VirtueMart Forum

VirtueMart 2 + 3 => Virtuemart Development and bug reports => Topic started by: magabriel on February 09, 2012, 08:13:26 am

Title: Security bug: registered user can view address of another user on checkout
Post by: magabriel on February 09, 2012, 08:13:26 am
Joomla 1.7 Vm 2.0.2

During checkout, a registered user can view the address of another user. Steps to reproduce:
1. Put something in the cart.
2. Check out and register or log in as a user (user1).
3. Create an alternative shipping address for user1 and return to the cart view. Now user1 should have 2 addresses: the normal billing address and an alternative shipping address.
4. Click the button "Add address" under the column "Shipment address" and the "Add address" page is shown, where at the bottom you should find a clickable list of all the alternative addresses for this user (only one, as created in step 2).
5. And now, if you click on the alt address link you will see that it is of the following form: http://example.com/index.php/shop/user/edit_cart_ship_to?cid[0]=50&virtuemart_userinfo_id=5
6. Just change the number in virtuemart_userinfo_id=5 to another one and you will see the address of another registered user, even the shop's main address (which should be number 1).

I think this is a major security bug that can lead to users' private information being disclosed.
Title: Re: Security bug: registered user can view address of another user on checkout
Post by: Milbo on February 09, 2012, 11:05:33 am
You did that as admin?
Title: Re: Security bug: registered user can view address of another user on checkout
Post by: Milbo on February 09, 2012, 22:04:07 pm
For explanation, when you did that as admin, then there is no security leak. I tried to do it as an anonymous user and I get just empty data.
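The report above describes an insecure direct object reference: the address row is selected purely by the `virtuemart_userinfo_id` value taken from the URL, so any logged-in customer can walk the id space. Milbo's replies raise the two cases that must behave differently from a customer's request, an administrator (allowed to see any row) and an anonymous visitor (gets empty data). The block below is an added illustration written for this thread, not VirtueMart's own code: it puts the unscoped lookup beside an owner-scoped one, with an in-memory SQLite table whose name, columns (`virtuemart_userinfo_id`, `virtuemart_user_id`, `address_type`) and rows are constructed assumptions modelled on the parameters in the reported URL.

```python
# Added example, not VirtueMart's code: owner-scoped lookup of the address row
# selected by virtuemart_userinfo_id. Table/column names and data are assumed.
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed sample table: one vendor row plus two customers' addresses."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE userinfos ("
        "virtuemart_userinfo_id INTEGER PRIMARY KEY,"
        "virtuemart_user_id INTEGER NOT NULL,"  # owner of the row (assumed column)
        "address_type TEXT NOT NULL,"           # 'BT' billing, 'ST' alt. shipping
        "address TEXT NOT NULL)"
    )
    db.executemany(
        "INSERT INTO userinfos VALUES (?, ?, ?, ?)",
        [
            (1, 0, "BT", "Shop main address"),            # vendor row, id 1
            (4, 101, "BT", "user1 billing address"),
            (5, 101, "ST", "user1 alternative shipping address"),
            (6, 102, "BT", "user2 billing address"),
        ],
    )
    return db


def load_address_unscoped(db: sqlite3.Connection, userinfo_id: int) -> Optional[str]:
    """Vulnerable shape: trusts the id from the URL, so any row is returned."""
    row = db.execute(
        "SELECT address FROM userinfos WHERE virtuemart_userinfo_id = ?",
        (userinfo_id,),
    ).fetchone()
    return row[0] if row else None


def load_address_scoped(
    db: sqlite3.Connection,
    userinfo_id: int,
    current_user_id: Optional[int],
    is_admin: bool = False,
) -> Optional[str]:
    """Fixed shape: the row must belong to the logged-in user.

    Anonymous visitors (current_user_id is None) get nothing, administrators
    may load any row, and everyone else only rows whose virtuemart_user_id
    matches their own. A foreign id yields None rather than an error, so the
    response does not confirm that the id exists.
    """
    if current_user_id is None:
        return None
    if is_admin:
        return load_address_unscoped(db, userinfo_id)
    row = db.execute(
        "SELECT address FROM userinfos "
        "WHERE virtuemart_userinfo_id = ? AND virtuemart_user_id = ?",
        (userinfo_id, current_user_id),
    ).fetchone()
    return row[0] if row else None


def probe_ids(db: sqlite3.Connection, current_user_id: Optional[int],
              is_admin: bool = False, ids=range(1, 7)) -> dict:
    """Walks the id space the way the reporter did and returns what each
    lookup shape reveals, keyed by id: (unscoped result, scoped result)."""
    return {
        i: (load_address_unscoped(db, i),
            load_address_scoped(db, i, current_user_id, is_admin))
        for i in ids
    }


if __name__ == "__main__":
    db = make_db()
    for i, (leaky, scoped) in probe_ids(db, current_user_id=101).items():
        print(f"id={i}: unscoped={leaky!r:40} scoped={scoped!r}")
```

The point of the scoped query is that the ownership condition is part of the `WHERE` clause itself, so the handler cannot accidentally return a row it then forgets to check; the admin branch is the only place the owner filter is bypassed, and it is gated on a server-side role, never on anything in the request.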