[ https://issues.apache.org/jira/browse/OFBIZ-6207?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Forrest Rae updated OFBIZ-6207:
-------------------------------
    Affects Version/s: 13.07.01

> Anyone can view any Request or Quote
> ------------------------------------
>
>                 Key: OFBIZ-6207
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6207
>             Project: OFBiz
>          Issue Type: Bug
>          Components: specialpurpose/ecommerce
>    Affects Versions: Trunk, 13.07.01
>            Reporter: Forrest Rae
>            Priority: Critical
>              Labels: security
>         Attachments: OFBIZ-6207.patch
>
>
> This is a security bug in the ecommerce application. Anyone can view any
> quote or request in the system regardless of the associated partyId. They
> can do this via URL parameter manipulation.
>
> Reproduction:
> 1) Log in to the ecommerce application as DemoCustomer.
> 2) Navigate to
> http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9000
> to view your own request.
> 3) Navigate to
> http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9001
> to view DemoCustAgent's request.
> 4) Navigate to
> http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9002
> to view DemoCustomer2's request.
>
> Same goes for Quotes, although there are no quotes in the Demo data. The
> attached patch fixes this issue.
>
> Would like this issue backported to release 13.07 please.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
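
The missing check the report describes, as an added example (not the attached patch and not OFBiz code): a lookup keyed only on custRequestId beside one that also requires the session's partyId to match the record's. The class, method and field names and the in-memory store are assumptions; the ids and party names are the demo values from the reproduction steps.

```java
import java.util.Map;
import java.util.Optional;

// Added example; requires Java 16+ for records. All names here are hypothetical.
public class ViewRequestAuthz {

    // Stand-in for a stored customer request and the party it belongs to.
    record CustRequest(String custRequestId, String partyId, String description) {}

    // Constructed sample data mirroring the three demo requests in the report.
    static final Map<String, CustRequest> STORE = Map.of(
        "9000", new CustRequest("9000", "DemoCustomer", "constructed request A"),
        "9001", new CustRequest("9001", "DemoCustAgent", "constructed request B"),
        "9002", new CustRequest("9002", "DemoCustomer2", "constructed request C"));

    // Behaviour described in the report: the record is selected by the URL
    // parameter alone, so any logged-in user can read any request.
    static Optional<CustRequest> viewRequestUnchecked(String custRequestId) {
        if (custRequestId == null) return Optional.empty();
        return Optional.ofNullable(STORE.get(custRequestId));
    }

    // Hardened form: the partyId comes from the authenticated session, never
    // from the request, and must equal the partyId stored on the record.
    // Unknown ids and other parties' ids give the same empty result, so the
    // response does not reveal which ids exist.
    static Optional<CustRequest> viewRequest(String sessionPartyId, String custRequestId) {
        if (sessionPartyId == null || custRequestId == null) return Optional.empty();
        return Optional.ofNullable(STORE.get(custRequestId))
                .filter(r -> sessionPartyId.equals(r.partyId()));
    }

    public static void main(String[] args) {
        // Walk the ids from the reproduction steps as DemoCustomer, plus one
        // id that does not exist in the constructed store.
        for (String id : new String[] {"9000", "9001", "9002", "9999"}) {
            System.out.printf("custRequestId=%s unchecked=%b checked=%b%n", id,
                viewRequestUnchecked(id).isPresent(),
                viewRequest("DemoCustomer", id).isPresent());
        }
    }
}
```

The same ownership comparison applies to the quote view the report mentions, with the quote id in place of custRequestId.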