Return-Path: X-Original-To: apmail-ofbiz-dev-archive@www.apache.org Delivered-To: apmail-ofbiz-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 3E94317AFB for ; Tue, 5 May 2015 10:34:01 +0000 (UTC) Received: (qmail 37665 invoked by uid 500); 5 May 2015 10:34:00 -0000 Delivered-To: apmail-ofbiz-dev-archive@ofbiz.apache.org Received: (qmail 37637 invoked by uid 500); 5 May 2015 10:34:00 -0000 Mailing-List: contact dev-help@ofbiz.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@ofbiz.apache.org Delivered-To: mailing list dev@ofbiz.apache.org Received: (qmail 37518 invoked by uid 99); 5 May 2015 10:34:00 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 05 May 2015 10:34:00 +0000 Date: Tue, 5 May 2015 10:34:00 +0000 (UTC) From: "Deepak Dixit (JIRA)" To: dev@ofbiz.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (OFBIZ-6207) Anyone can view any Request or Quote MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/OFBIZ-6207?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14528238#comment-14528238 ] Deepak Dixit commented on OFBIZ-6207: ------------------------------------- Thanks Forrest Rae for the but report and patch. Ps: Please do not mix formatting changes with functional changes, its difficult to review the patch > Anyone can view any Request or Quote > ------------------------------------ > > Key: OFBIZ-6207 > URL: https://issues.apache.org/jira/browse/OFBIZ-6207 > Project: OFBiz > Issue Type: Bug > Components: specialpurpose/ecommerce > Affects Versions: Trunk, 13.07.01 > Reporter: Forrest Rae > Assignee: Deepak Dixit > Priority: Critical > Labels: security > Attachments: OFBIZ-6207-fourth-attempt.patch > > > This is a security bug in the ecommerce application. Anyone can view any quote or request in the system regardless of the associated partyId. They can do this via URL parameter manipulation. > Reproduction: > 1) Login to the ecommerce application as DemoCustomer. > 2) Navigate to http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9000 to view your own request. > 3) Navigate to http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9001 to view DemoCustAgent's request. > 4) Navigate to http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9002 to view DemoCustomer2's request. > Same goes for Quotes, although there are no quotes in the Demo data. The attach patch fixes this issue. > Would like this issue back ported to release 13.07 please. -- This message was sent by Atlassian JIRA (v6.3.4#6332)