You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ofbiz.apache.org by "Deepak Dixit (JIRA)" <ji...@apache.org> on 2015/04/11 12:02:12 UTC
[jira] [Commented] (OFBIZ-6207) Anyone can view any Request or
Quote
[ https://issues.apache.org/jira/browse/OFBIZ-6207?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14490897#comment-14490897 ]
Deepak Dixit commented on OFBIZ-6207:
-------------------------------------
Hi Forrest Raae,
You can pass in parameters as context-map.
Here is exa
<if-service-permission service-name="workEffortICalendarPermission" main-action="CREATE" context-map="parameters"/>
> Anyone can view any Request or Quote
> ------------------------------------
>
> Key: OFBIZ-6207
> URL: https://issues.apache.org/jira/browse/OFBIZ-6207
> Project: OFBiz
> Issue Type: Bug
> Components: specialpurpose/ecommerce
> Affects Versions: Trunk, 13.07.01
> Reporter: Forrest Rae
> Assignee: Deepak Dixit
> Priority: Critical
> Labels: security
> Attachments: OFBIZ-6207-fourth-attempt.patch
>
>
> This is a security bug in the ecommerce application. Anyone can view any quote or request in the system regardless of the associated partyId. They can do this via URL parameter manipulation.
> Reproduction:
> 1) Login to the ecommerce application as DemoCustomer.
> 2) Navigate to http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9000 to view your own request.
> 3) Navigate to http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9001 to view DemoCustAgent's request.
> 4) Navigate to http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9002 to view DemoCustomer2's request.
> Same goes for Quotes, although there are no quotes in the Demo data. The attach patch fixes this issue.
> Would like this issue back ported to release 13.07 please.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)