Posted to user@ofbiz.apache.org by rohit2006 <ro...@yahoo.com> on 2007/01/30 18:35:30 UTC
Major security lapse in ofbiz. Changing order # in URL allows other
orders to be viewed...
Hi,
I just noticed a potentially major security loophole in ofbiz. If you login
to the ecommerce area of ofbiz and view an order using the URL
https://www.example.com/ecommerce/control/orderstatus?orderId=10330, you can
view any order made by other users by changing the order number in the URL
for eg.
https://www.example.com/ecommerce/control/orderstatus?orderId=TMN10550, will
show the order and complete details such as address, last digits of credit card
etc, even if the order was placed by another user.
I hope that somebody checks if its happening to their sites too. I believe
this is a major security lapse in ofbiz and if this error can be replicated
by other users too, we can open a JIRA issue.
I hope somebody verifies the bug very soon.
Thanks
rohit
--
View this message in context: http://www.nabble.com/Major-security-lapse-in-ofbiz.-Changing-order---in-URL-allows-other-orders-to-be-viewed...-tf3143749.html#a8713953
Sent from the OFBiz - User mailing list archive at Nabble.com.
Re: Major security lapse in ofbiz. Changing order # in URL allows
other orders to be viewed...
Posted by rohit2006 <ro...@yahoo.com>.
"security permission setting to view only
orders created by person/group who created them."
I guess this is the normal expectation from an ecommerce application. I am sure
nobody wants their orders to be viewed by other users, who then get access to their
personal info.
I have not fully dug into security permissions, but basically I am using
the default setup, with minor touches here and there.
Rohit
Walter Vaughan wrote:
>
> rohit2006 wrote:
>
>> I just noticed a potentially major security loophole in ofbiz. If you
>> login
>> to the ecommerce area of ofbiz and view an order using the URL
>> https://www.example.com/ecommerce/control/orderstatus?orderId=10330, you
>> can
>> view any order made by other users by changing the order number in the
>> URL
>> for eg.
>
> Just so I understand the problem, what you are saying is that if you have
> login
> permissions to view orders, you want a security permission setting to view
> only
> orders created by person/group who created them.
>
> Is that what you are asking?
>
> IANAL, but it's more like you are wanting a security group that can only
> see
> orders created by the same party_id as the current login party_id. Is that
> correct?
>
> What security group are you currently using to view these orders?
>
> --
> Walter
>
>
>
>
>
--
View this message in context: http://www.nabble.com/Major-security-lapse-in-ofbiz.-Changing-order---in-URL-allows-other-orders-to-be-viewed...-tf3143749.html#a8723123
Re: Major security lapse in ofbiz. Changing order # in URL allows
other orders to be viewed...
Posted by Walter Vaughan <wv...@steelerubber.com>.
rohit2006 wrote:
> I just noticed a potentially major security loophole in ofbiz. If you login
> to the ecommerce area of ofbiz and view an order using the URL
> https://www.example.com/ecommerce/control/orderstatus?orderId=10330, you can
> view any order made by other users by changing the order number in the URL
> for eg.
Just so I understand the problem, what you are saying is that if you have login
permissions to view orders, you want a security permission setting to view only
orders created by person/group who created them.
Is that what you are asking?
IANAL, but it's more like you are wanting a security group that can only see
orders created by the same party_id as the current login party_id. Is that correct?
What security group are you currently using to view these orders?
--
Walter
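The behaviour reported in the first message (any logged-in user can read any order by editing orderId) and the fix Walter describes (only return orders whose party matches the current login's party) are shown side by side below. This is an added illustration, not OFBiz code: the in-memory order table, the session table mapping a session token to a party_id, and the two handler functions are all constructed stand-ins for the ecommerce orderstatus request. The cross_account_leak helper is the check a site owner could run against both handlers to confirm whether one customer's session can read another customer's order.

```python
"""Constructed illustration of the orderstatus ownership check.

The order store, sessions and handlers are stand-ins for the OFBiz
ecommerce "orderstatus" request; none of this is OFBiz's own code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: str
    party_id: str      # the customer (party) who placed the order
    ship_to: str
    card_last4: str


# Constructed sample data: two customers, three orders.
ORDERS = {
    "10330": Order("10330", "CUST_A", "1 Main St", "4242"),
    "TMN10550": Order("TMN10550", "CUST_B", "9 Elm Rd", "1881"),
    "10331": Order("10331", "CUST_A", "1 Main St", "4242"),
}

# Hypothetical session table: session token -> party_id of the logged-in user.
SESSIONS = {"sess-a": "CUST_A", "sess-b": "CUST_B"}


class NotFound(Exception):
    pass


def _render(order: Order) -> dict:
    """What the order status page would show for the order."""
    return {"orderId": order.order_id, "shipTo": order.ship_to,
            "cardLast4": order.card_last4}


def order_status_vulnerable(session: str, order_id: str) -> dict:
    """Looks the order up by the URL parameter alone.

    The session only decides whether the caller is logged in at all;
    whoever the order belongs to, it is returned. This is the behaviour
    the thread reports.
    """
    if session not in SESSIONS:
        raise PermissionError("login required")
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    return _render(order)


def order_status_hardened(session: str, order_id: str) -> dict:
    """Scopes the lookup to the logged-in party.

    The order's owning party is compared with the session's party before
    anything is rendered. A mismatch is reported exactly like a missing
    order, so the endpoint does not confirm which order ids exist.
    """
    party_id = SESSIONS.get(session)
    if party_id is None:
        raise PermissionError("login required")
    order = ORDERS.get(order_id)
    if order is None or order.party_id != party_id:
        raise NotFound(order_id)
    return _render(order)


def cross_account_leak(handler, victim_order: str = "TMN10550",
                       attacker: str = "sess-a") -> bool:
    """True if the user logged in as `attacker` can read `victim_order`.

    Only meaningful when the order's owner is not the attacker's party,
    which is asserted from the data rather than assumed.
    """
    assert ORDERS[victim_order].party_id != SESSIONS[attacker]
    try:
        handler(attacker, victim_order)
    except NotFound:
        return False
    return True


if __name__ == "__main__":
    print("vulnerable leaks:", cross_account_leak(order_status_vulnerable))  # True
    print("hardened leaks:  ", cross_account_leak(order_status_hardened))    # False
```

The hardened handler deliberately collapses "not yours" and "does not exist" into the same NotFound result; returning a distinct "forbidden" response would still let a caller enumerate which order numbers are valid, which is itself information about other customers' activity.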
Re: Major security lapse in ofbiz. Changing order # in URL allows
other orders to be viewed...
Posted by rohit2006 <ro...@yahoo.com>.
I have created a JIRA issue at
https://issues.apache.org/jira/browse/OFBIZ-672
Rohit
Ray Barlow wrote:
>
> Just tested this on a few versions including official ofbiz demo site
> and it is a bug, so I'd say go ahead and raise a JIRA issue.
>
> Ray
>
> rohit2006 wrote:
>> Hi,
>>
>> I just noticed a potentially major security loophole in ofbiz. If you
>> login
>> to the ecommerce area of ofbiz and view an order using the URL
>> https://www.example.com/ecommerce/control/orderstatus?orderId=10330, you
>> can
>> view any order made by other users by changing the order number in the
>> URL
>> for eg.
>> https://www.example.com/ecommerce/control/orderstatus?orderId=TMN10550,
>> will
>> show the order and complete details such as address, last digits of credit
>> card
>> etc, even if the order was placed by another user.
>>
>> I hope that somebody checks if its happening to their sites too. I
>> believe
>> this is a major security lapse in ofbiz and if this error can be
>> replicated
>> by other users too, we can open a JIRA issue.
>>
>> I hope somebody verifies the bug very soon.
>>
>> Thanks
>>
>> rohit
>>
>
>
--
View this message in context: http://www.nabble.com/Major-security-lapse-in-ofbiz.-Changing-order---in-URL-allows-other-orders-to-be-viewed...-tf3143749.html#a8715916
Re: Major security lapse in ofbiz. Changing order # in URL allows
other orders to be viewed...
Posted by Jacques Le Roux <ja...@les7arts.com>.
Yes definitively a bug.
Jacques
----- Original Message -----
From: "Ray Barlow" <ra...@makeyour-point.com>
To: <us...@ofbiz.apache.org>
Sent: Tuesday, January 30, 2007 7:18 PM
Subject: Re: Major security lapse in ofbiz. Changing order # in URL allows other orders to be viewed...
> Just tested this on a few versions including official ofbiz demo site
> and it is a bug, so I'd say go ahead and raise a JIRA issue.
>
> Ray
>
> rohit2006 wrote:
> > Hi,
> >
> > I just noticed a potentially major security loophole in ofbiz. If you login
> > to the ecommerce area of ofbiz and view an order using the URL
> > https://www.example.com/ecommerce/control/orderstatus?orderId=10330, you can
> > view any order made by other users by changing the order number in the URL
> > for eg.
> > https://www.example.com/ecommerce/control/orderstatus?orderId=TMN10550, will
> > show the order and complete details such as address, last digits of credit card
> > etc, even if the order was placed by another user.
> >
> > I hope that somebody checks if its happening to their sites too. I believe
> > this is a major security lapse in ofbiz and if this error can be replicated
> > by other users too, we can open a JIRA issue.
> >
> > I hope somebody verifies the bug very soon.
> >
> > Thanks
> >
> > rohit
> >
Re: Major security lapse in ofbiz. Changing order # in URL allows
other orders to be viewed...
Posted by Ray Barlow <ra...@makeyour-point.com>.
Just tested this on a few versions including official ofbiz demo site
and it is a bug, so I'd say go ahead and raise a JIRA issue.
Ray
rohit2006 wrote:
> Hi,
>
> I just noticed a potentially major security loophole in ofbiz. If you login
> to the ecommerce area of ofbiz and view an order using the URL
> https://www.example.com/ecommerce/control/orderstatus?orderId=10330, you can
> view any order made by other users by changing the order number in the URL
> for eg.
> https://www.example.com/ecommerce/control/orderstatus?orderId=TMN10550, will
> show the order and complete details such as address, last digits of credit card
> etc, even if the order was placed by another user.
>
> I hope that somebody checks if its happening to their sites too. I believe
> this is a major security lapse in ofbiz and if this error can be replicated
> by other users too, we can open a JIRA issue.
>
> I hope somebody verifies the bug very soon.
>
> Thanks
>
> rohit
>