Payment method security


Payment method security

Mason Harding
Hello.  I am looking at the page
/ecommerce/control/updateCheckoutOptions/quickcheckout, and see that you
can set a "checkOutPaymentId" that is posted to /ecommerce/control/checkout.
I've followed the code all the way to the payment gateway, but don't see
any security verifying that the user didn't change the checkOutPaymentId to
one that is not their own before posting.  I assume I am missing
something?

Thanks,
Mason

Re: Payment method security

Jacques Le Roux
Administrator
Reversing the question: how would the user change it?

Jacques

From: "Mason Harding" <[hidden email]>

> Hello.  I am looking at the page
> /ecommerce/control/updateCheckoutOptions/quickcheckout, and see that you
> can set a "checkOutPaymentId" that is posted to /ecommerce/control/checkout.
> I've followed the code all the way to the payment gateway, but don't see
> any security verifying that the user didn't change the checkOutPaymentId to
> one that is not their own before posting.  I assume I am missing
> something?
>
> Thanks,
> Mason
>

Re: Payment method security

Mason Harding
Well it is data that is posted by the user, so they could send whatever
they want.  I think the easiest way would be to use Firebug to change the
value of "checkOutPaymentId" to a different value, click on that radio
input, and submit the form.  They could also use Curl, or write a simple
program to post values after logging in and fetching the cookie.


On Sat, Apr 20, 2013 at 8:03 AM, Jacques Le Roux <
[hidden email]> wrote:

> Reversing the question: how would the user change it?
>
> Jacques
>
> From: "Mason Harding" <[hidden email]>
> > Hello.  I am looking at the page
> > /ecommerce/control/updateCheckoutOptions/quickcheckout, and see that you
> > can set a "checkOutPaymentId" that is posted to
> /ecommerce/control/checkout.
> > I've followed the code all the way to the payment gateway, but don't see
> > any security verifying that the user didn't change the checkOutPaymentId
> to
> > one that is not their own before posting.  I assume I am missing
> > something?
> >
> > Thanks,
> > Mason
> >
>

Re: Payment method security

Jacques Le Roux
Administrator
Yes, but what value the user would put in checkOutPaymentId?
I mean how would he know what to put there?
It must be a valid value for a PaymentMethod.
Of course s/he could try to hack, generating random numbers.
But it's quite complicated since you would have to checkout with each generated number until you get one corresponding to the right PaymentMethod...

Anyway, if not already done, we could indeed check that this value is not changed.
You could create a Jira, attaching a patch would be appreciated, we could use a session attribute for that.

Jacques

From: "Mason Harding" <[hidden email]>

> Well it is data that is posted by the user, so they could send whatever
> they want.  I think the easiest way would be to use Firebug to change the
> value of "checkOutPaymentId" to a different value, click on that radio
> input, and submit the form.  They could also use Curl, or write a simple
> program to post values after logging in and fetching the cookie.
>
>
> On Sat, Apr 20, 2013 at 8:03 AM, Jacques Le Roux <
> [hidden email]> wrote:
>
>> Reversing the question: how would the user change it?
>>
>> Jacques
>>
>> From: "Mason Harding" <[hidden email]>
>> > Hello.  I am looking at the page
>> > /ecommerce/control/updateCheckoutOptions/quickcheckout, and see that you
>> > can set a "checkOutPaymentId" that is posted to
>> /ecommerce/control/checkout.
>> > I've followed the code all the way to the payment gateway, but don't see
>> > any security verifying that the user didn't change the checkOutPaymentId
>> to
>> > one that is not their own before posting.  I assume I am missing
>> > something?
>> >
>> > Thanks,
>> > Mason
>> >
>>
>
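An added example, not code from the thread or from OFBiz, illustrating both sides of the discussion above: a checkout handler that trusts the re-posted checkOutPaymentId as-is, next to one that ties the value to the session (as Jacques suggests) and re-checks that the payment method belongs to the logged-in party. Only the parameter name comes from the thread; the in-memory data, the Session and form shapes, the sequential ids and every function name are assumptions for illustration and do not reflect OFBiz's real entities or handlers.

```python
"""Added example (not OFBiz code): tamper-proofing a posted payment-method id.

The "database", session shape and handler names below are assumptions made
for this illustration; only the parameter name checkOutPaymentId is from the
thread.
"""

from dataclasses import dataclass, field

# Constructed sample data: which payment method belongs to which party.
# Sequential ids are an assumption, chosen to show why "the user could not
# guess a valid id" is not a safe defence.
PAYMENT_METHODS = {
    "10001": {"partyId": "alice", "type": "CREDIT_CARD"},
    "10002": {"partyId": "bob", "type": "CREDIT_CARD"},
}


@dataclass
class Session:
    """Server-side session: the authenticated party plus stored attributes."""
    party_id: str
    attributes: dict = field(default_factory=dict)


class CheckoutError(Exception):
    """Raised when a checkout request fails an authorisation check."""


def select_payment_method(session: Session, form: dict) -> str:
    """Step 1 (the updateCheckoutOptions page): the user picks a method.

    Only methods owned by the logged-in party may be selected, and the chosen
    id is remembered server-side so the final checkout need not trust the
    client's copy.
    """
    payment_id = form.get("checkOutPaymentId", "")
    owner = PAYMENT_METHODS.get(payment_id, {}).get("partyId")
    if owner != session.party_id:
        raise CheckoutError("payment method does not belong to this user")
    session.attributes["checkOutPaymentId"] = payment_id
    return payment_id


def checkout_vulnerable(session: Session, form: dict) -> str:
    """Step 2 as described in the thread: whatever id the client re-posts is
    handed to the gateway. Returns the party whose method gets charged."""
    method = PAYMENT_METHODS[form["checkOutPaymentId"]]
    return method["partyId"]


def checkout_hardened(session: Session, form: dict) -> str:
    """Step 2 with two checks: the posted id must equal the one stored at
    selection time, and ownership is re-verified at the point of use."""
    posted = form.get("checkOutPaymentId")
    stored = session.attributes.get("checkOutPaymentId")
    if stored is None or posted != stored:
        raise CheckoutError("checkOutPaymentId changed since selection")
    method = PAYMENT_METHODS.get(posted)
    if method is None or method["partyId"] != session.party_id:
        raise CheckoutError("payment method does not belong to this user")
    return method["partyId"]


def outcome(handler, session: Session, payment_id: str) -> str:
    """Run a handler with a (possibly tampered) id and summarise the result."""
    try:
        return "charged:" + handler(session, {"checkOutPaymentId": payment_id})
    except CheckoutError as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    alice = Session("alice")
    select_payment_method(alice, {"checkOutPaymentId": "10001"})
    # Alice edits the radio button value to Bob's id before submitting.
    print("vulnerable:", outcome(checkout_vulnerable, alice, "10002"))
    print("hardened:  ", outcome(checkout_hardened, alice, "10002"))
    print("legit:     ", outcome(checkout_hardened, alice, "10001"))
```

The session comparison alone would be enough if every path that writes the attribute also checks ownership, but re-validating at the point of use keeps the checkout safe even when a later change adds another way to set checkOutPaymentId.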