OFBiz / OFBIZ-6207

Anyone can view any Request or Quote

Description

      This is a security bug in the ecommerce application. Anyone can view any quote or request in the system regardless of the associated partyId. They can do this via URL parameter manipulation.

      Reproduction:
1) Log in to the ecommerce application as DemoCustomer.
      2) Navigate to http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9000 to view your own request.
      3) Navigate to http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9001 to view DemoCustAgent's request.
      4) Navigate to http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9002 to view DemoCustomer2's request.

Same goes for Quotes, although there are no quotes in the Demo data. The attached patch fixes this issue.

Would like this issue backported to release 13.07 please.
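The access problem the report describes, modelled as an added example (not OFBiz code and not the attached patch): the vulnerable lookup keyed only on the URL parameter, beside a version that checks the record's owning party against the logged-in party. The in-memory rows, the field name fromPartyId and the handler names are assumptions made for this illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample rows standing in for the CustRequest records named in the
# report. The field name "fromPartyId" is an assumption for this example only.
CUST_REQUESTS = {
    "9000": {"custRequestId": "9000", "fromPartyId": "DemoCustomer"},
    "9001": {"custRequestId": "9001", "fromPartyId": "DemoCustAgent"},
    "9002": {"custRequestId": "9002", "fromPartyId": "DemoCustomer2"},
}

VIEW_REQUEST = "http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId="


def request_id_from_url(url):
    """Extract custRequestId from a ViewRequest URL like those in the report."""
    params = parse_qs(urlsplit(url).query)
    return params.get("custRequestId", [None])[0]


def view_request_vulnerable(session_party_id, url):
    """Behaviour the report describes: the record is fetched by the URL
    parameter alone, so the caller's party never influences the result."""
    return CUST_REQUESTS.get(request_id_from_url(url))


def view_request_fixed(session_party_id, url):
    """Object-level authorization: the record is returned only when the
    logged-in party is the party the request belongs to; None otherwise."""
    record = CUST_REQUESTS.get(request_id_from_url(url))
    # Treat "does not exist" and "belongs to someone else" the same way so the
    # response does not reveal which custRequestId values are valid.
    if record is None or record["fromPartyId"] != session_party_id:
        return None
    return record


def demo():
    # Replays the three reproduction steps as DemoCustomer against both handlers.
    for rid in ("9000", "9001", "9002"):
        leaked = view_request_vulnerable("DemoCustomer", VIEW_REQUEST + rid)
        allowed = view_request_fixed("DemoCustomer", VIEW_REQUEST + rid)
        print(rid, "vulnerable ->", leaked, "| fixed ->", allowed)


if __name__ == "__main__":
    demo()
```

Quotes need the same check on their owning party; the pattern is identical.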


People

Assignee: Deepak Dixit (deepak.dixit)
Reporter: Forrest Rae (fbr@14x.net)
