
Information disclosure

Started by VampiRUS, April 28, 2013, 02:39:21 AM


VampiRUS

A registered user can view all orders placed by guests.
How to reproduce:
1. Make an order without registration, as a guest.
2. Make an order as a registered user.
3. Get the link to the order by clicking the print icon - http://shop/index.php?option=com_virtuemart&view=orders&layout=details&tmpl=component&virtuemart_order_id=2
4. Go to http://shop/index.php?option=com_virtuemart&view=orders&layout=details&tmpl=component&virtuemart_order_id=1
Result: you can see the billing and shipping info.

Problem code:
components/com_virtuemart/views/orders/view.html.php:105
if(!empty($orderDetails['details']['BT']->virtuemart_user_id)){

Milbo

Hello VampiRUS,
very interesting error. I will take a look and solve it.
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

Milbo

Just use

// load the VirtueMart permissions helper if it is not already available
if(!class_exists('Permissions')) require(JPATH_VM_ADMINISTRATOR.DS.'helpers'.DS.'permissions.php');
// $cuid is the id of the logged-in Joomla user (0 for a guest); the posted snippet
// does not define it, so it is assumed here to come from JFactory::getUser()->id
$cuid = JFactory::getUser()->id;
if(!Permissions::getInstance()->check("admin")) {
   // treat a missing user id (guest checkout) as user 0 instead of skipping the check
   if(!isset($orderDetails['details']['BT']->virtuemart_user_id)){
      $orderDetails['details']['BT']->virtuemart_user_id = 0;
   }
   // non-admins may only see orders that belong to their own user id
   if ($orderDetails['details']['BT']->virtuemart_user_id != $cuid) {
      echo JText::_('COM_VIRTUEMART_RESTRICTED_ACCESS');
      return;
   }
}


But I think I will create a function in the model, which should do it.
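The check at line 105 of the view that VampiRUS quotes and the replacement Milbo posts above, run side by side as an added example. This is not code from the VirtueMart project or from either poster: it models the authorization decision as standalone functions over constructed sample orders so the difference can be executed outside Joomla. The Order class, the function names, the sample rows and the optional per-order secret ($orderPass) are assumptions of this example; the real view uses Permissions::check('admin') and the $orderDetails['details']['BT'] object.

```php
<?php
// Added example, not VirtueMart code. Models the order-details access check from the thread.

final class Order
{
    public $id;
    public $userId;     // virtuemart_user_id of the buyer; 0 (or unset) for guest checkout
    public $orderPass;  // hypothetical per-order secret from the confirmation link (assumed)

    public function __construct(int $id, int $userId, string $orderPass)
    {
        $this->id = $id;
        $this->userId = $userId;
        $this->orderPass = $orderPass;
    }
}

// Constructed sample orders standing in for the two orders in the report:
// order 1 was placed as a guest, order 2 by registered user 42.
function sampleOrders(): array
{
    return [
        1 => new Order(1, 0, 'g1-secret'),
        2 => new Order(2, 42, 'r2-secret'),
    ];
}

// The original logic: ownership is only compared when the order carries a user id,
// so a guest order is shown to any logged-in user who guesses its id.
function canViewVulnerable(Order $order, int $currentUserId, bool $isAdmin): bool
{
    if ($isAdmin) {
        return true;
    }
    if (!empty($order->userId)) {
        return $order->userId === $currentUserId;
    }
    return true; // the bug: a guest order (empty user id) skips the ownership check
}

// Milbo's replacement, restated: a non-admin may only open an order whose user id
// (0 when unset) equals their own id.
function canViewFixed(Order $order, int $currentUserId, bool $isAdmin): bool
{
    if ($isAdmin) {
        return true;
    }
    return $order->userId === $currentUserId;
}

// One step beyond the thread (an assumption of this example, not a VirtueMart feature):
// for a guest order both sides have user id 0, so an anonymous visitor would still match
// every guest order. Requiring a per-order secret from the confirmation link closes that.
function canViewHardened(Order $order, int $currentUserId, bool $isAdmin, string $presentedPass): bool
{
    if (!canViewFixed($order, $currentUserId, $isAdmin)) {
        return false;
    }
    if ($order->userId === 0 && !$isAdmin) {
        return hash_equals($order->orderPass, $presentedPass);
    }
    return true;
}

// Replay the report: user 42, owner of order 2, requests orders 1 and 2.
$orders = sampleOrders();
foreach ([1, 2] as $id) {
    printf("user 42 -> order %d: vulnerable=%s fixed=%s\n",
        $id,
        canViewVulnerable($orders[$id], 42, false) ? 'allowed' : 'denied',
        canViewFixed($orders[$id], 42, false) ? 'allowed' : 'denied');
}
// Anonymous visitor (user id 0) and guest order 1: the fixed check alone still allows it.
printf("guest -> order 1: fixed=%s hardened(no pass)=%s hardened(pass)=%s\n",
    canViewFixed($orders[1], 0, false) ? 'allowed' : 'denied',
    canViewHardened($orders[1], 0, false, '') ? 'allowed' : 'denied',
    canViewHardened($orders[1], 0, false, 'g1-secret') ? 'allowed' : 'denied');
```

Run with `php example.php`. The first loop shows the reported case: the vulnerable check allows user 42 to open guest order 1 while the fixed check denies it, and both allow order 2. The last line shows the residual gap the fixed check leaves for anonymous visitors, which is why the hardened variant asks for a per-order secret on guest orders; whether VirtueMart already issues such a secret is not something this thread states.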