OFBiz › OFBiz - Commits

[ofbiz-framework] branch release17.12 updated: Fixed: IDOR vulnerability in the order processing feature in ecommerce component (OFBIZ-11836)

_‹ Previous Topic Next Topic _›

Classic

List

Threaded

1 message

jleroux@apache.org

[ofbiz-framework] branch release17.12 updated: Fixed: IDOR vulnerability in the order processing feature in ecommerce component (OFBIZ-11836)

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

The following commit(s) were added to refs/heads/release17.12 by this push:
new 8120f75 Fixed: IDOR vulnerability in the order processing feature in ecommerce component (OFBIZ-11836)
8120f75 is described below

commit 8120f75b21186978bc87fafdc9f0b80e2ee500dc
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Fri Jun 26 09:28:49 2020 +0200

Fixed: IDOR vulnerability in the order processing feature in ecommerce component (OFBIZ-11836)

https://demo-stable.ofbiz.apache.org/ecommerce/control/order.pdf?orderId=WSCO10000

In the above URL, the parameter 'orderId' has the value 'WSCO10000' and after
incrementing the value to 'WSCO10001' or 'WSCO10002' will download the receipt
of other orders which have been placed by other users.

All the available order receipts can be downloaded by running an automated tool
(Burp Intruder) on the parameter 'orderId=WSCOXXXXX'

I have successfully tested this by using 2 different accounts: DemoCustomer and
DemoCustomer2

An attacker can download order receipts of other users and this could lead to
information disclosure.

The only real solution to this issue is to implement access control. The user
needs to be authorized for the requested information before the server provides
it.

Thanks: Harshit Shukla [mailto:[hidden email]]reported this IDOR
vulnerability to the OFBiz security team, and we thank him for that.
---
.../groovyScripts/order/OrderViewWebSecure.groovy | 22 +++++
.../order/widget/ordermgr/OrderPrintScreens.xml | 103 ++++++++++++---------
2 files changed, 82 insertions(+), 43 deletions(-)

diff --git a/applications/order/groovyScripts/order/OrderViewWebSecure.groovy b/applications/order/groovyScripts/order/OrderViewWebSecure.groovy
index fd38170..c5bdd5b 100644
--- a/applications/order/groovyScripts/order/OrderViewWebSecure.groovy
+++ b/applications/order/groovyScripts/order/OrderViewWebSecure.groovy
@@ -21,6 +21,9 @@ import org.apache.ofbiz.order.order.OrderContentWrapper

orderHeader = context.orderHeader

+// can anybody view an anonymous order? this is set in the screen widget and should only be turned on by an email confirmation screen
+allowAnonymousView = context.allowAnonymousView
+
// if orderHeader is null in OrderView.groovy then it is not null but void here!
if (orderHeader) {
// set hasPermission, must always exist if the orderHeader != null
@@ -44,9 +47,28 @@ if (orderHeader) {
hasPermission = true
}
}
+ // This is related with OFBIZ-11836 "IDOR vulnerability in the order processing feature"
+ if (parameters.localDispatcherName.equals("ecommerce")) {
+ List errMsgList = []
+ if (orderHeader.createdBy.equals(person.partyId)
+ || ("anonymous".equals(orderHeader.createdBy) && "Y".equals(allowAnonymousView))) {
+ hasPermission = true
+ canViewInternalDetails = true
+ } else {
+ hasPermission = false
+ canViewInternalDetails = false
+ errMsgList.add("It's not an error : you are not allowed to view this!")
+ showErrorMsg = "Y"
+ }
+ request.setAttribute("_ERROR_MESSAGE_LIST_", errMsgList)
+ context.showErrorMsg = showErrorMsg
+ }
+
context.hasPermission = hasPermission
context.canViewInternalDetails = canViewInternalDetails

