You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ofbiz.apache.org by "Jacopo Cappellato (JIRA)" <ji...@apache.org> on 2007/02/04 12:01:06 UTC
[jira] Resolved: (OFBIZ-672) Changing order # in URL allows orders
made by other users to be viewed...
[ https://issues.apache.org/jira/browse/OFBIZ-672?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacopo Cappellato resolved OFBIZ-672.
-------------------------------------
Resolution: Fixed
> Changing order # in URL allows orders made by other users to be viewed...
> -------------------------------------------------------------------------
>
> Key: OFBIZ-672
> URL: https://issues.apache.org/jira/browse/OFBIZ-672
> Project: OFBiz (The Open for Business Project)
> Issue Type: Bug
> Components: ecommerce
> Affects Versions: SVN trunk
> Reporter: Rohit Sureka
> Priority: Critical
>
> If you login to the ecommerce area of ofbiz and view an order using the URL https://www.example.com/ecommerce/control/orderstatus?orderId=10330, you can view any order made by other users by changing the order number in the URL for eg. https://www.example.com/ecommerce/control/orderstatus?orderId=TMN10550, will show the order #10550 and complete details such address, last digits of credit card etc, even if the order was placed by another user.
> I believe this is a very serious security issue as well, hence i have given the highest priority ratings to this issue.
> Rohit
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.