Posted to commits@ofbiz.apache.org by jl...@apache.org on 2020/06/26 07:32:40 UTC

[ofbiz-framework] branch trunk updated: Fixed: IDOR vulnerability in the order processing feature in ecommerce component (OFBIZ-11836)

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 4f841e9  Fixed: IDOR vulnerability in the order processing feature in ecommerce component (OFBIZ-11836)
4f841e9 is described below

commit 4f841e9897569bd49d83a94d8d0f2deef9a6fa7a
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Fri Jun 26 09:28:49 2020 +0200

    Fixed: IDOR vulnerability in the order processing feature in ecommerce component (OFBIZ-11836)
    
    https://demo-stable.ofbiz.apache.org/ecommerce/control/order.pdf?orderId=WSCO10000
    
    In the above URL, the parameter 'orderId' has the value 'WSCO10000' and after
    incrementing the value to 'WSCO10001' or 'WSCO10002' will download the receipt
    of other orders which have been placed by other users.
    
    All the available order receipts can be downloaded by running an automated tool
    (Burp Intruder) on the parameter 'orderId=WSCOXXXXX'
    
    I have successfully tested this by using 2 different accounts: DemoCustomer and
    DemoCustomer2
    
    An attacker can download order receipts of other users and this could lead to
    information disclosure.
    
    The only real solution to this issue is to implement access control. The user
    needs to be authorized for the requested information before the server provides
    it.
    
    Thanks: Harshit Shukla [mailto:harshit.shukz@gmail.com] reported this IDOR
    vulnerability to the OFBiz security team, and we thank him for that.
---
 .../groovyScripts/order/OrderViewWebSecure.groovy  |  22 +++++
 .../order/widget/ordermgr/OrderPrintScreens.xml    | 103 ++++++++++++---------
 2 files changed, 82 insertions(+), 43 deletions(-)

diff --git a/applications/order/groovyScripts/order/OrderViewWebSecure.groovy b/applications/order/groovyScripts/order/OrderViewWebSecure.groovy
index fd38170..c5bdd5b 100644
--- a/applications/order/groovyScripts/order/OrderViewWebSecure.groovy
+++ b/applications/order/groovyScripts/order/OrderViewWebSecure.groovy
@@ -21,6 +21,9 @@ import org.apache.ofbiz.order.order.OrderContentWrapper
 
 orderHeader = context.orderHeader
 
+// can anybody view an anonymous order?  this is set in the screen widget and should only be turned on by an email confirmation screen
+allowAnonymousView = context.allowAnonymousView
+
 // if orderHeader is null in OrderView.groovy then it is not null but void here!
 if (orderHeader) {
     // set hasPermission, must always exist if the orderHeader != null
@@ -44,9 +47,28 @@ if (orderHeader) {
             hasPermission = true
         }
     }
+    // This is related with OFBIZ-11836 "IDOR vulnerability in the order processing feature"
+    if (parameters.localDispatcherName.equals("ecommerce")) {
+        List errMsgList = []
+        if (orderHeader.createdBy.equals(person.partyId)
+        || ("anonymous".equals(orderHeader.createdBy) && "Y".equals(allowAnonymousView))) {
+            hasPermission = true
+            canViewInternalDetails = true
+        } else {
+            hasPermission = false
+            canViewInternalDetails = false
+            errMsgList.add("It's not an error : you are not allowed to view this!")
+            showErrorMsg = "Y"
+        }
+         request.setAttribute("_ERROR_MESSAGE_LIST_", errMsgList)
+         context.showErrorMsg = showErrorMsg
+    }
+
     context.hasPermission = hasPermission
     context.canViewInternalDetails = canViewInternalDetails
 
     orderContentWrapper = OrderContentWrapper.makeOrderContentWrapper(orderHeader, request)
     context.orderContentWrapper = orderContentWrapper
+    
+
 }
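Review bot: The ownership test `orderHeader.createdBy.equals(person.partyId)` is not null-safe — a visitor with no `person` in context, or an order whose createdBy is unset, turns the deny path into an uncaught NullPointerException instead of a clean `hasPermission = false`, and `parameters.localDispatcherName.equals("ecommerce")` has the same problem when the parameter is absent; the constant-first and `?.` forms below fail closed quietly. As far as I recall OrderHeader.createdBy holds a userLoginId rather than a partyId, so the comparison only succeeds where the two happen to coincide, as they do for the DemoCustomer accounts named in the commit message — confirm this against the entity definition, because on a store where login ids and party ids differ the check would deny customers their own receipts. `showErrorMsg` is read at `context.showErrorMsg = showErrorMsg` on the granted branch without being assigned anywhere in this hunk; unless it is already bound earlier in the script, that line fails exactly when permission is granted, so initialise it next to `errMsgList`. Gating the whole block on the dispatcher being literally named `ecommerce` means a storefront deployed under any other name silently keeps the pre-fix behaviour; a deny-by-default shape that applies the ownership test whenever the back-office permission computed above is absent would be more robust. The enclosing `if (orderHeader)` opens in the previous hunk and closes on the last line of this one; the rewrite below keeps the message text and request attributes unchanged.
```groovy
    // This is related with OFBIZ-11836 "IDOR vulnerability in the order processing feature"
    if ("ecommerce".equals(parameters.localDispatcherName)) {
        List errMsgList = []
        showErrorMsg = "N"
        // TODO(review): confirm whether OrderHeader.createdBy is a userLoginId or a partyId
        // and compare it against the matching context value (userLogin vs person)
        boolean isOwner = orderHeader.createdBy && orderHeader.createdBy == person?.partyId
        boolean isViewableAnonymous = "anonymous" == orderHeader.createdBy && "Y" == allowAnonymousView
        if (isOwner || isViewableAnonymous) {
            hasPermission = true
            canViewInternalDetails = true
        } else {
            hasPermission = false
            canViewInternalDetails = false
            errMsgList.add("It's not an error : you are not allowed to view this!")
            showErrorMsg = "Y"
        }
        request.setAttribute("_ERROR_MESSAGE_LIST_", errMsgList)
        context.showErrorMsg = showErrorMsg
    }
    // … unchanged: context.hasPermission / context.canViewInternalDetails / orderContentWrapper …
```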
diff --git a/applications/order/widget/ordermgr/OrderPrintScreens.xml b/applications/order/widget/ordermgr/OrderPrintScreens.xml
index 367eeba..079c812 100644
--- a/applications/order/widget/ordermgr/OrderPrintScreens.xml
+++ b/applications/order/widget/ordermgr/OrderPrintScreens.xml
@@ -27,55 +27,72 @@ under the License.
     <screen name="OrderPDF">
         <section>
             <actions>
-                <set field="titleProperty" value="OrderOrder"/>
-                <property-map resource="OrderUiLabels" map-name="uiLabelMap" global="true"/>
-                <property-map resource="AccountingUiLabels" map-name="uiLabelMap" global="true"/>
-                <property-map resource="ProductUiLabels" map-name="uiLabelMap" global="true"/>
+                <set field="titleProperty" value="OrderOrder" />
+                <property-map resource="OrderUiLabels" map-name="uiLabelMap" global="true" />
+                <property-map resource="AccountingUiLabels" map-name="uiLabelMap" global="true" />
+                <property-map resource="ProductUiLabels" map-name="uiLabelMap" global="true" />
 
-                <script location="component://order/groovyScripts/order/OrderView.groovy"/>
+                <script location="component://order/groovyScripts/order/OrderView.groovy" />
+                <script location="component://order/groovyScripts/order/OrderViewWebSecure.groovy" />
             </actions>
             <widgets>
-                <decorator-screen name="FoReportDecorator" location="component://common/widget/CommonScreens.xml">
-                    <!-- at the top left of every page we put the logo and company information -->
-                    <decorator-section name="topLeft">
-                        <section>
-                            <widgets>
-                                <include-screen name="CompanyLogo" location="component://order/widget/ordermgr/OrderPrintScreens.xml"/>
-                            </widgets>
-                        </section>
-                    </decorator-section>
-                    <!-- at the top right of every page we put the order information -->
-                    <decorator-section name="topRight">
-                        <section>
-                            <widgets>
-                                <platform-specific>
-                                    <xsl-fo><html-template location="component://order/template/order/OrderReportHeaderInfo.fo.ftl"/></xsl-fo>
-                                </platform-specific>
-                            </widgets>
-                        </section>
-                    </decorator-section>
-                    <decorator-section name="body">
-                        <section>
-                            <widgets>
-                                <!-- the contach mechanisms, terms, payment and shipping methods are shown in the first page -->
-                                <platform-specific>
-                                    <xsl-fo><html-template location="component://order/template/order/OrderReportContactMechs.fo.ftl"/></xsl-fo>
-                                </platform-specific>
-                                <!-- order items and totals -->
-                                <platform-specific>
-                                    <xsl-fo><html-template location="component://order/template/order/OrderReportBody.fo.ftl"/></xsl-fo>
-                                </platform-specific>
-                                <!-- return policies and notes are shown in the last page -->
-                                <platform-specific>
-                                    <xsl-fo><html-template location="component://order/template/order/OrderReportConditions.fo.ftl"/></xsl-fo>
-                                </platform-specific>
-                            </widgets>
-                        </section>
-                    </decorator-section>
-                </decorator-screen>
+                <section>
+                    <condition>
+                        <if-compare operator="equals" value="true" field="hasPermission" />
+                    </condition>
+                    <widgets>
+                        <decorator-screen name="FoReportDecorator" location="component://common/widget/CommonScreens.xml">
+                            <!-- at the top left of every page we put the logo and company information -->
+                            <decorator-section name="topLeft">
+                                <section>
+                                    <widgets>
+                                        <include-screen name="CompanyLogo" location="component://order/widget/ordermgr/OrderPrintScreens.xml" />
+                                    </widgets>
+                                </section>
+                            </decorator-section>
+                            <!-- at the top right of every page we put the order information -->
+                            <decorator-section name="topRight">
+                                <section>
+                                    <widgets>
+                                        <platform-specific>
+                                            <xsl-fo>
+                                                <html-template location="component://order/template/order/OrderReportHeaderInfo.fo.ftl" />
+                                            </xsl-fo>
+                                        </platform-specific>
+                                    </widgets>
+                                </section>
+                            </decorator-section>
+                            <decorator-section name="body">
+                                <section>
+                                    <widgets>
+                                        <!-- the contach mechanisms, terms, payment and shipping methods are shown in the first page -->
+                                        <platform-specific>
+                                            <xsl-fo>
+                                                <html-template location="component://order/template/order/OrderReportContactMechs.fo.ftl" />
+                                            </xsl-fo>
+                                        </platform-specific>
+                                        <!-- order items and totals -->
+                                        <platform-specific>
+                                            <xsl-fo>
+                                                <html-template location="component://order/template/order/OrderReportBody.fo.ftl" />
+                                            </xsl-fo>
+                                        </platform-specific>
+                                        <!-- return policies and notes are shown in the last page -->
+                                        <platform-specific>
+                                            <xsl-fo>
+                                                <html-template location="component://order/template/order/OrderReportConditions.fo.ftl" />
+                                            </xsl-fo>
+                                        </platform-specific>
+                                    </widgets>
+                                </section>
+                            </decorator-section>
+                        </decorator-screen>
+                    </widgets>
+                </section>
             </widgets>
         </section>
     </screen>
+    
     <screen name="CompanyLogo">
         <section>
             <actions>
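Review bot: The new `<section>` guarded by `<if-compare operator="equals" value="true" field="hasPermission" />` has no `<fail-widgets>`, so a denied request renders an empty FO document with nothing telling the user why, and the `_ERROR_MESSAGE_LIST_` that OrderViewWebSecure.groovy populates is never surfaced by a PDF screen; add a branch such as `<fail-widgets><label text="${uiLabelMap.OrderViewPermissionError}"/></fail-widgets>` (OrderUiLabels is loaded into uiLabelMap a few lines above, assuming that label exists there as it does for the HTML order view). Separately, roughly forty lines of this hunk are whitespace-only (` />` spacing and re-indentation of the decorator block), which buries the two functional additions — the extra `<script>` for OrderViewWebSecure.groovy and the condition wrapper — and makes the security fix hard to audit from history; splitting the formatting into its own commit would help reviewers and `git blame`. The CompanyLogo screen that begins at the end of this hunk continues outside it.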