Author Topic: Security bug: registered user can view address or another user on checkout  (Read 1246 times)

magabriel

  • Beginner
  • *
  • Posts: 1
Joomla 1.7 Vm 2.0.2

During checkout, a registered user can view the address or another user during checkout. Steps to reproduce:
1. Put something on cart.
2. Checkout and register or login with user (user1).
3. Create an alternative shipping address for user1 and return to cart view. Now user1 should have 2 addresses: the normal billing address and an alternative shipping address.
4. Click button "Add address" under column "Shipment address" and the "Add address" page is shown, where at the bottom you should find a clickable list of all the alternative addresses for this user (only one, as created on step 2).
5. And now, if you click on the alt address link you will see that is of the following form: http://example.com/index.php/shop/user/edit_cart_ship_to?cid[0]=50&virtuemart_userinfo_id=5
6. Just change the number in virtuemart_userinfo_id=5 to another one an you will see the address of another registered user, even the shop's main address (that should be number 1).

I think this is a major security bug that can lead to private user's information being disclosed.





Milbo

  • Virtuemart Projectleader
  • Administrator
  • Super Hero
  • *
  • Posts: 10092
  • VM3.2 Cached and Optimized
    • VM3 Extensions
  • VirtueMart Version: VirtueMart 3 on joomla 3
Re: Security bug: registered user can view address or another user on checkout
« Reply #1 on: February 09, 2012, 11:05:33 am »
You did that as admin?
I should fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

Milbo

  • Virtuemart Projectleader
  • Administrator
  • Super Hero
  • *
  • Posts: 10092
  • VM3.2 Cached and Optimized
    • VM3 Extensions
  • VirtueMart Version: VirtueMart 3 on joomla 3
Re: Security bug: registered user can view address or another user on checkout
« Reply #2 on: February 09, 2012, 22:04:07 pm »
For explanation, when you did that as admin, then there is no security leak. I tried todo it as anonymous and I get just empty data.
I should fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/