CRITICAL BUG. In shopper email order sent login vendor (Virtuemart 2.0.8)

Started by serapol, July 01, 2012, 13:18:34 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions

serapol

July 01, 2012, 13:18:34 PM
I noticed that the letter of the order for the buyer sent unnecessary information Vendor. Sent to the Vendor username. This is a security breach.

The devil is in the file administrator/components/com_virtuemart/models/userfields.php on line 369. You need to add one more parameter in the condition

It was
Code Select

if(VmConfig::get('oncheckout_show_register',1) and $type=='BT'){

It must be
Code Select

if(VmConfig::get('oncheckout_show_register',1) and $type=='BT' and $layoutName != 'mail'){


If you do not add the following will not be carrying out the condition of the array respectively, and do not leave the registration data vendor.

Milbo

#1
July 01, 2012, 15:37:23 PM
Interesting method to solve this

we relase this evening a version A, with another solution to solve it. thx
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

serapol

#2
July 01, 2012, 18:58:56 PM
You can of course and on the other. For example, in the condition on line 387 to add a new restriction

Code Select

if(((!$register or $type =='ST') and $layoutName !='edit') or $layoutName == 'mail'){


I tried to solve quickly and easily, because the already running this version on the main site.

In general, everything works fine  :)

If something suddenly caught, be sure to write
Print
Go Up Pages1
User actions