[ https://issues.apache.org/jira/browse/OFBIZ-6207?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Forrest Rae updated OFBIZ-6207:
-------------------------------
    Description: 
This is a security bug in the ecommerce application.  Anyone can view any quote 
or request in the system regardless of the associated partyId.  They can do 
this via URL parameter manipulation.

Reproduction:
1) Log in to the ecommerce application as DemoCustomer.
2) Navigate to http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9000 to view your own request.
3) Navigate to http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9001 to view DemoCustAgent's request.
4) Navigate to http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9002 to view DemoCustomer2's request.

Same goes for Quotes, although there are no quotes in the Demo data.  The 
attached patch fixes this issue.

Would like this issue backported to release 13.07 please.

  was:
This is a security bug in the ecommerce application.  Anyone can view any quote 
or request in the system regardless of the associated partyId.  They can do 
this via URL parameter manipulation.

Reproduction:
1) Log in to the ecommerce application as DemoCustomer.
2) Navigate to http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9000 to view your own request.
3) Navigate to http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9001 to view DemoCustAgent's request.
4) Navigate to http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9002 to view DemoCustomer2's request.

Same goes for Quotes, although there are no quotes in the Demo data.  The 
attached patch fixes this issue.


> Anyone can view any Request or Quote
> ------------------------------------
>
>                 Key: OFBIZ-6207
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6207
>             Project: OFBiz
>          Issue Type: Bug
>          Components: specialpurpose/ecommerce
>    Affects Versions: Trunk
>            Reporter: Forrest Rae
>            Priority: Critical
>              Labels: security
>         Attachments: OFBIZ-6207.patch
>
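The defect the report describes is a missing ownership check: the ViewRequest handler selects a CustRequest by the custRequestId URL parameter alone, so the logged-in party is never compared with the party the record belongs to. The following is an added illustration, not the attached OFBIZ-6207.patch and not OFBiz code (OFBiz is Java/Groovy; this is Python so it can run stand-alone). It models both a request store and a quote store, shows the vulnerable lookup next to a lookup that requires the record to belong to the session's party, and adds a small regression check that reports which ids the unchecked lookup would disclose to a given party. The record field name `owner_party_id`, the summaries and the quote ids are the example's own inventions; the request ids 9000, 9001, 9002 and the party names are those given in the report.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class OwnedRecord:
    """A customer request or quote. The owning party is assumed to be stored
    on the record itself; the field name is this example's choice, not OFBiz's."""
    record_id: str
    owner_party_id: str
    summary: str


class NotFound(Exception):
    """Raised both for 'no such record' and for 'record belongs to someone else'."""


# Constructed sample data. Request ids and party names follow the report;
# the summaries and the quote store are invented for this example.
CUST_REQUESTS: Dict[str, OwnedRecord] = {
    "9000": OwnedRecord("9000", "DemoCustomer", "question about an order"),
    "9001": OwnedRecord("9001", "DemoCustAgent", "agent follow-up"),
    "9002": OwnedRecord("9002", "DemoCustomer2", "return request"),
}
QUOTES: Dict[str, OwnedRecord] = {
    "Q100": OwnedRecord("Q100", "DemoCustomer", "quote for 10 units"),
    "Q101": OwnedRecord("Q101", "DemoCustomer2", "quote for 50 units"),
}


def view_vulnerable(store: Dict[str, OwnedRecord], session_party_id: str,
                    record_id: str) -> Optional[OwnedRecord]:
    """The failing pattern: the record is chosen by the URL parameter alone.
    session_party_id is accepted but never consulted, so any id resolves."""
    return store.get(record_id)


def view_checked(store: Dict[str, OwnedRecord], session_party_id: str,
                 record_id: str) -> OwnedRecord:
    """Hardened lookup: the record must exist AND belong to the logged-in party.
    Both failures raise the same NotFound so the response does not reveal
    whether an id exists but belongs to another party."""
    record = store.get(record_id)
    if record is None or record.owner_party_id != session_party_id:
        raise NotFound(record_id)
    return record


def can_view(store: Dict[str, OwnedRecord], session_party_id: str,
             record_id: str) -> bool:
    """Boolean wrapper around view_checked for tests and templates."""
    try:
        view_checked(store, session_party_id, record_id)
        return True
    except NotFound:
        return False


def exposure_report(store: Dict[str, OwnedRecord], session_party_id: str) -> List[str]:
    """Regression check: ids the unchecked lookup would return to this party
    that the ownership-checked lookup refuses. An empty list means no
    cross-party exposure for that party."""
    leaked = []
    for record_id in sorted(store):
        unchecked = view_vulnerable(store, session_party_id, record_id)
        if unchecked is not None and not can_view(store, session_party_id, record_id):
            leaked.append(record_id)
    return leaked


if __name__ == "__main__":
    # DemoCustomer should only ever see 9000; the unchecked lookup also hands back 9001 and 9002.
    print(exposure_report(CUST_REQUESTS, "DemoCustomer"))  # ['9001', '9002']
    print(exposure_report(QUOTES, "DemoCustomer2"))        # ['Q100']
```

The same check applies to both stores because the rule is the same for requests and quotes: the party in the session decides, not the id in the URL. Collapsing "does not exist" and "not yours" into one outcome is deliberate; a distinguishable denial would confirm which ids are in use.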



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
