[jira] Created: (OFBIZ-672) Changing order # in URL allows orders made by other users to be viewed...

13 messages
[jira] Created: (OFBIZ-672) Changing order # in URL allows orders made by other users to be viewed...

Nicolas Malin (Jira)
Changing order # in URL allows orders made by other users to be viewed...
-------------------------------------------------------------------------

                 Key: OFBIZ-672
                 URL: https://issues.apache.org/jira/browse/OFBIZ-672
             Project: OFBiz (The Open for Business Project)
          Issue Type: Bug
          Components: ecommerce
    Affects Versions: SVN trunk
            Reporter: Rohit Sureka
            Priority: Blocker


If you log in to the ecommerce area of OFBiz and view an order using the URL https://www.example.com/ecommerce/control/orderstatus?orderId=10330, you can view any order made by other users by changing the order number in the URL, e.g. https://www.example.com/ecommerce/control/orderstatus?orderId=TMN10550 will show order #10550 and complete details such as address, last digits of credit card etc., even if the order was placed by another user.

I believe this is a very serious security issue as well, hence I have given the highest priority rating to this issue.

Rohit

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Updated: (OFBIZ-672) Changing order # in URL allows orders made by other users to be viewed...

Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-672?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-672:
----------------------------------

    Priority: Critical  (was: Blocker)

Sorry Rohit, this is not a blocking issue, just critical.



[jira] Commented: (OFBIZ-672) Changing order # in URL allows orders made by other users to be viewed...

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-672?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12468771 ]

David E. Jones commented on OFBIZ-672:
--------------------------------------

How the #$%^ did this happen?

There used to be security checks throughout ecommerce to make sure that the logged in user was associated with the data, in this case through an OrderRole record.

This is pretty annoying. Whoever popped that out better fix it right away or find a big rock to hide behind.... ;)

The problem is it's way easier to fix than to trace back through the code and see who broke it.



[jira] Commented: (OFBIZ-672) Changing order # in URL allows orders made by other users to be viewed...

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-672?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12468847 ]

Jonathon Wong commented on OFBIZ-672:
-------------------------------------

I was about to say that my web applications "[made] sure that the logged in user was associated with the data". In this case, my permissions checks would work from the Order number all the way down to form a complete link with the "logged in user".

In OFBiz, that's simple enough. In my multi-customer web apps, there'd be quite a long link to trace through, e.g. Order number to Client number to Client Customer number to whatever to Logged In User.

This issue is serious, but I don't think it's apocalyptic since it doesn't stem from the framework itself. I wouldn't ask "are there any other similar issues" at this point, since there's no way to tell.

But this has prompted me to add to top of my pre-production pre-flight to-do list: audit every single function in OFBiz-ERP (not OFBiz framework).

I hope my boss doesn't see this. Sigh.



[jira] Commented: (OFBIZ-672) Changing order # in URL allows orders made by other users to be viewed...

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-672?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12468874 ]

Jacopo Cappellato commented on OFBIZ-672:
-----------------------------------------

Please see my commit with rev. 501733 that should fix the issue. However, I've not fully tested it, especially with orders created by anonymous users, so I'll leave the issue open for now.




[jira] Commented: (OFBIZ-672) Changing order # in URL allows orders made by other users to be viewed...

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-672?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12468886 ]

Chris Howe commented on OFBIZ-672:
----------------------------------

I'm not in front of an environment to see specifically what it uses, but in the order manager app, when you're viewing an invoice and you click the "send email" link the correct permission check is done. Whatever method the order manager uses, the ecommerce app should be using as well.



Re: [jira] Updated: (OFBIZ-672) Changing order # in URL allows orders made by other users to be viewed...

rohit
Hi,

"Blocker or critical" no issues, i wanted this to get maximum attention ASAP, which it did and seems to have been promptly addressed.

Rohit


[jira] Commented: (OFBIZ-672) Changing order # in URL allows orders made by other users to be viewed...

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-672?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12468919 ]

Rohit Sureka commented on OFBIZ-672:
------------------------------------

Hi Jacopo,

I did a quick check of your commit. I created orders using both normal checkout and the new quick checkout and everything seems to be working fine. If I change the order number in the URL to that of an order created by another user, I get the following message: "The specified order was not found, please try again."

I guess this is normal behavior.

I am just curious whether it is possible to encrypt the data passed in the URL, to discourage people from getting fancy ideas. It's just an idea from Google Checkout.

Rohit

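The check David Jones describes earlier in the thread (the logged-in user must be linked to the order through an OrderRole record) and the post-fix behaviour Rohit reports above, as an added example. This is not OFBiz code and not Jacopo's commit: it is a small in-memory model of the orderstatus lookup. The OrderHeader/OrderRole entity names and the PLACING_CUSTOMER role mirror OFBiz's data model; the `_NA_` anonymous party, the function names and the sample orders are assumptions made for the example.

```python
# Added example, not OFBiz code: an in-memory model of the ecommerce
# orderstatus lookup, showing the missing ownership check behind OFBIZ-672
# beside a lookup scoped to the logged-in party. OrderHeader/OrderRole and
# the PLACING_CUSTOMER role mirror OFBiz entity names; the "_NA_" anonymous
# party, the function names and the sample data are assumptions made here.
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

NOT_FOUND = "The specified order was not found, please try again."
ANON_PARTY = "_NA_"  # assumed placeholder party for anonymous checkouts


@dataclass(frozen=True)
class OrderHeader:
    order_id: str
    ship_to: str
    card_last4: str


@dataclass(frozen=True)
class OrderRole:
    order_id: str
    party_id: str
    role_type_id: str


# Constructed sample data: two logged-in customers and one anonymous order.
ORDER_HEADERS = {
    "10330": OrderHeader("10330", "1 Main St, Springfield", "4242"),
    "10550": OrderHeader("10550", "9 Elm Rd, Shelbyville", "1111"),
    "10560": OrderHeader("10560", "5 Oak Ave, Ogdenville", "9999"),
}
ORDER_ROLES = [
    OrderRole("10330", "CUST_A", "PLACING_CUSTOMER"),
    OrderRole("10550", "CUST_B", "PLACING_CUSTOMER"),
    OrderRole("10560", ANON_PARTY, "PLACING_CUSTOMER"),
]

Lookup = Callable[[str, Optional[str]], Optional[OrderHeader]]


def order_status_vulnerable(order_id: str, party_id: Optional[str]) -> Optional[OrderHeader]:
    """Pre-fix shape of the lookup: the request parameter is the only key.

    The caller's identity is never consulted, so any session that can reach
    the request can read any order by editing orderId in the URL."""
    return ORDER_HEADERS.get(order_id)


def order_status_hardened(order_id: str, party_id: Optional[str]) -> Optional[OrderHeader]:
    """Fixed shape: the lookup is keyed on (order id, caller's party).

    An order is returned only when the caller holds an OrderRole on it. Every
    other case (no session, anonymous placeholder party, no role, unknown id)
    collapses to None, so the endpoint neither leaks data nor confirms which
    order ids exist."""
    if not party_id or party_id == ANON_PARTY:
        return None
    owns_order = any(
        role.order_id == order_id and role.party_id == party_id
        for role in ORDER_ROLES
    )
    if not owns_order:
        return None
    return ORDER_HEADERS.get(order_id)


def order_status_page(lookup: Lookup, order_id: str, party_id: Optional[str]) -> str:
    """Render what the orderstatus screen would show for one request."""
    order = lookup(order_id, party_id)
    if order is None:
        return NOT_FOUND
    return f"Order {order.order_id}: ship to {order.ship_to}, card ending {order.card_last4}"


def enumerate_orders(lookup: Lookup, party_id: Optional[str],
                     candidate_ids: Iterable[str]) -> list[str]:
    """What one session learns by walking candidate ids against the lookup."""
    return [oid for oid in candidate_ids if lookup(oid, party_id) is not None]


if __name__ == "__main__":
    candidates = [str(n) for n in range(10300, 10600)]
    print("vulnerable:", enumerate_orders(order_status_vulnerable, "CUST_A", candidates))
    print("hardened:  ", enumerate_orders(order_status_hardened, "CUST_A", candidates))
    print(order_status_page(order_status_hardened, "10550", "CUST_A"))
```

Two points the model makes visible. First, the fix belongs in the data access, not in the template: the hardened lookup fails closed for every caller without an OrderRole, which also answers Jacopo's open question about anonymous orders (their role points at a placeholder party, so a logged-in customer cannot reach them, and a caller with no session is refused outright; letting an anonymous customer see their own order needs a separate per-order secret, not the order id). Second, obscuring the id in the URL is not a substitute for this check: an encrypted or random identifier only raises the cost of guessing, while an ownership check makes guessing useless.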


[jira] Commented: (OFBIZ-672) Changing order # in URL allows orders made by other users to be viewed...

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-672?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12468958 ]

Jacques Le Roux commented on OFBIZ-672:
---------------------------------------

Rohit,

There was already an effort in this direction for other reasons: https://issues.apache.org/jira/browse/OFBIZ-260. Do you want to join? I have no time for the moment to go further.



[jira] Commented: (OFBIZ-672) Changing order # in URL allows orders made by other users to be viewed...

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-672?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12469363 ]

Rohit Sureka commented on OFBIZ-672:
------------------------------------

Jacques,

I'd love to contribute to OFBiz, but I am not a programmer. If suggestions and bug information are welcome, I would gladly do that.

Jacopo,

I guess your commit addresses this issue and now a user cannot look into orders created by another user.

I just had a suggestion: if someone clicks on an order link and the order ID is not available, a long error is thrown on the screen. It would probably be nice if a message similar to "The specified order was not found, please try again." were shown instead of the OFBiz error log.

Rohit



[jira] Commented: (OFBIZ-672) Changing order # in URL allows orders made by other users to be viewed...

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-672?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12469381 ]

Jacques Le Roux commented on OFBIZ-672:
---------------------------------------

Rohit,

Sure this is a great way to contribute !

BTW, do you mean that you clicked on an existing link, or that you changed the value in the URL manually as you mentioned in your first comment?



[jira] Resolved: (OFBIZ-672) Changing order # in URL allows orders made by other users to be viewed...

Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-672?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacopo Cappellato resolved OFBIZ-672.
-------------------------------------

    Resolution: Fixed



[jira] Closed: (OFBIZ-672) Changing order # in URL allows orders made by other users to be viewed...

Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-672?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacopo Cappellato closed OFBIZ-672.
-----------------------------------