orderContentWrapper = OrderContentWrapper.makeOrderContentWrapper(orderHeader, request)
context.orderContentWrapper = orderContentWrapper
+
+
}
diff --git a/applications/order/widget/ordermgr/OrderPrintScreens.xml b/applications/order/widget/ordermgr/OrderPrintScreens.xml
index 367eeba..079c812 100644
--- a/applications/order/widget/ordermgr/OrderPrintScreens.xml
+++ b/applications/order/widget/ordermgr/OrderPrintScreens.xml
@@ -27,55 +27,72 @@ under the License.
<screen name="OrderPDF">
<section>
<actions>
- <set field="titleProperty" value="OrderOrder"/>
- <property-map resource="OrderUiLabels" map-name="uiLabelMap" global="true"/>
- <property-map resource="AccountingUiLabels" map-name="uiLabelMap" global="true"/>
- <property-map resource="ProductUiLabels" map-name="uiLabelMap" global="true"/>
+ <set field="titleProperty" value="OrderOrder" />
+ <property-map resource="OrderUiLabels" map-name="uiLabelMap" global="true" />
+ <property-map resource="AccountingUiLabels" map-name="uiLabelMap" global="true" />
+ <property-map resource="ProductUiLabels" map-name="uiLabelMap" global="true" />

- <script location="component://order/groovyScripts/order/OrderView.groovy"/>
+ <script location="component://order/groovyScripts/order/OrderView.groovy" />
+ <script location="component://order/groovyScripts/order/OrderViewWebSecure.groovy" />
</actions>
<widgets>
- <decorator-screen name="FoReportDecorator" location="component://common/widget/CommonScreens.xml">
- 
- <decorator-section name="topLeft">
- <section>
- <widgets>
- <include-screen name="CompanyLogo" location="component://order/widget/ordermgr/OrderPrintScreens.xml"/>
- </widgets>
- </section>
- </decorator-section>
- 
- <decorator-section name="topRight">
- <section>
- <widgets>
- <platform-specific>
- <xsl-fo><html-template location="component://order/template/order/OrderReportHeaderInfo.fo.ftl"/></xsl-fo>
- </platform-specific>
- </widgets>
- </section>
- </decorator-section>
- <decorator-section name="body">
- <section>
- <widgets>
- 
- <platform-specific>
- <xsl-fo><html-template location="component://order/template/order/OrderReportContactMechs.fo.ftl"/></xsl-fo>
- </platform-specific>
- 
- <platform-specific>
- <xsl-fo><html-template location="component://order/template/order/OrderReportBody.fo.ftl"/></xsl-fo>
- </platform-specific>
- 
- <platform-specific>
- <xsl-fo><html-template location="component://order/template/order/OrderReportConditions.fo.ftl"/></xsl-fo>
- </platform-specific>
- </widgets>
- </section>
- </decorator-section>
- </decorator-screen>
+ <section>
+ <condition>
+ <if-compare operator="equals" value="true" field="hasPermission" />
+ </condition>
+ <widgets>
+ <decorator-screen name="FoReportDecorator" location="component://common/widget/CommonScreens.xml">
+ 
+ <decorator-section name="topLeft">
+ <section>
+ <widgets>
+ <include-screen name="CompanyLogo" location="component://order/widget/ordermgr/OrderPrintScreens.xml" />
+ </widgets>
+ </section>
+ </decorator-section>
+ 
+ <decorator-section name="topRight">
+ <section>
+ <widgets>
+ <platform-specific>
+ <xsl-fo>
+ <html-template location="component://order/template/order/OrderReportHeaderInfo.fo.ftl" />
+ </xsl-fo>
+ </platform-specific>
+ </widgets>
+ </section>
+ </decorator-section>
+ <decorator-section name="body">
+ <section>
+ <widgets>
+ 
+ <platform-specific>
+ <xsl-fo>
+ <html-template location="component://order/template/order/OrderReportContactMechs.fo.ftl" />
+ </xsl-fo>
+ </platform-specific>
+ 
+ <platform-specific>
+ <xsl-fo>
+ <html-template location="component://order/template/order/OrderReportBody.fo.ftl" />
+ </xsl-fo>
+ </platform-specific>
+ 
+ <platform-specific>
+ <xsl-fo>
+ <html-template location="component://order/template/order/OrderReportConditions.fo.ftl" />
+ </xsl-fo>
+ </platform-specific>
+ </widgets>
+ </section>
+ </decorator-section>
+ </decorator-screen>
+ </widgets>
+ </section>
</widgets>
</section>
</screen>
+
<screen name="CompanyLogo">
<section>
<actions>