Security issue?

For general questions and discussions specific to the AbleCommerce 7.0 Asp.Net product.
robgrigg
Lieutenant (LT)
Posts: 76
Joined: Fri Jun 12, 2009 2:22 am

Security issue?

Post by robgrigg » Sat Oct 10, 2009 1:24 am

Hi,
whilst making some modifications to the receipt page I noticed that the order shown is controlled by the open query string.

Checkout/Receipt.aspx?OrderNumber=18&OrderId=118

by simply changing this to;

Checkout/Receipt.aspx?OrderNumber=17&OrderId=117

I was able to see an order for a different user. I am sure this has been addressed, can you please let me know what to do to remove this issue.

Cheers,

Rob.

mazhar
Master Yoda
Posts: 5084
Joined: Wed Jul 09, 2008 8:21 am

Re: Security issue?

Post by mazhar » Sat Oct 10, 2009 4:30 am

I am unable to reproduce it on 7.0.3. What is your application version?

jmestep
AbleCommerce Angel
Posts: 8164
Joined: Sun Feb 29, 2004 8:04 pm
Location: Dayton, OH

Re: Security issue?

Post by jmestep » Sat Oct 10, 2009 6:21 am

I was unable to reproduce on 7.0.2. Have you changed the web.config file in the members folder where it denies all users except on the wishlist?
Judy Estep
Web Developer
jestep@web2market.com
http://www.web2market.com
708-653-3100 x209
New search report plugin for business intelligence:
http://www.web2market.com/Search-Report ... -P154.aspx

igavemybest
Captain (CAPT)
Posts: 388
Joined: Sun Apr 06, 2008 5:47 pm

Re: Security issue?

Post by igavemybest » Sat Oct 10, 2009 9:40 am

Can you do this just when logged in as an admin? You said you were modifying something. Try it not logged in as an admin.

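The check this thread turns on, as an added example that is not part of any post above and is not AbleCommerce code: the receipt lookup takes ownership from the authenticated session rather than from `OrderNumber`/`OrderId` in the URL, and an admin session is allowed through, which is the case igavemybest asks about. The types `Order`, `Caller` and `ReceiptAccess`, the user ids and the in-memory order table are hypothetical and constructed for illustration.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical types for illustration; these are not AbleCommerce classes.
public sealed record Order(int OrderId, int OrderNumber, int OwnerUserId);
public sealed record Caller(int? UserId, bool IsAdmin);   // UserId == null means anonymous

public static class ReceiptAccess
{
    // Constructed sample data standing in for the order table.
    private static readonly Dictionary<int, Order> Orders = new()
    {
        [117] = new Order(117, 17, OwnerUserId: 501),
        [118] = new Order(118, 18, OwnerUserId: 502),
    };

    // Returns the order only when the caller is allowed to see it.
    // Every failure returns null so the page can answer identically
    // for "no such order" and "not your order".
    public static Order? Resolve(Caller caller, string? orderIdParam, string? orderNumberParam)
    {
        if (caller.UserId is null) return null;                       // anonymous: never
        if (!int.TryParse(orderIdParam, out int orderId)) return null;
        if (!int.TryParse(orderNumberParam, out int orderNumber)) return null;
        if (!Orders.TryGetValue(orderId, out Order? order)) return null;
        if (order.OrderNumber != orderNumber) return null;            // mismatched pair
        // Ownership comes from the authenticated session, not from the URL.
        if (order.OwnerUserId != caller.UserId && !caller.IsAdmin) return null;
        return order;
    }

    public static void Main()
    {
        var customer = new Caller(502, IsAdmin: false);
        var admin = new Caller(1, IsAdmin: true);
        var anonymous = new Caller(null, IsAdmin: false);

        Console.WriteLine(Resolve(customer, "118", "18") is not null);   // customer's own order
        Console.WriteLine(Resolve(customer, "117", "17") is not null);   // another user's order
        Console.WriteLine(Resolve(admin, "117", "17") is not null);      // admin session
        Console.WriteLine(Resolve(anonymous, "118", "18") is not null);  // not logged in
    }
}
```

Running the same four requests against a real store, once as a normal customer and once as an admin, separates a missing ownership check from the expected admin view.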