Security issue?

Posted: Sat Oct 10, 2009 1:24 am
by robgrigg
Hi,
whilst making some modifications to the receipt page I noticed that the order shown is controlled by the open query string.

Checkout/Receipt.aspx?OrderNumber=18&OrderId=118

by simply changing this to;

Checkout/Receipt.aspx?OrderNumber=17&OrderId=117

I was able to see an order for a different user. I am sure this has been addressed, can you please let me know what to do to remove this issue.

Cheers,

Rob.

Re: Security issue?

Posted: Sat Oct 10, 2009 4:30 am
by mazhar
I am unable to reproduce it on 7.0.3. What is your application version?

Re: Security issue?

Posted: Sat Oct 10, 2009 6:21 am
by jmestep
I was unable to reproduce on 7.0.2. Have you changed the web.config file in the members folder where it denies all users except on the wishlist?

Re: Security issue?

Posted: Sat Oct 10, 2009 9:40 am
by igavemybest
Can you do this just when logged in as an admin? You said you were modifying something. Try it not logged in as an admin.
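
Added example, not part of the thread and not the store software's own code: a server-side check of the kind the replies are testing for, where Receipt.aspx would show an order only to its owner or to an admin, whatever OrderNumber and OrderId the query string carries. The Order and Caller types, the ReceiptAccess.Resolve helper and the sample orders are hypothetical and constructed for illustration.

```csharp
#nullable enable
using System;
using System.Collections.Generic;

// Hypothetical types for illustration; not the store software's real API.
public sealed record Order(int OrderId, int OrderNumber, string OwnerUserId);
public sealed record Caller(string UserId, bool IsAuthenticated, bool IsAdmin);

public static class ReceiptAccess
{
    // Constructed sample data standing in for the order table.
    private static readonly Dictionary<int, Order> Orders = new()
    {
        [117] = new Order(117, 17, "alice"),
        [118] = new Order(118, 18, "rob"),
    };

    // Returns the order only if the caller may view it, otherwise null.
    // "No such order" and "not your order" give the same result, so the
    // response does not reveal which order ids exist.
    public static Order? Resolve(string? orderIdParam, string? orderNumberParam, Caller caller)
    {
        if (!caller.IsAuthenticated) return null;                       // anonymous visitors never see receipts
        if (!int.TryParse(orderIdParam, out var orderId)) return null;  // reject non-numeric input
        if (!int.TryParse(orderNumberParam, out var orderNumber)) return null;
        if (!Orders.TryGetValue(orderId, out var order)) return null;
        if (order.OrderNumber != orderNumber) return null;              // both query string keys must agree
        bool owns = string.Equals(order.OwnerUserId, caller.UserId, StringComparison.Ordinal);
        return (owns || caller.IsAdmin) ? order : null;                 // admins may view any order
    }

    public static void Main()
    {
        var rob = new Caller("rob", IsAuthenticated: true, IsAdmin: false);
        var admin = new Caller("storeadmin", IsAuthenticated: true, IsAdmin: true);
        var anonymous = new Caller("", IsAuthenticated: false, IsAdmin: false);

        // The two URLs from the first post, requested by different callers.
        Console.WriteLine($"rob, own order 118:       {Resolve("118", "18", rob) != null}");
        Console.WriteLine($"rob, other order 117:     {Resolve("117", "17", rob) != null}");
        Console.WriteLine($"admin, order 117:         {Resolve("117", "17", admin) != null}");
        Console.WriteLine($"anonymous, order 118:     {Resolve("118", "18", anonymous) != null}");
        Console.WriteLine($"rob, mismatched 118/17:   {Resolve("118", "17", rob) != null}");
    }
}
```

Running the same two URLs as an admin and as an ordinary customer, as suggested in the last reply, separates the admin case from a missing ownership check.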