Author Topic: Information disclosure

VampiRUS

  • Beginner
  • *
  • Posts: 9
Information disclosure
« on: April 28, 2013, 02:39:21 am »
A registered user can view all orders placed by guests.
How to reproduce:
1. Make an order without registration, as a guest.
2. Make an order as a registered user.
3. Get the link to the order by clicking the print icon - http://shop/index.php?option=com_virtuemart&view=orders&layout=details&tmpl=component&virtuemart_order_id=2
4. Go to http://shop/index.php?option=com_virtuemart&view=orders&layout=details&tmpl=component&virtuemart_order_id=1
Result: you can see the billing and shipping info.

Problem code:
components/com_virtuemart/views/orders/view.html.php:105
Code:
// Guest orders have no virtuemart_user_id, so this condition is false for them and the body of the if is skipped entirely (step 4 of the report)
if(!empty($orderDetails['details']['BT']->virtuemart_user_id)){

Milbo

  • Virtuemart Projectleader
  • Administrator
  • Super Hero
  • *
  • Posts: 9937
  • VM3.2 Cached and Optimized
    • VM3 Extensions
  • VirtueMart Version: VirtueMart 3 on joomla 3
Re: Information disclosure
« Reply #1 on: April 29, 2013, 11:33:55 am »
Hello VampiRUS,
very interesting error. I will take a look and solve it.
I should fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

Milbo

Re: Information disclosure
« Reply #2 on: April 29, 2013, 14:53:12 pm »
Just use
Code:
if(!class_exists('Permissions')) require(JPATH_VM_ADMINISTRATOR.DS.'helpers'.DS.'permissions.php');
// $cuid is the id of the current Joomla user; assumed to be set earlier in the view, e.g.
// $cuid = JFactory::getUser()->id;
if(!Permissions::getInstance()->check("admin")) {
   // Guest orders carry no owner; normalise to 0 so the comparison below is always defined.
   if(!isset($orderDetails['details']['BT']->virtuemart_user_id)){
      $orderDetails['details']['BT']->virtuemart_user_id = 0;
   }
   // Non-admins may only open their own order. Note that an anonymous visitor also has id 0,
   // so on its own this comparison still lets guest orders (user id 0) be opened without logging in.
   if ($orderDetails['details']['BT']->virtuemart_user_id != $cuid) {
      echo JText::_('COM_VIRTUEMART_RESTRICTED_ACCESS');
      return;
   }
}

But I think I will create a function in the model, which should do it.
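The ownership check from the reply above, worked through as a stand-alone example. This is added code, not VirtueMart's own: the function name canViewOrder, the sample orders and the scenario list are constructed, and the order_number/order_pass pair used to release a guest order is an assumption about how guest access would be handled rather than something this thread specifies. It goes slightly beyond the snippet in one respect: it treats "not logged in" (user id 0) as never equal to "guest order" (owner id 0), which is the case the plain `!= $cuid` comparison does not cover.

```php
<?php
// Added example, not VirtueMart's code: an ownership check for an order-details view
// in the spirit of the fix posted above. canViewOrder, $orders, $scenarios and the
// order_number/order_pass guest secret are constructed assumptions.

/**
 * Decide whether the current request may see an order.
 *
 * @param int        $orderUserId   owner of the order; 0 means guest checkout
 * @param int        $currentUserId id of the logged-in user; 0 when nobody is logged in
 * @param bool       $isAdmin       current user holds the shop admin permission
 * @param array|null $presented     ['order_number' => .., 'order_pass' => ..] sent with the request, or null
 * @param array      $stored        the same pair as stored with the order
 */
function canViewOrder(int $orderUserId, int $currentUserId, bool $isAdmin,
                      ?array $presented, array $stored): bool
{
    if ($isAdmin) {
        return true;                        // admins may open any order
    }
    // A registered owner must actually be logged in (id > 0) and match the order's owner.
    // The explicit > 0 test is what stops "0 == 0" from passing for anonymous visitors.
    if ($currentUserId > 0 && $currentUserId === $orderUserId) {
        return true;
    }
    // A guest order is released only against its own secret pair, never merely
    // because nobody owns it. hash_equals avoids a timing side channel on the compare.
    if ($orderUserId === 0 && $presented !== null) {
        return hash_equals($stored['order_number'], (string)($presented['order_number'] ?? ''))
            && hash_equals($stored['order_pass'],   (string)($presented['order_pass'] ?? ''));
    }
    return false;                           // everything else: restricted
}

// Constructed sample data mirroring the report: order 1 is a guest order, order 2 belongs to user 42.
$orders = [
    1 => ['user_id' => 0,  'order_number' => 'GUEST-0001', 'order_pass' => 'p_9f3a'],
    2 => ['user_id' => 42, 'order_number' => 'REG-0002',   'order_pass' => 'p_17cd'],
];

// label, order id, current user id, admin?, presented guest pair
$scenarios = [
    ['admin opens guest order',                        1, 7,  true,  null],
    ['user 42 opens own order',                        2, 42, false, null],
    ['user 42 opens guest order (the report)',         1, 42, false, null],
    ['anonymous opens guest order, no secret',         1, 0,  false, null],
    ['anonymous opens guest order, correct secret',    1, 0,  false, ['order_number' => 'GUEST-0001', 'order_pass' => 'p_9f3a']],
    ['anonymous opens guest order, wrong secret',      1, 0,  false, ['order_number' => 'GUEST-0001', 'order_pass' => 'nope']],
];

foreach ($scenarios as [$label, $orderId, $uid, $admin, $presented]) {
    $o      = $orders[$orderId];
    $stored = ['order_number' => $o['order_number'], 'order_pass' => $o['order_pass']];
    $allowed = canViewOrder($o['user_id'], $uid, $admin, $presented, $stored);
    printf("%-48s %s\n", $label, $allowed ? 'allowed' : 'COM_VIRTUEMART_RESTRICTED_ACCESS');
}
```

Run it with `php example.php`; only the admin, the owner of order 2, and the anonymous visitor holding the correct secret for order 1 are allowed, which is the property the report says the original `!empty(...)` check lacked.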