Forrest Rae created OFBIZ-6207:
----------------------------------

             Summary: Anyone can view any Request or Quote
                 Key: OFBIZ-6207
                 URL: https://issues.apache.org/jira/browse/OFBIZ-6207
             Project: OFBiz
          Issue Type: Bug
          Components: specialpurpose/ecommerce
    Affects Versions: Trunk
            Reporter: Forrest Rae
            Priority: Critical
         Attachments: OFBIZ-6207.patch

This is a security bug in the ecommerce application.  Anyone can view any quote 
or request in the system regardless of the associated partyId.  They can do 
this via URL parameter manipulation.

Reproduction:
1) Login to the ecommerce application as DemoCustomer.
2) Navigate to 
http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9000
 to view your own request.
3) Navigate to 
http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9001
 to view DemoCustAgent's request.
4) Navigate to 
http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9002
 to view DemoCustomer2's request.

Same goes for Quotes, although there are no quotes in the Demo data.  The 
attach patch fixes this issue.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to