It seems that customers can view each other's details
e.g.
orders/number/ORD-723
shows names/address details, and just by changing the order number you can see other details?
How do I fix this?
Provide more information
as well as:
http://forum.virtuemart.net/index.php?topic=79799.0
VirtueMart 3.0.18
PHP 5.4.45
Joomla 3.6.5
I don't want to give live site info - but the customer details are viewable by anyone who is logged in "registered"
Hi!
The details of the order are visible even if you are not logged in, but the URL must contain the order number and password of the order, which in principle only the real buyer knows.
Jose
It's viewable with URLs like this
For example, order was 620:
http://upsobags.co.uk/bags/orders/number/ORD-620
If I'm logged in (registered user), I can change that 620 to 723
http://upsobags.co.uk/bags/orders/number/ORD-723
Then I can see the order details and all of the other information on that order.
So there is no need for a username/password in the URL
I am using version VM 3.2.3.9587 and I cannot see an order without passing the password in the URL. The same happens whether logged in or not.
Jose
Quote:
VirtueMart 3.0.18
PHP 5.4.45
Joomla 3.6.5
All these software versions are out of date
Joomla has vulnerabilities stated on their security pages
VM is also out of date
I suggest you upgrade before going any further:
http://virtuemart.net/news/latest-news/480-security-release-of-joomla-3-7-be-prepared
https://developer.joomla.org/security-centre.html
That is now all updated to latest version - there are no signs of any compromise on the server - no file modifications etc.
Any ideas of what to do - it is still possible to access all invoices by those URLs
Joomla version, 3.7.4.
PHP 5.4.45
VirtueMart 3.2.2
Make sure you are not logged in as admin or customer
Then try and use those URLs
You will see this "restricted access" message
It does seem to be fixed now after the Joomla/VirtueMart update
It was possible for customers who logged in to see other customers' order details (so logged in as registered users)
Are you confirming that after the update, that this is no longer an issue for you?
That's correct
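
The access rule discussed in this thread (an order is shown to the account that placed it, or to a request that carries the order's password), sketched as an added example. This is not VirtueMart's code and was not posted by anyone in the thread; the function, array and field names are hypothetical, the sample orders are constructed, and the code assumes PHP 7.1 or later.

```php
<?php
// Added illustration, not VirtueMart code. All names below are hypothetical.

// Constructed sample orders: order number => owning user id and per-order password.
$orders = [
    'ORD-620' => ['user_id' => 42, 'order_pass' => 'p_k3v9xq'],
    'ORD-723' => ['user_id' => 57, 'order_pass' => 'p_z81mtd'],
];

/**
 * Decide whether a request may view an order.
 * $userId is 0 for a guest, $isAdmin marks a shop administrator,
 * $suppliedPass is the order password taken from the URL, or null if absent.
 */
function canViewOrder(array $orders, string $orderNumber, int $userId, bool $isAdmin, ?string $suppliedPass): bool
{
    if (!isset($orders[$orderNumber])) {
        return false; // unknown order gets the same answer as "not allowed"
    }
    $order = $orders[$orderNumber];

    if ($isAdmin) {
        return true;
    }
    // Being logged in is not enough: the order must belong to this account.
    if ($userId > 0 && $order['user_id'] === $userId) {
        return true;
    }
    // Everyone else must present the order password; compare in constant time.
    return $suppliedPass !== null && hash_equals($order['order_pass'], $suppliedPass);
}

// Registered user 42 views their own order, then edits the number in the URL.
var_dump(canViewOrder($orders, 'ORD-620', 42, false, null));
var_dump(canViewOrder($orders, 'ORD-723', 42, false, null));
// Guest requests with the correct and with a wrong order password.
var_dump(canViewOrder($orders, 'ORD-723', 0, false, 'p_z81mtd'));
var_dump(canViewOrder($orders, 'ORD-723', 0, false, 'wrong'));
```

The second call is the case reported at the top of the thread: a logged-in customer changing only the order number, which has to be refused unless the order password is also supplied.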