[OFBIZ-6207] Anyone can view any Request or Quote - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 13.07.01, Trunk
Fix Version/s: 14.12.01, 13.07.02, 16.11.01
Component/s: ecommerce
Labels:
- security

Description

This is a security bug in the ecommerce application. Anyone can view any quote or request in the system regardless of the associated partyId. They can do this via URL parameter manipulation.

Reproduction:
1) Login to the ecommerce application as DemoCustomer.
2) Navigate to http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9000 to view your own request.
3) Navigate to http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9001 to view DemoCustAgent's request.
4) Navigate to http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9002 to view DemoCustomer2's request.

Same goes for Quotes, although there are no quotes in the Demo data. The attach patch fixes this issue.

Would like this issue back ported to release 13.07 please.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

OFBIZ-6207-fourth-attempt.patch
25/Mar/15 21:28
7 kB
Forrest Rae

Activity

People

Assignee:: Deepak Dixit

Reporter:: Forrest Rae

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 24/Mar/15 23:29

Updated:: 05/May/15 19:53

Resolved:: 05/May/15 10:35