Forrest Rae created OFBIZ-6207:
----------------------------------
Summary: Anyone can view any Request or Quote
Key: OFBIZ-6207
URL:
https://issues.apache.org/jira/browse/OFBIZ-6207 Project: OFBiz
Issue Type: Bug
Components: specialpurpose/ecommerce
Affects Versions: Trunk
Reporter: Forrest Rae
Priority: Critical
Attachments: OFBIZ-6207.patch
This is a security bug in the ecommerce application. Anyone can view any quote or request in the system regardless of the associated partyId. They can do this via URL parameter manipulation.
Reproduction:
1) Login to the ecommerce application as DemoCustomer.
2) Navigate to
http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9000 to view your own request.
3) Navigate to
http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9001 to view DemoCustAgent's request.
4) Navigate to
http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9002 to view DemoCustomer2's request.
Same goes for Quotes, although there are no quotes in the Demo data. The attach patch fixes this issue.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
Locked
