[OFBIZ-11836] IDOR vulnerability in the order processing feature in ecommerce component (CVE-2020-13923) - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Sub-task
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: Trunk
Fix Version/s: 17.12.04, 18.12.01
Component/s: ecommerce, order
Labels:
None

Sprint:
Bug Crush Event - 21/2/2015

Description

Harshit Shukla harshit.shukz@gmail.comreported this IDOR vulnerability to the OFBiz security team, and we thank him for that.

Here is Harshit's message slightly edited:

https://demo-stable.ofbiz.apache.org/ecommerce/control/order.pdf?orderId=WSCO10000

In the above URL, the parameter 'orderId' has the value 'WSCO10000' and after incrementing the value to 'WSCO10001' or 'WSCO10002' will download the receipt of other orders which have been placed by other users.

All the available order receipts can be downloaded by running an automated tool (Burp Intruder) on the parameter 'orderId=WSCOXXXXX'

I have successfully tested this by using 2 different accounts: DemoCustomer and DemoCustomer2 (jleroux edited)

An attacker can download order receipts of other users and this could lead to information disclosure.

The only real solution to this issue is to implement access control. The user needs to be authorized for the requested information before the server provides it.

Reference:https://blog.detectify.com/2016/05/25/owasp-top-10-insecure-direct-object-reference-4/

Only ecommerce is affected because we have secure permissions in backorder components (ERP)

Attachments

Issue Links

breaks

OFBIZ-11842 Failed to load PDF document after 'Quick checkout'

Closed

Activity

People

Assignee:: Jacques Le Roux

Reporter:: Jacques Le Roux

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 18/Jun/20 13:18

Updated:: 16/Jul/20 06:58

Resolved:: 26/Jun/20 07:37