VirtueMart Forum

VirtueMart 2 + 3 + 4 => Security (https) / Performance / SEO, SEF, URLs => Topic started by: tomphillipspcs on July 26, 2017, 11:28:30 AM

Title: customer details viewable
Post by: tomphillipspcs on July 26, 2017, 11:28:30 AM
It seems that customers can view each other's details

eg

orders/number/ORD-723

shows names/address details, and just by changing the order number you can see other customers' details?

How do I fix this?
Title: Re: customer details viewable
Post by: AH on July 26, 2017, 14:04:07 PM
Provide more information

as well as:

http://forum.virtuemart.net/index.php?topic=79799.0
Title: Re: customer details viewable
Post by: tomphillipspcs on July 26, 2017, 14:59:02 PM
VirtueMart 3.0.18
PHP 5.4.45
Joomla 3.6.5

I don't want to give live site info - but the customer details are viewable by anyone who is logged in as "registered"

Title: Re: customer details viewable
Post by: Jose M. on July 26, 2017, 18:01:38 PM
Hi!
The details of the order are visible even if you are not logged in, but the url must contain the order number and password of the order, which in principle only the real buyer knows.

Jose
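As an added illustration (not VirtueMart's own code), the rule Jose describes written as a stand-alone PHP function: an order is shown only to its owner or to a caller presenting that order's password, so a logged-in user who merely edits the number in the URL is refused. The in-memory order table, the password hashing and the function name are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Constructed sample data (assumption): order number => owner user id and a
// hash of the per-order password that VirtueMart normally puts in the order URL.
$orders = [
    'ORD-620' => ['user_id' => 42, 'pw_hash' => password_hash('s3cret-620', PASSWORD_DEFAULT)],
    'ORD-723' => ['user_id' => 77, 'pw_hash' => password_hash('s3cret-723', PASSWORD_DEFAULT)],
];

/**
 * Authorization check for viewing an order (hypothetical helper, not a VirtueMart API).
 * Grants access only if the authenticated user owns the order, or the request
 * carries the order's own password. Being logged in as "registered" is not enough.
 */
function mayViewOrder(array $orders, string $orderNumber, ?int $currentUserId, ?string $orderPassword): bool
{
    if (!isset($orders[$orderNumber])) {
        // Unknown order: answer exactly like "forbidden" so the response does not
        // reveal which order numbers exist.
        return false;
    }
    $order = $orders[$orderNumber];

    // Path 1: the logged-in user is the buyer of this order.
    if ($currentUserId !== null && $currentUserId === $order['user_id']) {
        return true;
    }

    // Path 2: guest access with the order password (password_verify is constant-time).
    if ($orderPassword !== null && password_verify($orderPassword, $order['pw_hash'])) {
        return true;
    }

    // Everything else is denied; a controller would log this for detection of
    // sequential order-number requests from one account.
    return false;
}

// Usage mirroring the thread: user 42 owns ORD-620 and edits the URL to ORD-723.
var_dump(mayViewOrder($orders, 'ORD-620', 42, null));           // own order, no password
var_dump(mayViewOrder($orders, 'ORD-723', 42, null));           // another buyer's order
var_dump(mayViewOrder($orders, 'ORD-723', null, 's3cret-723')); // guest with the order password
var_dump(mayViewOrder($orders, 'ORD-723', null, 'wrong'));      // guest with a wrong password
```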
Title: Re: customer details viewable
Post by: tomphillipspcs on July 26, 2017, 18:41:19 PM
It's viewable with URLs like this

For example, order was 620:
http://upsobags.co.uk/bags/orders/number/ORD-620

If I'm logged in (registered user), I can change that 620 to 723

http://upsobags.co.uk/bags/orders/number/ORD-723

Then I can see the order details and all of the other information on that order.

so there is no need for a username/password in the URL

Title: Re: customer details viewable
Post by: Jose M. on July 26, 2017, 19:04:48 PM
I am using version VM 3.2.3.9587 and I cannot see an order without passing the password in the URL. It is the same whether logged in or not.

Jose
Title: Re: customer details viewable
Post by: AH on July 27, 2017, 10:49:14 AM
Quote:
VirtueMart 3.0.18
PHP 5.4.45
Joomla 3.6.5

All these software versions are out of date

Joomla has vulnerabilities stated on their security pages
VM is also out of date

I suggest you upgrade before going any further:

http://virtuemart.net/news/latest-news/480-security-release-of-joomla-3-7-be-prepared

https://developer.joomla.org/security-centre.html

Title: Re: customer details viewable
Post by: tomphillipspcs on July 27, 2017, 12:54:31 PM
That is now all updated to the latest version - there are no signs of any compromise on the server - no file modifications etc.

Any ideas of what to do - it is still possible to access all invoices by those URLs

Joomla version 3.7.4
PHP 5.4.45
VirtueMart 3.2.2
Title: Re: customer details viewable
Post by: AH on July 27, 2017, 13:17:14 PM
Make sure you are not logged in as admin or customer

Then try and use those URLs

you will see this "restricted access" message

Title: Re: customer details viewable
Post by: tomphillipspcs on July 27, 2017, 13:20:21 PM
It does seem to be fixed now after the Joomla/VirtueMart update

It was possible for customers who logged in to see other customers' order details (so logged in as registered users)

Title: Re: customer details viewable
Post by: AH on July 27, 2017, 13:38:20 PM
Are you confirming that after the update, that this is no longer an issue for you?
Title: Re: customer details viewable
Post by: tomphillipspcs on July 27, 2017, 14:29:19 PM
That's correct