Logged in Customer can view any guest order details

Started by WebStuff, November 08, 2016, 17:20:51 PM


WebStuff

I know random order numbers, or at least a section of them, would partly solve this, but that is not necessarily the issue here. To me the issue is that the order_pass seems not to be checked if the user is logged in and the user id is non-existent because it's a guest account.

If a customer logs in and then goes to the URL index.php?option=com_virtuemart&layout=details&view=orders&order_number=XXXXX&order_pass=p_YYYYYYY to view one of their orders.
If they then change the order_number to one that exists and is for a guest, and delete the "&order_pass=p_YYYYYYY" part from the URL, they can view the details of other customers' orders including address, phone, payment type, etc.

I've managed to get it to work by changing the section in administrator/components/com_virtuemart/models/orders.php from line 184:

if(empty($orderDetails['details']['BT']->virtuemart_user_id)) {
    $sess = JFactory::getSession();
    $orderNumber = vRequest::getString('order_number',$orderNumber);
    $tries = $sess->get('getOrderDetails.'.$orderNumber,0);

    if ($orderPass = vRequest::getString('order_pass',$orderPass)){
        if($tries>5){
            vmError ('Too many tries, Invalid order_number/password userid '.$cuid.' '.$virtuemart_order_id, 'COM_VIRTUEMART_RESTRICTED_ACCESS');
            return false;
        }
        if($orderDetails['details']['order_pass'] != $orderPass){
            $tries++;
            $sess->set('getOrderDetails.'.$orderNumber,$tries);
            vmError(vmText::_('COM_VIRTUEMART_RESTRICTED_ACCESS').' by userid '.$cuid.' '.$virtuemart_order_id, 'COM_VIRTUEMART_RESTRICTED_ACCESS');
            return false;
        } else {
            // ADDED BY ME
            if($tries<5){
                return $orderDetails;
            }
            // END ADDED CODE
            //We could update the invoice with the userid to connect guest orders to the user
        }
    }
    return false; // ADDED BY ME


SEF ON
VirtueMart 3.0.18
Joomla! 3.6.4

K&K media production

Tried with VM 3.0.18.1 and can't confirm this issue.

Ghost


Milbo

I just noticed a missing return false, which gives registered users the opportunity to open "guest" orders, damn.

The normal random chars are 4. So usually the security is still 1336336 (34^4). The problem here is actually that it also does not count the tries. A good reason to make a security fix.
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

Milbo

What about this function?


public function getMyOrderDetails($orderID = 0, $orderNumber = false, $orderPass = false, $userlang=false){

    $_currentUser = JFactory::getUser();
    $cuid = $_currentUser->get('id');

    $virtuemart_order_id = vRequest::getInt('virtuemart_order_id',$orderID) ;
    $orderNumber = vRequest::getString('order_number',$orderNumber);

    $sess = JFactory::getSession();
    $tries = $sess->get('getOrderDetails.'.$orderNumber,0);
    if($tries>5){
        vmDebug ('Too many tries, Invalid order_number/password '.vmText::_('COM_VIRTUEMART_RESTRICTED_ACCESS'));
        vmError ('Too many tries, Invalid order_number/password guest '.$orderNumber.' '.$orderPass , 'COM_VIRTUEMART_RESTRICTED_ACCESS');
        return false;
    }

    //Extra check, when a user is logged in, else we use the guest method
    if(!empty($cuid)){
        if (!$virtuemart_order_id and $orderNumber) {
            $virtuemart_order_id = VirtueMartModelOrders::getOrderIdByOrderNumber($orderNumber);
        }
        if(!empty($virtuemart_order_id)){
            $orderDetails = $this->getOrder($virtuemart_order_id,$userlang);
            if($orderDetails['details']['BT']->virtuemart_user_id == $cuid or vmAccess::manager('orders')) {
                return $orderDetails;
            }
        }
    }

    $orderPass = vRequest::getString('order_pass',$orderPass);

    if (!empty($orderNumber) and !empty($orderPass)){

        $orderId = $this->getOrderIdByOrderPass($orderNumber,$orderPass);
        if($orderId){
            return $this->getOrder($orderId,$userlang);
        }
    }
    $tries++;
    $sess->set('getOrderDetails.'.$orderNumber,$tries);

    vmdebug('getMyOrderDetails COM_VIRTUEMART_RESTRICTED_ACCESS',$orderNumber, $orderPass, $tries);
    vmError(vmText::_('COM_VIRTUEMART_RESTRICTED_ACCESS').' by guest '.$orderNumber.' '.$orderPass, 'COM_VIRTUEMART_RESTRICTED_ACCESS');
    echo vmText::_('COM_VIRTUEMART_RESTRICTED_ACCESS');
    return false;
}


I just turned the logic around, mainly. I had just missed one false: I checked whether a user is not allowed to see the order. The function above checks the opposite, whether a user is allowed to see the order. I think it is easier to understand and also safer, because it uses more of a whitelist than a blacklist. It also now counts every try, regardless of whether you are logged in or not.
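To make the difference between the two shapes concrete (the fall-through WebStuff describes in the first post, and the allow-list version Milbo posts above), here is an added, self-contained PHP example. It is not VirtueMart's code: it models the access decision over a constructed in-memory order table instead of the Joomla session and database, and the names $orders, $session, findOrder(), orderDetailsOld() and orderDetailsNew() are all assumptions of this example. orderDetailsOld() is a simplified reconstruction of the deny-list logic as the thread describes it, not the actual pre-fix source.

```php
<?php
// Added example, not VirtueMart's code: models the access decision of
// getMyOrderDetails() over a constructed in-memory order table so the
// deny-list and allow-list shapes can be compared side by side.
// Assumed names: $orders, $session, findOrder(), orderDetailsOld(), orderDetailsNew().

// Constructed sample data: one order owned by user 42, one guest order.
$orders = [
    ['order_number' => 'ab1001', 'order_pass' => 'p_k3m9',
     'virtuemart_user_id' => 42, 'bt_name' => 'Registered Customer'],
    ['order_number' => 'ab1002', 'order_pass' => 'p_x7q2',
     'virtuemart_user_id' => 0,  'bt_name' => 'Guest Customer'],
];

function findOrder(array $orders, string $orderNumber): ?array
{
    foreach ($orders as $order) {
        if ($order['order_number'] === $orderNumber) {
            return $order;
        }
    }
    return null;
}

// Deny-list shape reconstructed from the thread's description: the pass is only
// checked when one is supplied, so a logged-in user who drops &order_pass from
// the URL falls through to the final return (the missing "return false").
function orderDetailsOld(array $orders, int $cuid, string $orderNumber, ?string $orderPass): ?array
{
    $order = findOrder($orders, $orderNumber);
    if ($order === null) {
        return null;
    }
    if (empty($order['virtuemart_user_id'])) {           // guest order
        if ($orderPass !== null && $orderPass !== '') {
            if ($order['order_pass'] !== $orderPass) {
                return null;
            }
        }
        // no "return null" here when the pass is absent: this is the leak
    } elseif ($order['virtuemart_user_id'] !== $cuid) {  // someone else's registered order
        return null;
    }
    return $order;
}

// Allow-list shape of the corrected function: return the order only on an explicit
// grant (owner/manager, or matching order_pass); every other path is denied and
// counted against the order number, whether or not the caller is logged in.
function orderDetailsNew(array $orders, array &$session, int $cuid, string $orderNumber,
                         ?string $orderPass, bool $isManager = false): ?array
{
    $key   = 'getOrderDetails.' . $orderNumber;
    $tries = $session[$key] ?? 0;
    if ($tries > 5) {
        return null;                                      // locked for this order number
    }
    $order = findOrder($orders, $orderNumber);
    if ($order !== null && $cuid > 0
        && ($order['virtuemart_user_id'] === $cuid || $isManager)) {
        return $order;                                    // grant 1: owner or order manager
    }
    if ($order !== null && $orderPass !== null && $orderPass !== ''
        && hash_equals($order['order_pass'], $orderPass)) {
        return $order;                                    // grant 2: guest method, correct pass
    }
    $session[$key] = $tries + 1;                          // default: deny and count the try
    return null;
}

// Walk-through: user 42 is logged in and requests the guest order ab1002.
$session = [];
$cases = [
    'old, logged in, pass removed' => orderDetailsOld($orders, 42, 'ab1002', null),
    'new, logged in, pass removed' => orderDetailsNew($orders, $session, 42, 'ab1002', null),
    'new, logged in, correct pass' => orderDetailsNew($orders, $session, 42, 'ab1002', 'p_x7q2'),
    'new, own order, no pass'      => orderDetailsNew($orders, $session, 42, 'ab1001', null),
];
foreach ($cases as $label => $result) {
    printf("%-30s %s\n", $label, $result === null ? 'denied' : 'shown: ' . $result['bt_name']);
}
// Six wrong guesses against ab1002 as a guest; afterwards even the correct pass is refused.
for ($i = 0; $i < 6; $i++) {
    orderDetailsNew($orders, $session, 0, 'ab1002', 'wrong');
}
printf("%-30s %s\n", 'new, after 6 bad tries',
    orderDetailsNew($orders, $session, 0, 'ab1002', 'p_x7q2') === null ? 'denied' : 'shown');
```

Run it with `php example.php`. The first case is the leak from the opening post: the old shape shows the guest order to a logged-in user who simply removed the pass from the URL, while the new shape denies it and only shows the order for the owner or for a correct order_pass. The last case shows the other point Milbo makes, that tries are counted per order number on every denied path, so the 34^4 space of the pass cannot be walked through one request at a time. hash_equals() is used for the pass comparison so that the check does not leak timing information; the original code uses a plain database lookup, which is a separate design choice.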

WebStuff

Hi Milbo,
Sorry for late reply. The new function getMyOrderDetails seems to have fixed the problem and I'm no longer able to get guest order information if logged in. Thanks very much for your help on this.

amymattian

Hi,

Got the same problem after updating to version 3.0.18. But interestingly, all the orders that were reported as showing in Google results were from the year 2013. So I did some research and found this forum post from 2013:
https://forum.virtuemart.net/index.php?topic=116440.15

We have now deleted all orders from the year 2013 and have added a restriction for access for non-logged in users.

G: Anne

amymattian

Hi,

While this code has prevented the order details from showing up, Google is still somehow seeing the invoices and packing lists, and their links are appearing in Google results. These are the links where you have the order ID, order number and ORDER PASSWORD visible. How can Google see these links so that they end up in the Google search results?

- Anne

jjk

Quote from: amymattian on December 01, 2016, 11:38:07 AM
How can Google see these links and they end up in the Google search results?

Three things which come into my mind:
1. Check your 'Safe path' in the VM configuration. Maybe you set it to a public folder like 'htdocs', 'html' or 'public_html' (depends on your server setup).
2. Check whether you renamed htaccess.txt to .htaccess in your root folder.
3. Check whether your site was hacked before you updated to Joomla 3.6.4 (especially check the user access rights).
Non-English Shops: Are your language files up to date?
http://virtuemart.net/community/translations