[ https://issues.apache.org/jira/browse/OFBIZ-11836?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-11836:
------------------------------------
    Summary: IDOR vulnerability in the order processing feature in ecommerce 
component (CVE-2020-13923)  (was: IDOR vulnerability in the order processing 
feature in ecommerce component)

> IDOR vulnerability in the order processing feature in ecommerce component 
> (CVE-2020-13923)
> ------------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-11836
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11836
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ecommerce, order
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 18.12.01, 17.12.04
>
>
> Harshit Shukla 
> [harshit.sh...@gmail.com|mailto:harshit.sh...@gmail.com] reported this IDOR 
> vulnerability to the OFBiz security team, and we thank him for that.
> Here is Harshit's message slightly edited:
> {quote}[https://demo-stable.ofbiz.apache.org/ecommerce/control/order.pdf?orderId=WSCO10000]
> In the above URL, the parameter 'orderId' has the value 'WSCO10000' and after 
> incrementing the value to 'WSCO10001' or 'WSCO10002' will download the 
> receipt of other orders which have been placed by other users.
> All the available order receipts can be downloaded by running an automated 
> tool (Burp Intruder) on the parameter 'orderId=WSCOXXXXX'
> I have successfully tested this by using 2 different accounts: DemoCustomer 
> and DemoCustomer2 ([~jleroux] edited)
> An attacker can download order receipts of other users and this could lead to 
> information disclosure.
> The only real solution to this issue is to implement access control. The user 
> needs to be authorized for the requested information before the server 
> provides it.
> Reference:[https://blog.detectify.com/2016/05/25/owasp-top-10-insecure-direct-object-reference-4/]
> {quote}
> Only ecommerce is affected because we have secure permissions in backorder 
> components (ERP)



--
This message was sent by Atlassian Jira
(v8.3.4#803005)