[ 
https://issues.apache.org/jira/browse/OFBIZ-6207?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14528921#comment-14528921
 ] 

Forrest Rae commented on OFBIZ-6207:
------------------------------------

I've read that and don't see anything about splitting patches into multiple 
files, unless I'm blind (there is always that possibility :P ).  If you'd like 
me to do that, I will.  I'll also update the wiki with instructions once I've 
been through the process.

> Anyone can view any Request or Quote
> ------------------------------------
>
>                 Key: OFBIZ-6207
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6207
>             Project: OFBiz
>          Issue Type: Bug
>          Components: specialpurpose/ecommerce
>    Affects Versions: Trunk, 13.07.01
>            Reporter: Forrest Rae
>            Assignee: Deepak Dixit
>            Priority: Critical
>              Labels: security
>             Fix For: 14.12.01, 13.07.02, Upcoming Branch
>
>         Attachments: OFBIZ-6207-fourth-attempt.patch
>
>
> This is a security bug in the ecommerce application.  Anyone can view any 
> quote or request in the system regardless of the associated partyId.  They 
> can do this via URL parameter manipulation.
> Reproduction:
> 1) Login to the ecommerce application as DemoCustomer.
> 2) Navigate to 
> http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9000
>  to view your own request.
> 3) Navigate to 
> http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9001
>  to view DemoCustAgent's request.
> 4) Navigate to 
> http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9002
>  to view DemoCustomer2's request.
> Same goes for Quotes, although there are no quotes in the Demo data.  The 
> attach patch fixes this issue.
> Would like this issue back ported to release 13.07 please.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to