Posted to dev@ofbiz.apache.org by "Jacopo Cappellato (JIRA)" <ji...@apache.org> on 2007/02/04 12:01:06 UTC

[jira] Resolved: (OFBIZ-672) Changing order # in URL allows orders made by other users to be viewed...

     [ https://issues.apache.org/jira/browse/OFBIZ-672?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacopo Cappellato resolved OFBIZ-672.
-------------------------------------

    Resolution: Fixed

> Changing order # in URL allows orders made by other users to be viewed...
> -------------------------------------------------------------------------
>
>                 Key: OFBIZ-672
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-672
>             Project: OFBiz (The Open for Business Project)
>          Issue Type: Bug
>          Components: ecommerce
>    Affects Versions: SVN trunk
>            Reporter: Rohit Sureka
>            Priority: Critical
>
> If you log in to the ecommerce area of OFBiz and view an order using the URL https://www.example.com/ecommerce/control/orderstatus?orderId=10330, you can view any order made by other users by changing the order number in the URL, e.g. https://www.example.com/ecommerce/control/orderstatus?orderId=TMN10550 will show order #10550 and complete details such as address, last digits of credit card etc., even if the order was placed by another user.
> I believe this is a very serious security issue as well, hence I have given the highest priority rating to this issue.
> Rohit

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
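The defect in OFBIZ-672 is a missing ownership check on a user-supplied order id. The following is an added example, not OFBiz's own code: a minimal model of the orderstatus lookup in the reported form beside a hardened form that scopes the lookup to the logged-in party. Order ids, party ids and session tokens are constructed sample data.

```python
# Added example (not OFBiz code): minimal model of the OFBIZ-672 order lookup.
# All ids, party names and session tokens below are constructed sample data.

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Order:
    order_id: str
    owner_party_id: str
    ship_to: str
    card_last4: str


# Constructed sample data: two customers, each with one order.
ORDERS = {
    "10330": Order("10330", "party_alice", "1 Main St", "4242"),
    "TMN10550": Order("TMN10550", "party_bob", "9 Elm Rd", "1881"),
}
# Constructed session store: session token -> authenticated party id.
SESSIONS = {"sess_alice": "party_alice", "sess_bob": "party_bob"}


def order_status_vulnerable(session_token: str, order_id: str) -> Optional[Order]:
    """Behaviour reported in OFBIZ-672: the handler only checks that the
    caller is logged in, then returns whatever order the supplied id names."""
    if session_token not in SESSIONS:
        return None  # not logged in
    return ORDERS.get(order_id)  # any order, regardless of who placed it


def order_status(session_token: str, order_id: str) -> Optional[Order]:
    """Hardened form: the lookup is scoped to the authenticated party.
    An order that exists but belongs to someone else is reported exactly
    like a missing order, so the response does not confirm foreign ids."""
    party_id = SESSIONS.get(session_token)
    if party_id is None:
        return None  # not logged in
    order = ORDERS.get(order_id)
    if order is None or order.owner_party_id != party_id:
        return None  # missing or not owned by the caller: same answer
    return order
```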