Author Topic: customer details viewable (Read 1291 times)

tomphillipspcs · « **on:** July 26, 2017, 11:28:30 am »

It seems that customers can view each others details

eg

orders/number/ORD-723

shows names/address details, and just by chagnign order number you can see other details?

How do I fix this?

AH · « **Reply #1 on:** July 26, 2017, 14:04:07 pm »

Provide more information

as well as:

http://forum.virtuemart.net/index.php?topic=79799.0

tomphillipspcs · « **Reply #2 on:** July 26, 2017, 14:59:02 pm »

VirtueMart 3.0.18
PHP 5.4.45
Joomla 3.6.5

I don't want to give live site info - but the custoemr details are viewable with anyone who is logged in "registered"

Jose M. · « **Reply #3 on:** July 26, 2017, 18:01:38 pm »

Hi!
The details of the order are visible even if you are not logged in, but the url must contain the order number and password of the order, which in principle only the real buyer knows.

Jose

tomphillipspcs · « **Reply #4 on:** July 26, 2017, 18:41:19 pm »

Its viewble with URLs like this

For example, order was 620:
http://upsobags.co.uk/bags/orders/number/ORD-620

If I'm logged in (registred user) , I can change that 620 to 723

http://upsobags.co.uk/bags/orders/number/ORD-723

Then I can see the order details and all of the other information on that order.

so there is no need for a username/password in the URL

Jose M. · « **Reply #5 on:** July 26, 2017, 19:04:48 pm »

I am using version VM 3.2.3.9587 and I can not see an order without passing the password in the url. Does the same be logged or not.

Jose

AH · « **Reply #6 on:** July 27, 2017, 10:49:14 am »

Quote

VirtueMart 3.0.18
PHP 5.4.45
Joomla 3.6.5

All these software versions are out of date

Joomla has vulnerabilities stated on their security pages
VM is also out of date

I suggest you upgrade before going any further:

http://virtuemart.net/news/latest-news/480-security-release-of-joomla-3-7-be-prepared

https://developer.joomla.org/security-centre.html

tomphillipspcs · « **Reply #7 on:** July 27, 2017, 12:54:31 pm »

That is now all updated to latest version - there are no signs of any compromise on the server - no file modifications etc.

Any ideas of what to do - it is still possible to access all invoices by those URLS

Joomla version, 3.7.4.
PHP 5.4.45
VirtueMart 3.2.2

AH · « **Reply #8 on:** July 27, 2017, 13:17:14 pm »

Make sure you are not logged in as admin or customer

Then try and use those URLS

you will see this "restricted access" message

tomphillipspcs · « **Reply #9 on:** July 27, 2017, 13:20:21 pm »

it does seem to be fixed now after the joomla/virtuemart update

it was possible for customers who logged in to see other customers order details (so logged in as registered users)

AH · « **Reply #10 on:** July 27, 2017, 13:38:20 pm »

Are you confirming that after the update, that this is no longer an issue for you?

tomphillipspcs · « **Reply #11 on:** July 27, 2017, 14:29:19 pm »

thats correct

VirtueMart Forum

VirtueMart & Joomla! - The Future of eCommerce

Author Topic: customer details viewable (Read 1291 times)

tomphillipspcs

customer details viewable

AH

Re: customer details viewable

tomphillipspcs

Re: customer details viewable

Jose M.

Re: customer details viewable

tomphillipspcs

Re: customer details viewable

Jose M.

Re: customer details viewable

AH

Re: customer details viewable

tomphillipspcs

Re: customer details viewable

AH

Re: customer details viewable

tomphillipspcs

Re: customer details viewable

AH

Re: customer details viewable

tomphillipspcs

Re: customer details viewable