Hi,
I just noticed a potentially major security loophole in ofbiz. If you log in to the ecommerce area of ofbiz and view an order using the URL https://www.example.com/ecommerce/control/orderstatus?orderId=10330, you can view any order made by other users by changing the order number in the URL, e.g. https://www.example.com/ecommerce/control/orderstatus?orderId=TMN10550 will show the order and complete details such as address, last digits of credit card etc., even if the order was placed by another user.

I hope that somebody checks if it's happening to their sites too. I believe this is a major security lapse in ofbiz and if this error can be replicated by other users too, we can open a JIRA issue.

I hope somebody verifies the bug very soon.

Thanks

rohit
Just tested this on a few versions including the official ofbiz demo site and it is a bug, so I'd say go ahead and raise a JIRA issue.

Ray

rohit2006 wrote:
> Hi,
>
> I just noticed a potentially major security loophole in ofbiz. If you log in
> to the ecommerce area of ofbiz and view an order using the URL
> https://www.example.com/ecommerce/control/orderstatus?orderId=10330, you can
> view any order made by other users by changing the order number in the URL,
> e.g. https://www.example.com/ecommerce/control/orderstatus?orderId=TMN10550 will
> show the order and complete details such as address, last digits of credit card
> etc., even if the order was placed by another user.
>
> I hope that somebody checks if it's happening to their sites too. I believe
> this is a major security lapse in ofbiz and if this error can be replicated
> by other users too, we can open a JIRA issue.
>
> I hope somebody verifies the bug very soon.
>
> Thanks
>
> rohit
Yes, definitively a bug.

Jacques

----- Original Message -----
From: "Ray Barlow" <[hidden email]>
To: <[hidden email]>
Sent: Tuesday, January 30, 2007 7:18 PM
Subject: Re: Major security lapse in ofbiz. Changing order # in URL allows other orders to be viewed...

> Just tested this on a few versions including the official ofbiz demo site
> and it is a bug, so I'd say go ahead and raise a JIRA issue.
>
> Ray
>
> rohit2006 wrote:
> > Hi,
> >
> > I just noticed a potentially major security loophole in ofbiz. If you log in
> > to the ecommerce area of ofbiz and view an order using the URL
> > https://www.example.com/ecommerce/control/orderstatus?orderId=10330, you can
> > view any order made by other users by changing the order number in the URL,
> > e.g. https://www.example.com/ecommerce/control/orderstatus?orderId=TMN10550 will
> > show the order and complete details such as address, last digits of credit card
> > etc., even if the order was placed by another user.
> >
> > I hope that somebody checks if it's happening to their sites too. I believe
> > this is a major security lapse in ofbiz and if this error can be replicated
> > by other users too, we can open a JIRA issue.
> >
> > I hope somebody verifies the bug very soon.
> >
> > Thanks
> >
> > rohit
In reply to this post by Ray Barlow
I have created a JIRA issue at https://issues.apache.org/jira/browse/OFBIZ-672
Rohit
In reply to this post by rohit
rohit2006 wrote:
> I just noticed a potentially major security loophole in ofbiz. If you log in
> to the ecommerce area of ofbiz and view an order using the URL
> https://www.example.com/ecommerce/control/orderstatus?orderId=10330, you can
> view any order made by other users by changing the order number in the URL,
> e.g.

Just so I understand the problem, what you are saying is that if you have login permissions to view orders, you want a security permission setting to view only orders created by the person/group who created them. Is that what you are asking?

IANAL, but it's more like you are wanting a security group that can only see orders created by the same party_id as the current login party_id. Is that correct?

What security group are you currently using to view these orders?

--
Walter
> "security permission setting to view only
> orders created by person/group who created them."

I guess this is the normal expectation from the ecommerce application. I am sure nobody wants their orders to be viewed by other users and have others get access to their personal info.

I have not fully dug into security permissions, but basically I am using the default setup, with minor touches here and there.

Rohit
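The ownership rule Walter and Rohit settle on (an order is visible only to the party_id that placed it) as an added Python illustration; this is not OFBiz code or anything posted in the thread, and OFBiz itself is Java, so the sketch only shows the check, not the framework. It puts the lookup pattern the thread reports beside the checked version, and adds a small server-side counter of refused lookups, since one login being refused many different order ids is what the URL editing described above looks like in the logs. The ORDERS store, the party ids, the card digits and all function and class names are constructed for the example.

```python
"""Ownership check for an order-status lookup.

Added illustration for this thread, not code from OFBiz: the page describes an
order-status page that takes an orderId from the URL and shows the order to any
logged-in user, and the fix it converges on is to return an order only when it
belongs to the party that is currently logged in. Party ids, order ids and the
function names below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Order:
    order_id: str
    party_id: str      # the customer who placed the order
    ship_to: str
    card_last4: str
    total: float


# Constructed sample store: two customers, one order each.
ORDERS: Dict[str, Order] = {
    "10330": Order("10330", "party-alice", "1 Main St", "4242", 59.90),
    "TMN10550": Order("TMN10550", "party-bob", "9 Elm Rd", "1881", 120.00),
}


class LoginRequired(Exception):
    """Raised when there is no logged-in party in the session."""


def order_status_vulnerable(session_party_id: Optional[str], order_id: str) -> Optional[Order]:
    """The pattern reported in the thread: being logged in is checked, but the
    lookup is keyed on order_id alone, so any authenticated user can read any
    order by changing the id in the URL (an insecure direct object reference)."""
    if not session_party_id:
        raise LoginRequired("login required")
    return ORDERS.get(order_id)


class DenialMonitor:
    """Counts the distinct order ids each party was refused. One login being
    refused many different ids is what probing the orderId parameter looks like
    from the server side, so record() returns True once a party crosses the
    threshold and the caller can raise an alert."""

    def __init__(self, threshold: int = 5) -> None:
        self.threshold = threshold
        self.denied: Dict[str, Set[str]] = defaultdict(set)

    def record(self, party_id: str, order_id: str) -> bool:
        self.denied[party_id].add(order_id)
        return len(self.denied[party_id]) >= self.threshold


def order_status_checked(session_party_id: Optional[str], order_id: str,
                         monitor: Optional[DenialMonitor] = None) -> Optional[Order]:
    """Hardened lookup: the order must exist *and* belong to the logged-in party.
    A foreign order and an unknown id get the same not-found answer, so the
    response does not tell the caller which ids exist."""
    if not session_party_id:
        raise LoginRequired("login required")
    order = ORDERS.get(order_id)
    if order is None or order.party_id != session_party_id:
        if monitor is not None and monitor.record(session_party_id, order_id):
            print(f"alert: {session_party_id} refused {monitor.threshold} distinct orders")
        return None
    return order


if __name__ == "__main__":
    # Alice views her own order, then asks for Bob's by editing the id.
    print(order_status_vulnerable("party-alice", "TMN10550"))  # Bob's order leaks
    print(order_status_checked("party-alice", "TMN10550"))     # None
    print(order_status_checked("party-bob", "TMN10550"))       # Bob's own order
```

In a real deployment the party comparison belongs in the service or entity layer that loads the order, not only in the screen that renders it, so every path that can reach an order (status page, invoice, email resend) inherits the same check; the monitor's threshold and what it feeds (an audit log, a rate limiter) are deployment choices.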