[ofbiz-framework] branch release17.12 updated: Fixed: IDOR vulnerability in the order processing feature in ecommerce component (OFBIZ-11836)

jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release17.12 by this push:
     new 8120f75  Fixed: IDOR vulnerability in the order processing feature in ecommerce component (OFBIZ-11836)
8120f75 is described below

commit 8120f75b21186978bc87fafdc9f0b80e2ee500dc
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Fri Jun 26 09:28:49 2020 +0200

    Fixed: IDOR vulnerability in the order processing feature in ecommerce component (OFBIZ-11836)
   
    https://demo-stable.ofbiz.apache.org/ecommerce/control/order.pdf?orderId=WSCO10000
   
    In the above URL, the parameter 'orderId' has the value 'WSCO10000' and after
    incrementing the value to 'WSCO10001' or 'WSCO10002' will download the receipt
    of other orders which have been placed by other users.
   
    All the available order receipts can be downloaded by running an automated tool
    (Burp Intruder) on the parameter 'orderId=WSCOXXXXX'
   
    I have successfully tested this by using 2 different accounts: DemoCustomer and
    DemoCustomer2
   
    An attacker can download order receipts of other users and this could lead to
    information disclosure.
   
    The only real solution to this issue is to implement access control. The user
    needs to be authorized for the requested information before the server provides
    it.
   
    Thanks: Harshit Shukla [mailto:[hidden email]] reported this IDOR
    vulnerability to the OFBiz security team, and we thank him for that.
---
 .../groovyScripts/order/OrderViewWebSecure.groovy  |  22 +++++
 .../order/widget/ordermgr/OrderPrintScreens.xml    | 103 ++++++++++++---------
 2 files changed, 82 insertions(+), 43 deletions(-)

diff --git a/applications/order/groovyScripts/order/OrderViewWebSecure.groovy b/applications/order/groovyScripts/order/OrderViewWebSecure.groovy
index fd38170..c5bdd5b 100644
--- a/applications/order/groovyScripts/order/OrderViewWebSecure.groovy
+++ b/applications/order/groovyScripts/order/OrderViewWebSecure.groovy
@@ -21,6 +21,9 @@ import org.apache.ofbiz.order.order.OrderContentWrapper
 
 orderHeader = context.orderHeader
 
+// can anybody view an anonymous order?  this is set in the screen widget and should only be turned on by an email confirmation screen
+allowAnonymousView = context.allowAnonymousView
+
 // if orderHeader is null in OrderView.groovy then it is not null but void here!
 if (orderHeader) {
     // set hasPermission, must always exist if the orderHeader != null
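Review bot: `allowAnonymousView` is read from `context` rather than `parameters`, which is the right choice since the flag unlocks every order whose `createdBy` is `anonymous`, but the comment only says it "should" be set by an email confirmation screen; make the constraint explicit so a later screen author does not copy it from the request, e.g. extend the comment to "must be set by a screen `<set>` only, never from `parameters.allowAnonymousView`". The script also does not normalise the value, so a screen that sets it to boolean `true` instead of the string `"Y"` will silently fail the `"Y".equals(allowAnonymousView)` test below; either document the expected type or coerce it here.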
@@ -44,9 +47,28 @@ if (orderHeader) {
             hasPermission = true
         }
     }
+    // This is related with OFBIZ-11836 "IDOR vulnerability in the order processing feature"
+    if (parameters.localDispatcherName.equals("ecommerce")) {
+        List errMsgList = []
+        if (orderHeader.createdBy.equals(person.partyId)
+        || ("anonymous".equals(orderHeader.createdBy) && "Y".equals(allowAnonymousView))) {
+            hasPermission = true
+            canViewInternalDetails = true
+        } else {
+            hasPermission = false
+            canViewInternalDetails = false
+            errMsgList.add("It's not an error : you are not allowed to view this!")
+            showErrorMsg = "Y"
+        }
+         request.setAttribute("_ERROR_MESSAGE_LIST_", errMsgList)
+         context.showErrorMsg = showErrorMsg
+    }
+
     context.hasPermission = hasPermission
     context.canViewInternalDetails = canViewInternalDetails
 
     orderContentWrapper = OrderContentWrapper.makeOrderContentWrapper(orderHeader, request)
     context.orderContentWrapper = orderContentWrapper
+    
+
 }
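Review bot: the new check is only reached when `parameters.localDispatcherName` equals `"ecommerce"`, so a request through any other front-end dispatcher, or one where the attribute is absent, falls back to the pre-existing permission logic above, and the `.equals` calls are invoked on values that can be null (`parameters.localDispatcherName` when missing, `orderHeader.createdBy` when unset, and `person` if it is not populated for an unauthenticated visitor), which throws a NullPointerException instead of denying. Suggest putting the literal on the receiving side and using safe navigation, e.g. `if ("ecommerce".equals(parameters.localDispatcherName))` and `if (orderHeader.createdBy && orderHeader.createdBy.equals(person?.partyId) || ...)`, and consider making the deny branch the default rather than conditional on the dispatcher name so a new storefront cannot reopen the IDOR by accident. Minor: the message `"It's not an error : you are not allowed to view this!"` is hard-coded rather than taken from a UiLabels property, the `request.setAttribute` and `context.showErrorMsg` lines are indented one space deeper than the surrounding block, and the hunk adds two whitespace-only lines before the closing brace.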
diff --git a/applications/order/widget/ordermgr/OrderPrintScreens.xml b/applications/order/widget/ordermgr/OrderPrintScreens.xml
index 367eeba..079c812 100644
--- a/applications/order/widget/ordermgr/OrderPrintScreens.xml
+++ b/applications/order/widget/ordermgr/OrderPrintScreens.xml
@@ -27,55 +27,72 @@ under the License.
     <screen name="OrderPDF">
         <section>
             <actions>
-                <set field="titleProperty" value="OrderOrder"/>
-                <property-map resource="OrderUiLabels" map-name="uiLabelMap" global="true"/>
-                <property-map resource="AccountingUiLabels" map-name="uiLabelMap" global="true"/>
-                <property-map resource="ProductUiLabels" map-name="uiLabelMap" global="true"/>
+                <set field="titleProperty" value="OrderOrder" />
+                <property-map resource="OrderUiLabels" map-name="uiLabelMap" global="true" />
+                <property-map resource="AccountingUiLabels" map-name="uiLabelMap" global="true" />
+                <property-map resource="ProductUiLabels" map-name="uiLabelMap" global="true" />
 
-                <script location="component://order/groovyScripts/order/OrderView.groovy"/>
+                <script location="component://order/groovyScripts/order/OrderView.groovy" />
+                <script location="component://order/groovyScripts/order/OrderViewWebSecure.groovy" />
             </actions>
             <widgets>
-                <decorator-screen name="FoReportDecorator" location="component://common/widget/CommonScreens.xml">
-                    <!-- at the top left of every page we put the logo and company information -->
-                    <decorator-section name="topLeft">
-                        <section>
-                            <widgets>
-                                <include-screen name="CompanyLogo" location="component://order/widget/ordermgr/OrderPrintScreens.xml"/>
-                            </widgets>
-                        </section>
-                    </decorator-section>
-                    <!-- at the top right of every page we put the order information -->
-                    <decorator-section name="topRight">
-                        <section>
-                            <widgets>
-                                <platform-specific>
-                                    <xsl-fo><html-template location="component://order/template/order/OrderReportHeaderInfo.fo.ftl"/></xsl-fo>
-                                </platform-specific>
-                            </widgets>
-                        </section>
-                    </decorator-section>
-                    <decorator-section name="body">
-                        <section>
-                            <widgets>
-                                <!-- the contach mechanisms, terms, payment and shipping methods are shown in the first page -->
-                                <platform-specific>
-                                    <xsl-fo><html-template location="component://order/template/order/OrderReportContactMechs.fo.ftl"/></xsl-fo>
-                                </platform-specific>
-                                <!-- order items and totals -->
-                                <platform-specific>
-                                    <xsl-fo><html-template location="component://order/template/order/OrderReportBody.fo.ftl"/></xsl-fo>
-                                </platform-specific>
-                                <!-- return policies and notes are shown in the last page -->
-                                <platform-specific>
-                                    <xsl-fo><html-template location="component://order/template/order/OrderReportConditions.fo.ftl"/></xsl-fo>
-                                </platform-specific>
-                            </widgets>
-                        </section>
-                    </decorator-section>
-                </decorator-screen>
+                <section>
+                    <condition>
+                        <if-compare operator="equals" value="true" field="hasPermission" />
+                    </condition>
+                    <widgets>
+                        <decorator-screen name="FoReportDecorator" location="component://common/widget/CommonScreens.xml">
+                            <!-- at the top left of every page we put the logo and company information -->
+                            <decorator-section name="topLeft">
+                                <section>
+                                    <widgets>
+                                        <include-screen name="CompanyLogo" location="component://order/widget/ordermgr/OrderPrintScreens.xml" />
+                                    </widgets>
+                                </section>
+                            </decorator-section>
+                            <!-- at the top right of every page we put the order information -->
+                            <decorator-section name="topRight">
+                                <section>
+                                    <widgets>
+                                        <platform-specific>
+                                            <xsl-fo>
+                                                <html-template location="component://order/template/order/OrderReportHeaderInfo.fo.ftl" />
+                                            </xsl-fo>
+                                        </platform-specific>
+                                    </widgets>
+                                </section>
+                            </decorator-section>
+                            <decorator-section name="body">
+                                <section>
+                                    <widgets>
+                                        <!-- the contach mechanisms, terms, payment and shipping methods are shown in the first page -->
+                                        <platform-specific>
+                                            <xsl-fo>
+                                                <html-template location="component://order/template/order/OrderReportContactMechs.fo.ftl" />
+                                            </xsl-fo>
+                                        </platform-specific>
+                                        <!-- order items and totals -->
+                                        <platform-specific>
+                                            <xsl-fo>
+                                                <html-template location="component://order/template/order/OrderReportBody.fo.ftl" />
+                                            </xsl-fo>
+                                        </platform-specific>
+                                        <!-- return policies and notes are shown in the last page -->
+                                        <platform-specific>
+                                            <xsl-fo>
+                                                <html-template location="component://order/template/order/OrderReportConditions.fo.ftl" />
+                                            </xsl-fo>
+                                        </platform-specific>
+                                    </widgets>
+                                </section>
+                            </decorator-section>
+                        </decorator-screen>
+                    </widgets>
+                </section>
             </widgets>
         </section>
     </screen>
+    
     <screen name="CompanyLogo">
         <section>
             <actions>
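Review bot: the `<section>` wrapping the decorator has a `<condition>` on `hasPermission` but no `<fail-widgets>`, so when `OrderViewWebSecure.groovy` denies the request the screen renders an empty document instead of surfacing the `_ERROR_MESSAGE_LIST_` and `showErrorMsg` the script just set; add a `<fail-widgets>` branch that renders the error (or a plain "not authorized" label) so the rejection is explicit to the user and visible in logs. Most of this hunk is whitespace churn (`/>` rewritten as ` />` and the whole decorator block re-indented), which buries the two lines that matter, the added `<script location="component://order/groovyScripts/order/OrderViewWebSecure.groovy" />` and the new `<if-compare ... field="hasPermission" />`; splitting the cosmetic reformat into its own commit would make the security change reviewable on its own. Note also that `allowAnonymousView` is never set in `OrderPDF`, so anonymous orders are now always denied here, which matches the script comment but should be stated in the commit message, and the pre-existing typo `contach` in the body comment was carried across rather than fixed.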