Forrest Rae created OFBIZ-6207:
----------------------------------
Summary: Anyone can view any Request or Quote
Key: OFBIZ-6207
URL: https://issues.apache.org/jira/browse/OFBIZ-6207
Project: OFBiz
Issue Type: Bug
Components: specialpurpose/ecommerce
Affects Versions: Trunk
Reporter: Forrest Rae
Priority: Critical
Attachments: OFBIZ-6207.patch
This is a security bug in the ecommerce application. Anyone can view any quote
or request in the system regardless of the associated partyId. They can do
this via URL parameter manipulation.
Reproduction:
1) Login to the ecommerce application as DemoCustomer.
2) Navigate to
http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9000
to view your own request.
3) Navigate to
http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9001
to view DemoCustAgent's request.
4) Navigate to
http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9002
to view DemoCustomer2's request.
Same goes for Quotes, although there are no quotes in the Demo data. The
attach patch fixes this issue.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
