I noticed that the page of the order form can show anyone.
Just enter the url in the browser receives the customer with the order.
example: view your order online
This seems to me a very serious thing because I can see all the customer data! >:(
Could you explain in more detail please including version of VM
And are you still logged in as superadmin when you do that?
the page that opens is the (order detail) site administrator.
I did a test with another computer and the page is always open!
The url that problem is this: http://www.mysite/index.php?option=com_virtuemart&view=orders&layout=details&order_number=00b000&order_pass=p_0c5fa
joomla 2.5 - virtuemart 2.0.12f
hmm,
yes .. because your url you send have the order number and order password in the url ... this is used when a client checkout as a guest (or not) to review his order ... so ... check your url
Quote from: bytelord on November 02, 2012, 11:35:05 AM
hmm,
yes .. because your url you send have the order number and order password in the url ... this is used when a client checkout as a guest (or not) to review his order ... so ... check your url
But there is a risk that this url can be displayed on the web?
This can cause problems with customers because their data can be viewed by anyone
and how can be viewed by anyone? That url is send it to the customer mail address when he orders ...
Please explain exactly the issue ... where did you find that url? from the email you received after the order? yes this is complete normally and secure ... each order have different number and password that is been created using numbers and letters ...