Re: Users - Hidden partyId - Security Risk?

Posted by Vinay Agarwal on
URL: http://ofbiz.116.s1.nabble.com/Users-Hidden-partyId-Security-Risk-tp137366p137377.html
My testing did find a problem with the hidden paymentMethodId field that I am describing below. In addition, there are 240 other ftl files that contain hidden fields and may pose a security risk, although I have not looked at any of the others.

File: applications/ecommerce/webapp/ecommerce/customer/editcreditcard.ftl

Statement: <input type="hidden" name="paymentMethodId" value="${paymentMethodId}">

Theory:

A hacked form may change the paymentMethodId and modify data that the user does not have authorization for.

Method:

  1. Ecommerce application, signed up as “firstuser” and added a credit card. Its paymentMethodId came out to be 10000.
  2. Logged out and signed up as “seconduser” and added a credit card. Its paymentMethodId came out to be 10001.
  3. Logged in as seconduser, clicked on update credit card. Saved the html page locally.
  4. Edited the saved html page
    1. Changed paymentMethodId from 10001 to 10000.
    2. Added http://localhost:8443 to the action url.
  5. Expected result: firstuser and seconduser each has one credit card.
  6. Actual result: firstuser had no card and the second user had 2 cards as seen on the profile page.
Conclusion:

A user is able to modify data that he is not authorized for.
I would like to know if you can reproduce it. I can add it to Jira if needed.
Regards,

Vinay Agarwal
_______________________________________________
Users mailing list
http://lists.ofbiz.org/mailman/listinfo/users
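The failure described in the post is a missing server-side ownership check: the request handler trusts the hidden paymentMethodId and reassigns the card to whoever is logged in. The following is an added illustration, not OFBiz code; the in-memory store, the party names and the two handlers are constructed to mirror the post's scenario (firstuser owns 10000, seconduser owns 10001) and to show the check that prevents it.

```python
# Added example, not part of the original post or of OFBiz.
# Contrasts a handler that trusts the hidden paymentMethodId with one that
# verifies the record belongs to the logged-in party before updating it.
from dataclasses import dataclass


@dataclass
class PaymentMethod:
    payment_method_id: str
    party_id: str            # owner of the card
    card_number_last4: str


class PermissionDenied(Exception):
    """Raised when the submitted paymentMethodId is not owned by the session user."""


def seed_store():
    # Constructed data matching the post: firstuser -> 10000, seconduser -> 10001
    return {
        "10000": PaymentMethod("10000", "firstuser", "1111"),
        "10001": PaymentMethod("10001", "seconduser", "2222"),
    }


def update_card_unchecked(store, session_party_id, form):
    """Behaviour the post observed: the form's paymentMethodId is trusted and the
    record is re-owned by the submitting session, so a tampered id moves the card."""
    pm = store[form["paymentMethodId"]]
    pm.party_id = session_party_id
    pm.card_number_last4 = form["cardNumberLast4"]
    return pm


def update_card_checked(store, session_party_id, form):
    """Hardened version: load the record, then require that it already belongs to
    the logged-in party. Ownership is never taken from the form."""
    pm = store.get(form["paymentMethodId"])
    if pm is None or pm.party_id != session_party_id:
        # One response for 'missing' and 'not yours', so the check does not
        # reveal which paymentMethodIds exist.
        raise PermissionDenied("paymentMethodId not owned by current user")
    pm.card_number_last4 = form["cardNumberLast4"]
    return pm


def cards_of(store, party_id):
    """Sorted paymentMethodIds owned by party_id (what the profile page would list)."""
    return sorted(pm.payment_method_id for pm in store.values() if pm.party_id == party_id)
```

Running the tampered form (paymentMethodId changed from 10001 to 10000, submitted as seconduser) through the unchecked handler reproduces the post's result; the checked handler rejects it while still allowing seconduser to edit card 10001.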