serious problem Order Detail

Started by antonino78, October 31, 2012, 16:14:26 PM


antonino78

I noticed that the page of the order form can be shown to anyone.
Just enter in the browser the URL that the customer receives with the order.
example: view your order online
This seems to me a very serious thing because I can see all the customer data! >:(

AH

Could you explain in more detail please, including the version of VM?
Regards
A

Joomla 3.10.11
php 8.0

jenkinhill

And are you still logged in as superadmin when you do that?
Kelvyn
Lowestoft, Suffolk, UK

Retired from forum life November 2023

Please mention your VirtueMart, Joomla and PHP versions when asking a question in this forum

antonino78

The page that opens is the (order detail) site administrator.
I did a test with another computer and the page always opens!
The URL with the problem is this: http://www.mysite/index.php?option=com_virtuemart&view=orders&layout=details&order_number=00b000&order_pass=p_0c5fa

joomla 2.5 - virtuemart 2.0.12f

bytelord

hmm,

yes .. because the URL you sent has the order number and order password in it ... this is used when a client checks out as a guest (or not) to review his order ... so ... check your URL
Production: Joomla 2.5.8 | VM 2.0.14 | PHP 5.3.13
Testing     : Joomla 2.5.8 | VM 2.0.16 | PHP 5.3.8
Testing     : Joomla 2.5.8 |    VM 2.1   | PHP 5.3.8

- Don't Forget to mark thread as solved when it is solved!
- Please do not PM with support questions, use the forum!

antonino78

Quote from: bytelord on November 02, 2012, 11:35:05 AM
hmm,

yes .. because the URL you sent has the order number and order password in it ... this is used when a client checks out as a guest (or not) to review his order ... so ... check your URL

But is there a risk that this URL can be displayed on the web?
This can cause problems with customers because their data can be viewed by anyone.

bytelord

And how can it be viewed by anyone? That URL is sent to the customer's mail address when he orders ...
Please explain the issue exactly ... where did you find that URL? From the email you received after the order? Yes, this is completely normal and secure ... each order has a different number and password that is created using numbers and letters ...
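
The thread describes an order link that carries both `order_number` and `order_pass`, so the link itself is the credential for a guest. As an added example (not VirtueMart's code and not written by anyone in the thread; the function names, array keys and header choices are assumptions), this PHP shows the checks a site owner would want behind such a link: an unguessable password, a match on both values, and response headers that keep the URL out of search indexes and `Referer` headers.

```php
<?php
// Added illustration, not VirtueMart code. All function names are hypothetical.

// Generate an unguessable per-order password from the OS CSPRNG.
function new_order_pass(): string
{
    return 'p_' . bin2hex(random_bytes(16)); // 128 bits of randomness
}

// Decide whether a request may see an order. $order is the stored row
// (assumed keys: order_number, order_pass, user_id); $query is $_GET;
// $userId is the logged-in user id, or 0 for a guest.
function may_view_order(array $order, array $query, int $userId): bool
{
    // A logged-in customer can always see their own order.
    if ($userId !== 0 && $userId === (int) $order['user_id']) {
        return true;
    }
    $number = $query['order_number'] ?? '';
    $pass   = $query['order_pass'] ?? '';
    // Reject arrays (?order_pass[]=x) and empty values before comparing.
    if (!is_string($number) || !is_string($pass) || $number === '' || $pass === '') {
        return false;
    }
    // Both values must match; hash_equals avoids a timing side channel.
    $okNumber = hash_equals((string) $order['order_number'], $number);
    $okPass   = hash_equals((string) $order['order_pass'], $pass);
    return $okNumber && $okPass;
}

// Headers that keep a secret-bearing URL from spreading beyond the e-mail.
function order_page_headers(): array
{
    return [
        'X-Robots-Tag: noindex, nofollow',  // keep it out of search indexes
        'Referrer-Policy: no-referrer',     // do not leak it in Referer
        'Cache-Control: private, no-store', // no shared-cache copies
    ];
}

// Constructed sample data: one stored guest order and three requests.
$order = ['order_number' => '00b000', 'order_pass' => new_order_pass(), 'user_id' => 42];
$good  = ['order_number' => '00b000', 'order_pass' => $order['order_pass']];
$bad   = ['order_number' => '00b000', 'order_pass' => 'p_guess'];
var_dump(may_view_order($order, $good, 0)); // guest with the mailed link
var_dump(may_view_order($order, $bad, 0));  // guest with a wrong password
var_dump(may_view_order($order, [], 42));   // logged-in owner, no link needed
```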