[ https://issues.apache.org/jira/browse/OFBIZ-11836?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-11836:
------------------------------------
    Summary: IDOR vulnerability in the order processing feature in ecommerce component (CVE-2020-13923)  (was: IDOR vulnerability in the order processing feature in ecommerce component)

> IDOR vulnerability in the order processing feature in ecommerce component (CVE-2020-13923)
> ------------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-11836
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11836
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ecommerce, order
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 18.12.01, 17.12.04
>
>
> Harshit Shukla [harshit.sh...@gmail.com|mailto:harshit.sh...@gmail.com] reported this IDOR vulnerability to the OFBiz security team, and we thank him for that.
> Here is Harshit's message, slightly edited:
> {quote}[https://demo-stable.ofbiz.apache.org/ecommerce/control/order.pdf?orderId=WSCO10000]
> In the above URL, the parameter 'orderId' has the value 'WSCO10000', and incrementing the value to 'WSCO10001' or 'WSCO10002' downloads the receipts of other orders which have been placed by other users.
> All the available order receipts can be downloaded by running an automated tool (Burp Intruder) on the parameter 'orderId=WSCOXXXXX'.
> I have successfully tested this by using 2 different accounts: DemoCustomer and DemoCustomer2 ([~jleroux] edited)
> An attacker can download order receipts of other users and this could lead to information disclosure.
> The only real solution to this issue is to implement access control. The user needs to be authorized for the requested information before the server provides it.
> Reference: [https://blog.detectify.com/2016/05/25/owasp-top-10-insecure-direct-object-reference-4/]
> {quote}
> Only ecommerce is affected because we have secure permissions in backorder components (ERP)

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
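Added example (editor's illustration, not OFBiz code and not part of the issue above): a minimal order-receipt handler in the shape of the reported `order.pdf?orderId=` request, first without and then with the ownership check the reporter calls for, plus the sequential-id sweep a tool like Burp Intruder performs. The order table, the order-to-customer mapping, the party ids reused from the report, and every function name here are constructed assumptions; OFBiz's real entities and controllers are not modelled.

```python
"""Added example, not OFBiz code: an order-receipt endpoint with and without
the ownership check that closes an IDOR of the kind reported in OFBIZ-11836.

All data and names are constructed for illustration (assumption): the order
table, which customer owns which order, and the handler function names."""

from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Order:
    order_id: str
    owner_party_id: str   # assumption: one owning customer per order
    grand_total: float


# Constructed sample data: sequential ids like the ones in the report, with
# orders split between the two demo accounts named there.
ORDERS: Dict[str, Order] = {
    "WSCO10000": Order("WSCO10000", "DemoCustomer", 42.50),
    "WSCO10001": Order("WSCO10001", "DemoCustomer2", 199.99),
    "WSCO10002": Order("WSCO10002", "DemoCustomer2", 7.00),
}


class Forbidden(Exception):
    """Caller is not logged in."""


class NotFound(Exception):
    """Order does not exist, or is not visible to this caller."""


def render_receipt(order: Order) -> bytes:
    # Stand-in for PDF rendering; the bytes only need to identify the order.
    return f"RECEIPT {order.order_id} total={order.grand_total:.2f}".encode()


def order_pdf_vulnerable(session_party_id: Optional[str], order_id: str) -> bytes:
    """The flawed pattern: the handler trusts orderId and never consults the
    caller's identity, so any caller receives any existing receipt."""
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    return render_receipt(order)


def order_pdf_secure(session_party_id: Optional[str], order_id: str) -> bytes:
    """Hardened: require a logged-in party and check that it owns the order
    before returning anything. A missing order and a foreign order both raise
    NotFound, so the response does not confirm that a guessed id exists."""
    if session_party_id is None:
        raise Forbidden("login required")
    order = ORDERS.get(order_id)
    if order is None or order.owner_party_id != session_party_id:
        raise NotFound(order_id)
    return render_receipt(order)


def enumerate_receipts(handler: Callable[[Optional[str], str], bytes],
                       session_party_id: Optional[str],
                       prefix: str = "WSCO",
                       start: int = 10000,
                       count: int = 3) -> List[str]:
    """What an intruder-style sweep on the orderId parameter does: step
    through consecutive ids and record which ones the handler served."""
    served: List[str] = []
    for n in range(start, start + count):
        order_id = f"{prefix}{n}"
        try:
            handler(session_party_id, order_id)
        except (Forbidden, NotFound):
            continue
        served.append(order_id)
    return served


if __name__ == "__main__":
    # Logged in as DemoCustomer: the vulnerable handler leaks every order,
    # the hardened one returns only DemoCustomer's own.
    print("vulnerable:", enumerate_receipts(order_pdf_vulnerable, "DemoCustomer"))
    print("secure:    ", enumerate_receipts(order_pdf_secure, "DemoCustomer"))
```

The check in `order_pdf_secure` is the whole fix: authorization is decided from the server-side session identity, not from anything in the request, and it happens before the record is rendered. Collapsing "no such order" and "not your order" into the same response keeps the endpoint from acting as an oracle for valid ids during the sweep.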