofbiz. Changing order # in URL allows other orders to be viewed...

Jacques Le Roux
Administrator
Yes, definitely a bug.

Jacques

----- Original Message -----
From: "Ray Barlow" <[hidden email]>
To: <[hidden email]>
Sent: Tuesday, January 30, 2007 7:18 PM
Subject: Re: Major security lapse in ofbiz. Changing order # in URL allows other orders to be viewed...


> Just tested this on a few versions including official ofbiz demo site
> and it is a bug, so I'd say go ahead and raise a JIRA issue.
>
> Ray
>
> rohit2006 wrote:
> > Hi,
> >
> > I just noticed a potentially major security loophole in ofbiz. If you log in
> > to the ecommerce area of ofbiz and view an order using the URL
> > https://www.example.com/ecommerce/control/orderstatus?orderId=10330, you can
> > view any order made by other users by changing the order number in the URL,
> > e.g.
> > https://www.example.com/ecommerce/control/orderstatus?orderId=TMN10550 will
> > show the order and complete details such as address, last digits of credit card
> > etc., even if the order was placed by another user.
> >
> > I hope that somebody checks if it's happening to their sites too. I believe
> > this is a major security lapse in ofbiz, and if this error can be replicated
> > by other users too, we can open a JIRA issue.
> >
> > I hope somebody verifies the bug very soon.
> >
> > Thanks
> >
> > rohit
> >

Re: Major security lapse in ofbiz. Changing order # in URL allows other orders to be viewed...

rohit
In reply to this post by Ray Barlow
I have created a JIRA issue at https://issues.apache.org/jira/browse/OFBIZ-672

Rohit

Ray Barlow wrote:
Just tested this on a few versions including official ofbiz demo site
and it is a bug, so I'd say go ahead and raise a JIRA issue.

Ray

rohit2006 wrote:
> Hi,
>
> I just noticed a potentially major security loophole in ofbiz. If you log in
> to the ecommerce area of ofbiz and view an order using the URL
> https://www.example.com/ecommerce/control/orderstatus?orderId=10330, you can
> view any order made by other users by changing the order number in the URL,
> e.g.
> https://www.example.com/ecommerce/control/orderstatus?orderId=TMN10550 will
> show the order and complete details such as address, last digits of credit card
> etc., even if the order was placed by another user.
>
> I hope that somebody checks if it's happening to their sites too. I believe
> this is a major security lapse in ofbiz, and if this error can be replicated
> by other users too, we can open a JIRA issue.
>
> I hope somebody verifies the bug very soon.
>
> Thanks
>
> rohit
>  

Re: Major security lapse in ofbiz. Changing order # in URL allows other orders to be viewed...

Walter Vaughan
In reply to this post by rohit
rohit2006 wrote:

> I just noticed a potentially major security loophole in ofbiz. If you log in
> to the ecommerce area of ofbiz and view an order using the URL
> https://www.example.com/ecommerce/control/orderstatus?orderId=10330, you can
> view any order made by other users by changing the order number in the URL,
> e.g.

Just so I understand the problem, what you are saying is that if you have login
permissions to view orders, you want a security permission setting to view only
orders created by the person/group who created them.

Is that what you are asking?

IANAL, but it's more like you are wanting a security group that can only see
orders created by the same party_id as the current login party_id. Is that correct?

What security group are you currently using to view these orders?

--
Walter




Re: Major security lapse in ofbiz. Changing order # in URL allows other orders to be viewed...

rohit
"security permission setting to view only
orders created by person/group who created them."

I guess this is the normal expectation from the ecommerce application. I am sure nobody wants their orders to be viewed by other users and their personal info accessed.

I have not fully dug into security permissions, but basically I am using the default setup, with minor touches here and there.

Rohit

Walter Vaughan wrote:
rohit2006 wrote:

> I just noticed a potentially major security loophole in ofbiz. If you log in
> to the ecommerce area of ofbiz and view an order using the URL
> https://www.example.com/ecommerce/control/orderstatus?orderId=10330, you can
> view any order made by other users by changing the order number in the URL,
> e.g.

Just so I understand the problem, what you are saying is that if you have login
permissions to view orders, you want a security permission setting to view only
orders created by the person/group who created them.

Is that what you are asking?

IANAL, but it's more like you are wanting a security group that can only see
orders created by the same party_id as the current login party_id. Is that correct?

What security group are you currently using to view these orders?

--
Walter