Re: Users - Hidden partyId - Security Risk?

Posted by Si Chen-2 on
URL: http://ofbiz.116.s1.nabble.com/Users-Hidden-partyId-Security-Risk-tp137366p137372.html

Vinay,

My hunch is that:
ServiceUtil.getPartyIdCheckSecurity(userLogin, security, context,
result, "PAY_INFO", "_UPDATE");
is not enough. This checks if the partyId of the userLogin is the
partyId in the context or if the userLogin has PAY_INFO_UPDATE.

I think the security check there should be:
1. Does userLogin have PAY_INFO_UPDATE? Yes -> good. This can be done
with hasEntityPermission
2. If not (1), is the userLogin the partyId in the context AND the
partyId of the PaymentMethod? Yes -> good.

We may be missing the second part here...

Want to try it? :)

Si

Vinay Agarwal wrote:

> My testing did find a problem with the hidden paymentMethodId field that I
> am describing below. In addition, there are 240 other ftl files that
> contain hidden fields and may pose a security risk, although I have not
> looked at any other.
>
> File: applications/ecommerce/webapp/ecommerce/customer/editcreditcard.ftl
>
> Statement: <input type="hidden" name="paymentMethodId"
> value="${paymentMethodId}">
>
> Theory:
>
> A hacked form may change the paymentMethodId and modify data that the
> user does not have authorization for
>
> Method:
>
>    1. Ecommerce application, signed up as “firstuser” and added a
>       credit card. Its paymentMethodId came out to be 10000.
>    2. Logged out and signed up as “seconduser” and added a credit
>       card. Its paymentMethodId came out to be 10001.
>    3. Logged in as seconduser, clicked on update credit card. Saved
>       the html page locally.
>    4. Edited the saved html page
>          1. Changed paymentMethodId from 10001 to 10000.
>          2. Added http://localhost:8443 to the action url.
>    5. Expected result: firstuser and seconduser each has one credit card.
>    6. Actual result: firstuser had no card and the second user had 2
>       cards as seen on the profile page.
>
> Conclusion:
>
> A user is able to modify data that he is not authorized for.
>
> I would like to know if you can reproduce it. I can add it to Jira if
> needed.
>
> Regards,
>
> Vinay Agarwal
>
>_______________________________________________
>Users mailing list
>[hidden email]
>http://lists.ofbiz.org/mailman/listinfo/users
>
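The difference between the check Si describes for getPartyIdCheckSecurity and the two-step check he proposes, written out as a small stand-alone model. This is an added example and is not OFBiz code nor code from either poster: the class PaymentMethodAuthz, the record types, the functions checkOriginal/checkProposed, the in-memory PAYMENT_METHODS table and the sample logins are all assumptions made for illustration, and the real ServiceUtil.getPartyIdCheckSecurity and Security.hasEntityPermission signatures are not reproduced. The sample data mirrors the report (paymentMethodId 10000 owned by firstuser, 10001 by seconduser).

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/*
 * Added example, not OFBiz code. Simplified model of the authorization
 * check discussed in the thread; all names below are assumptions.
 * Requires Java 16+ (records).
 */
public class PaymentMethodAuthz {

    /** Stand-in for the PaymentMethod entity: which party owns the card. */
    record PaymentMethod(String paymentMethodId, String partyId) {}

    /** Stand-in for the UserLogin entity plus the permissions granted to it. */
    record UserLogin(String userLoginId, String partyId, Set<String> permissions) {}

    /** Constructed sample data matching the report: 10000 belongs to firstuser, 10001 to seconduser. */
    static final Map<String, PaymentMethod> PAYMENT_METHODS = new HashMap<>();
    static {
        PAYMENT_METHODS.put("10000", new PaymentMethod("10000", "firstuser"));
        PAYMENT_METHODS.put("10001", new PaymentMethod("10001", "seconduser"));
    }

    /** Stand-in for hasEntityPermission(entity, action): does the login hold entity+action? */
    static boolean hasEntityPermission(UserLogin login, String entity, String action) {
        return login.permissions().contains(entity + action);
    }

    /**
     * The check as the reply describes getPartyIdCheckSecurity: allow if the
     * login's partyId equals the partyId submitted in the context, OR the
     * login holds PAY_INFO_UPDATE. The PaymentMethod being edited is never
     * consulted, so a forged paymentMethodId passes as long as the attacker
     * submits his own partyId.
     */
    static boolean checkOriginal(UserLogin login, Map<String, String> context) {
        String contextPartyId = context.get("partyId");
        return login.partyId().equals(contextPartyId)
                || hasEntityPermission(login, "PAY_INFO", "_UPDATE");
    }

    /**
     * The two-step check proposed in the reply:
     * 1. login holds PAY_INFO_UPDATE -> allowed;
     * 2. otherwise the login's partyId must equal BOTH the context partyId
     *    AND the partyId of the PaymentMethod named by paymentMethodId.
     * An unknown paymentMethodId is denied rather than allowed through.
     */
    static boolean checkProposed(UserLogin login, Map<String, String> context) {
        if (hasEntityPermission(login, "PAY_INFO", "_UPDATE")) {
            return true;
        }
        PaymentMethod pm = PAYMENT_METHODS.get(context.get("paymentMethodId"));
        if (pm == null) {
            return false;
        }
        String partyId = login.partyId();
        return partyId.equals(context.get("partyId")) && partyId.equals(pm.partyId());
    }

    public static void main(String[] args) {
        UserLogin seconduser = new UserLogin("seconduser", "seconduser", Set.of());

        // The forged form from the report: seconduser's own partyId, firstuser's paymentMethodId.
        Map<String, String> forged = Map.of("partyId", "seconduser", "paymentMethodId", "10000");
        System.out.println("original check, forged form: " + checkOriginal(seconduser, forged));
        System.out.println("proposed check, forged form: " + checkProposed(seconduser, forged));

        // A legitimate edit of seconduser's own card.
        Map<String, String> own = Map.of("partyId", "seconduser", "paymentMethodId", "10001");
        System.out.println("proposed check, own card:    " + checkProposed(seconduser, own));

        // A login holding PAY_INFO_UPDATE may edit any card (step 1 of the proposal).
        UserLogin admin = new UserLogin("admin", "admin", Set.of("PAY_INFO_UPDATE"));
        System.out.println("proposed check, admin:       " + checkProposed(admin, forged));
    }
}
```

Run with `java PaymentMethodAuthz.java`. checkOriginal accepts the forged form because seconduser's partyId matches the partyId he submitted; checkProposed rejects it because the owner of 10000 is firstuser, while still accepting seconduser's edit of 10001 and the admin's edit of anything. The point for the editcreditcard.ftl case is that the service must derive the owner from the stored PaymentMethod, not from any hidden field the client can rewrite.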