[jira] [Updated] (OFBIZ-11836) IDOR vulnerability in the order processing feature in ecommerce component (CVE-2020-13923)

2020-07-15 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11836?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-11836:

Summary: IDOR vulnerability in the order processing feature in ecommerce 
component (CVE-2020-13923)  (was: IDOR vulnerability in the order processing 
feature in ecommerce component)

> IDOR vulnerability in the order processing feature in ecommerce component 
> (CVE-2020-13923)
> --
>
> Key: OFBIZ-11836
> URL: https://issues.apache.org/jira/browse/OFBIZ-11836
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: ecommerce, order
>Affects Versions: Trunk
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Major
> Fix For: 18.12.01, 17.12.04
>
>
> Harshit Shukla 
> [harshit.sh...@gmail.com|mailto:harshit.sh...@gmail.com] reported this IDOR 
> vulnerability to the OFBiz security team, and we thank him for that.
> Here is Harshit's message slightly edited:
> {quote}[https://demo-stable.ofbiz.apache.org/ecommerce/control/order.pdf?orderId=WSCO1]
> In the above URL, the parameter 'orderId' has the value 'WSCO1', and after 
> incrementing the value to 'WSCO10001' or 'WSCO10002' it will download the 
> receipts of other orders which have been placed by other users.
> All the available order receipts can be downloaded by running an automated 
> tool (Burp Intruder) on the parameter 'orderId=WSCOX'.
> I have successfully tested this by using 2 different accounts: DemoCustomer 
> and DemoCustomer2 ([~jleroux] edited)
> An attacker can download order receipts of other users and this could lead to 
> information disclosure.
> The only real solution to this issue is to implement access control. The user 
> needs to be authorized for the requested information before the server 
> provides it.
> Reference: [https://blog.detectify.com/2016/05/25/owasp-top-10-insecure-direct-object-reference-4/]
> {quote}
> Only ecommerce is affected because we have secure permissions in backorder 
> components (ERP)



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
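The remedy the report closes with, an authorization check before the server hands back the receipt, as an added example in Python that is not OFBiz code and not the fix the project committed: a minimal order.pdf handler in its vulnerable form beside a hardened one, plus a small check a defender can run over access logs to notice one session fetching many distinct orderId values. The Order records, the owner_party_id field, the log line format and the session and party identifiers are all constructed for this example; how OFBiz itself records order ownership is not shown here.

```python
"""Added example (not OFBiz code): object-level authorization for an
order-receipt endpoint, and a log check for the enumeration pattern that
an unauthorized endpoint invites."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class Order:
    order_id: str
    owner_party_id: str  # assumed field: the customer who placed the order
    total: str


# Constructed sample data; these are not records from the OFBiz demo site.
ORDERS = {
    "WSCO1": Order("WSCO1", "DemoCustomer", "49.99"),
    "WSCO10001": Order("WSCO10001", "DemoCustomer2", "125.00"),
}


class NotFound(Exception):
    """Raised for an order that is missing or not visible to the caller."""


def render_receipt(order: Order) -> str:
    # Stand-in for PDF generation; the content is irrelevant to the check.
    return f"Receipt for {order.order_id}: total {order.total}"


def order_pdf_vulnerable(session_party_id: str, order_id: str) -> str:
    """Authenticated but not authorized: the caller's identity is never
    compared with the order, so any logged-in user can fetch any order."""
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    return render_receipt(order)


def order_pdf_fixed(session_party_id: str, order_id: str) -> str:
    """Object-level check: the order must belong to the session's party."""
    order = ORDERS.get(order_id)
    if order is None or order.owner_party_id != session_party_id:
        # One outcome for "does not exist" and "not yours", so the response
        # does not confirm which order identifiers are valid.
        raise NotFound(order_id)
    return render_receipt(order)


# Constructed access-log format (assumed, not an OFBiz or Tomcat format).
LOG_LINE = re.compile(r"^sess=(?P<sess>\S+) party=(?P<party>\S+) GET (?P<target>\S+)$")

LOG_LINES = [
    "sess=a1 party=DemoCustomer GET /ecommerce/control/order.pdf?orderId=WSCO1",
    "sess=b2 party=DemoCustomer2 GET /ecommerce/control/order.pdf?orderId=WSCO10001",
    "sess=b2 party=DemoCustomer2 GET /ecommerce/control/order.pdf?orderId=WSCO10002",
    "sess=b2 party=DemoCustomer2 GET /ecommerce/control/order.pdf?orderId=WSCO10003",
    "sess=b2 party=DemoCustomer2 GET /ecommerce/control/main",
]


def distinct_order_ids_per_session(lines) -> dict:
    """Count distinct orderId values requested from order.pdf per session."""
    seen: dict = {}
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue  # unparseable line: skip rather than guess
        url = urlsplit(match["target"])
        if not url.path.endswith("/order.pdf"):
            continue
        for oid in parse_qs(url.query).get("orderId", []):
            seen.setdefault(match["sess"], set()).add(oid)
    return {sess: len(ids) for sess, ids in seen.items()}


def flag_enumeration(lines, threshold: int = 3) -> set:
    """Sessions that requested at least `threshold` distinct receipts."""
    counts = distinct_order_ids_per_session(lines)
    return {sess for sess, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(order_pdf_vulnerable("DemoCustomer", "WSCO10001"))  # leaks another user's order
    try:
        order_pdf_fixed("DemoCustomer", "WSCO10001")
    except NotFound as exc:
        print("fixed handler refused:", exc)
    print("sessions to review:", flag_enumeration(LOG_LINES))
```

The hardened handler deliberately gives the same not-found outcome for an order that does not exist and for one owned by another customer, so the endpoint stops acting as an oracle for which identifiers are valid. The log check is a detection aid for the period before a fix is deployed, not a substitute for the authorization check itself.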


[jira] [Updated] (OFBIZ-11836) IDOR vulnerability in the order processing feature in ecommerce component

2020-07-03 Thread Jacques Le Roux (Jira)



Jacques Le Roux updated OFBIZ-11836:

Description: 
Harshit Shukla [harshit.sh...@gmail.com|mailto:harshit.sh...@gmail.com] reported 
this IDOR vulnerability to the OFBiz security team, and we thank him for that.

Here is Harshit's message slightly edited:
{quote}[https://demo-stable.ofbiz.apache.org/ecommerce/control/order.pdf?orderId=WSCO1]

In the above URL, the parameter 'orderId' has the value 'WSCO1', and after 
incrementing the value to 'WSCO10001' or 'WSCO10002' it will download the receipts 
of other orders which have been placed by other users.

All the available order receipts can be downloaded by running an automated tool 
(Burp Intruder) on the parameter 'orderId=WSCOX'.

I have successfully tested this by using 2 different accounts: DemoCustomer and 
DemoCustomer2 ([~jleroux] edited)

An attacker can download order receipts of other users and this could lead to 
information disclosure.

The only real solution to this issue is to implement access control. The user 
needs to be authorized for the requested information before the server provides 
it.

Reference: [https://blog.detectify.com/2016/05/25/owasp-top-10-insecure-direct-object-reference-4/]
{quote}
Only ecommerce is affected because we have secure permissions in backorder 
components (ERP)

  was:
Harshit Shukla [mailto:harshit.sh...@gmail.com] reported this IDOR vulnerability 
to the OFBiz security team, and we thank him for that.

I'll later quote here his email message when the vulnerability is fixed. 
It's a post-auth vulnerability so we did not ask for a CVE.

Here is Harshit's message slightly edited:
{quote}
https://demo-stable.ofbiz.apache.org/ecommerce/control/order.pdf?orderId=WSCO1

In the above URL, the parameter 'orderId' has the value 'WSCO1', and after 
incrementing the value to 'WSCO10001' or 'WSCO10002' it will download the receipts 
of other orders which have been placed by other users.

All the available order receipts can be downloaded by running an automated tool 
(Burp Intruder) on the parameter 'orderId=WSCOX'.

I have successfully tested this by using 2 different accounts: DemoCustomer and 
DemoCustomer2 ([~jleroux] edited)

An attacker can download order receipts of other users and this could lead to 
information disclosure.

The only real solution to this issue is to implement access control. The user 
needs to be authorized for the requested information before the server provides 
it.

Reference: https://blog.detectify.com/2016/05/25/owasp-top-10-insecure-direct-object-reference-4/
{quote}

Only ecommerce is affected because we have secure permissions in backorder 
components (ERP)



> IDOR vulnerability in the order processing feature in ecommerce component
> -
>
> Key: OFBIZ-11836
> URL: https://issues.apache.org/jira/browse/OFBIZ-11836
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: ecommerce, order
>Affects Versions: Trunk
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Major
> Fix For: 18.12.01, 17.12.04
>
>
> Harshit Shukla 
> [harshit.sh...@gmail.com|mailto:harshit.sh...@gmail.com] reported this IDOR 
> vulnerability to the OFBiz security team, and we thank him for that.
> Here is Harshit's message slightly edited:
> {quote}[https://demo-stable.ofbiz.apache.org/ecommerce/control/order.pdf?orderId=WSCO1]
> In the above URL, the parameter 'orderId' has the value 'WSCO1', and after 
> incrementing the value to 'WSCO10001' or 'WSCO10002' it will download the 
> receipts of other orders which have been placed by other users.
> All the available order receipts can be downloaded by running an automated 
> tool (Burp Intruder) on the parameter 'orderId=WSCOX'.
> I have successfully tested this by using 2 different accounts: DemoCustomer 
> and DemoCustomer2 ([~jleroux] edited)
> An attacker can download order receipts of other users and this could lead to 
> information disclosure.
> The only real solution to this issue is to implement access control. The user 
> needs to be authorized for the requested information before the server 
> provides it.
> Reference: [https://blog.detectify.com/2016/05/25/owasp-top-10-insecure-direct-object-reference-4/]
> {quote}
> Only ecommerce is affected because we have secure permissions in backorder 
> components (ERP)





[jira] [Updated] (OFBIZ-11836) IDOR vulnerability in the order processing feature in ecommerce component

2020-06-30 Thread Jacques Le Roux (Jira)



Jacques Le Roux updated OFBIZ-11836:

Summary: IDOR vulnerability in the order processing feature in ecommerce 
component  (was: IDOR vulnerability in the order processing feature in 
ecommerce component (CVE-2020-13923))

> IDOR vulnerability in the order processing feature in ecommerce component
> -
>
> Key: OFBIZ-11836
> URL: https://issues.apache.org/jira/browse/OFBIZ-11836
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: ecommerce, order
>Affects Versions: Trunk
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Major
> Fix For: 18.12.01, 17.12.04
>
>
> Harshit Shukla [mailto:harshit.sh...@gmail.com] reported this IDOR 
> vulnerability to the OFBiz security team, and we thank him for that.
> I'll later quote here his email message when the vulnerability is fixed. 
> It's a post-auth vulnerability so we did not ask for a CVE.
> Here is Harshit's message slightly edited:
> {quote}
> https://demo-stable.ofbiz.apache.org/ecommerce/control/order.pdf?orderId=WSCO1
> In the above URL, the parameter 'orderId' has the value 'WSCO1', and after 
> incrementing the value to 'WSCO10001' or 'WSCO10002' it will download the 
> receipts of other orders which have been placed by other users.
> All the available order receipts can be downloaded by running an automated 
> tool (Burp Intruder) on the parameter 'orderId=WSCOX'.
> I have successfully tested this by using 2 different accounts: DemoCustomer 
> and DemoCustomer2 ([~jleroux] edited)
> An attacker can download order receipts of other users and this could lead to 
> information disclosure.
> The only real solution to this issue is to implement access control. The user 
> needs to be authorized for the requested information before the server 
> provides it.
> Reference: https://blog.detectify.com/2016/05/25/owasp-top-10-insecure-direct-object-reference-4/
> {quote}
> Only ecommerce is affected because we have secure permissions in backorder 
> components (ERP)





[jira] [Updated] (OFBIZ-11836) IDOR vulnerability in the order processing feature in ecommerce component (CVE-2020-13923)

2020-06-30 Thread Jacques Le Roux (Jira)



Jacques Le Roux updated OFBIZ-11836:

Summary: IDOR vulnerability in the order processing feature in ecommerce 
component (CVE-2020-13923)  (was: IDOR vulnerability in the order processing 
feature in ecommerce component)

> IDOR vulnerability in the order processing feature in ecommerce component 
> (CVE-2020-13923)
> --
>
> Key: OFBIZ-11836
> URL: https://issues.apache.org/jira/browse/OFBIZ-11836
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: ecommerce, order
>Affects Versions: Trunk
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Major
> Fix For: 18.12.01, 17.12.04
>
>
> Harshit Shukla [mailto:harshit.sh...@gmail.com] reported this IDOR 
> vulnerability to the OFBiz security team, and we thank him for that.
> I'll later quote here his email message when the vulnerability is fixed. 
> It's a post-auth vulnerability so we did not ask for a CVE.
> Here is Harshit's message slightly edited:
> {quote}
> https://demo-stable.ofbiz.apache.org/ecommerce/control/order.pdf?orderId=WSCO1
> In the above URL, the parameter 'orderId' has the value 'WSCO1', and after 
> incrementing the value to 'WSCO10001' or 'WSCO10002' it will download the 
> receipts of other orders which have been placed by other users.
> All the available order receipts can be downloaded by running an automated 
> tool (Burp Intruder) on the parameter 'orderId=WSCOX'.
> I have successfully tested this by using 2 different accounts: DemoCustomer 
> and DemoCustomer2 ([~jleroux] edited)
> An attacker can download order receipts of other users and this could lead to 
> information disclosure.
> The only real solution to this issue is to implement access control. The user 
> needs to be authorized for the requested information before the server 
> provides it.
> Reference: https://blog.detectify.com/2016/05/25/owasp-top-10-insecure-direct-object-reference-4/
> {quote}
> Only ecommerce is affected because we have secure permissions in backorder 
> components (ERP)





[jira] [Updated] (OFBIZ-11836) IDOR vulnerability in the order processing feature in ecommerce component

2020-06-26 Thread Jacques Le Roux (Jira)



Jacques Le Roux updated OFBIZ-11836:

Description: 
Harshit Shukla [mailto:harshit.sh...@gmail.com] reported this IDOR vulnerability 
to the OFBiz security team, and we thank him for that.

I'll later quote here his email message when the vulnerability is fixed. 
It's a post-auth vulnerability so we did not ask for a CVE.

Here is Harshit's message slightly edited:
{quote}
https://demo-stable.ofbiz.apache.org/ecommerce/control/order.pdf?orderId=WSCO1

In the above URL, the parameter 'orderId' has the value 'WSCO1', and after 
incrementing the value to 'WSCO10001' or 'WSCO10002' it will download the receipts 
of other orders which have been placed by other users.

All the available order receipts can be downloaded by running an automated tool 
(Burp Intruder) on the parameter 'orderId=WSCOX'.

I have successfully tested this by using 2 different accounts: DemoCustomer and 
DemoCustomer2 ([~jleroux] edited)

An attacker can download order receipts of other users and this could lead to 
information disclosure.

The only real solution to this issue is to implement access control. The user 
needs to be authorized for the requested information before the server provides 
it.

Reference: https://blog.detectify.com/2016/05/25/owasp-top-10-insecure-direct-object-reference-4/
{quote}

Only ecommerce is affected because we have secure permissions in backorder 
components (ERP)


  was:
Harshit Shukla [mailto:harshit.sh...@gmail.com] reported this IDOR vulnerability 
to the OFBiz security team, and we thank him for that.

I'll later quote here his email message when the vulnerability is fixed. 
It's a post-auth vulnerability so we did not ask for a CVE.



> IDOR vulnerability in the order processing feature in ecommerce component
> -
>
> Key: OFBIZ-11836
> URL: https://issues.apache.org/jira/browse/OFBIZ-11836
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: ecommerce, order
>Affects Versions: Trunk
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Major
>
> Harshit Shukla [mailto:harshit.sh...@gmail.com] reported this IDOR 
> vulnerability to the OFBiz security team, and we thank him for that.
> I'll later quote here his email message when the vulnerability is fixed. 
> It's a post-auth vulnerability so we did not ask for a CVE.
> Here is Harshit's message slightly edited:
> {quote}
> https://demo-stable.ofbiz.apache.org/ecommerce/control/order.pdf?orderId=WSCO1
> In the above URL, the parameter 'orderId' has the value 'WSCO1', and after 
> incrementing the value to 'WSCO10001' or 'WSCO10002' it will download the 
> receipts of other orders which have been placed by other users.
> All the available order receipts can be downloaded by running an automated 
> tool (Burp Intruder) on the parameter 'orderId=WSCOX'.
> I have successfully tested this by using 2 different accounts: DemoCustomer 
> and DemoCustomer2 ([~jleroux] edited)
> An attacker can download order receipts of other users and this could lead to 
> information disclosure.
> The only real solution to this issue is to implement access control. The user 
> needs to be authorized for the requested information before the server 
> provides it.
> Reference: https://blog.detectify.com/2016/05/25/owasp-top-10-insecure-direct-object-reference-4/
> {quote}
> Only ecommerce is affected because we have secure permissions in backorder 
> components (ERP)





[jira] [Updated] (OFBIZ-11836) IDOR vulnerability in the order processing feature in ecommerce component

2020-06-26 Thread Jacques Le Roux (Jira)



Jacques Le Roux updated OFBIZ-11836:

Summary: IDOR vulnerability in the order processing feature in ecommerce 
component  (was: IDOR vulnerability in the order processing feature)

> IDOR vulnerability in the order processing feature in ecommerce component
> -
>
> Key: OFBIZ-11836
> URL: https://issues.apache.org/jira/browse/OFBIZ-11836
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: ecommerce, order
>Affects Versions: Trunk
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Major
>
> Harshit Shukla [mailto:harshit.sh...@gmail.com] reported this IDOR 
> vulnerability to the OFBiz security team, and we thank him for that.
> I'll later quote here his email message when the vulnerability is fixed. 
> It's a post-auth vulnerability so we did not ask for a CVE.


