customer details viewable

Started by tomphillipspcs, July 26, 2017, 11:28:30 AM

tomphillipspcs

It seems that customers can view each others details

eg

orders/number/ORD-723

shows names/address details, and just by changing the order number you can see other details?

How do I fix this?

AH

Regards
A

Joomla 4.4.5
php 8.1

tomphillipspcs

VirtueMart 3.0.18
PHP 5.4.45
Joomla 3.6.5

I don't want to give live site info - but the customer details are viewable by anyone who is logged in as "registered".

Jose M.

Hi!
The details of the order are visible even if you are not logged in, but the url must contain the order number and password of the order, which in principle only the real buyer knows.

Jose
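The access rule Jose describes (an order is shown to its logged-in owner, or to a request carrying the order's own password, and never just because a different order number was typed) can be expressed as a small authorization check. This is an added illustrative example, not VirtueMart's own code; the class and function names and the in-memory order store are assumptions made for the example.

```php
<?php
// Illustrative order-detail authorization check (not VirtueMart's code).
// A request may view an order only when:
//   (a) the visitor is logged in AND owns the order, or
//   (b) the request carries the order's secret order password.
// Merely being a logged-in "registered" user must not be enough.

final class Order {
    public function __construct(
        public string $number,       // e.g. "ORD-620"
        public int    $ownerUserId,  // user id of the real buyer
        public string $passwordHash  // password_hash() of the order password
    ) {}
}

/**
 * @param Order[] $orders         constructed in-memory store keyed by order number
 * @param ?int    $currentUserId  id of the logged-in user, or null for a guest
 * @param ?string $orderPassword  order password taken from the URL, or null if absent
 */
function can_view_order(array $orders, string $number, ?int $currentUserId, ?string $orderPassword): bool
{
    // Unknown order number: deny, without distinguishing "missing" from "not yours".
    if (!isset($orders[$number])) {
        return false;
    }
    $order = $orders[$number];

    // Rule (a): the logged-in user is the buyer of this order.
    if ($currentUserId !== null && $currentUserId === $order->ownerUserId) {
        return true;
    }

    // Rule (b): correct order password; password_verify() compares in constant time.
    if ($orderPassword !== null && password_verify($orderPassword, $order->passwordHash)) {
        return true;
    }

    // Any other logged-in customer guessing a neighbouring order number is refused.
    return false;
}

// Constructed sample data so the file runs stand-alone.
$orders = [
    'ORD-620' => new Order('ORD-620', 101, password_hash('sample-pw-620', PASSWORD_DEFAULT)),
    'ORD-723' => new Order('ORD-723', 202, password_hash('sample-pw-723', PASSWORD_DEFAULT)),
];
var_dump(can_view_order($orders, 'ORD-620', 101, null));               // owner, logged in
var_dump(can_view_order($orders, 'ORD-723', 101, null));               // another customer's order
var_dump(can_view_order($orders, 'ORD-723', null, 'sample-pw-723'));   // guest with the order password
```

The second call is the case reported in this thread: user 101 changing ORD-620 to ORD-723 in the URL must be denied.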

tomphillipspcs

It's viewable with URLs like this

For example, order was 620:
http://upsobags.co.uk/bags/orders/number/ORD-620

If I'm logged in (registered user), I can change that 620 to 723

http://upsobags.co.uk/bags/orders/number/ORD-723

Then I can see the order details and all of the other information on that order.

So there is no need for a username/password in the URL.

Jose M.

I am using version VM 3.2.3.9587 and I can not see an order without passing the password in the url. It is the same whether logged in or not.

Jose

AH

Quote from tomphillipspcs:
VirtueMart 3.0.18
PHP 5.4.45
Joomla 3.6.5

All these software versions are out of date

Joomla has vulnerabilities stated on their security pages
VM is also out of date

I suggest you upgrade before going any further:

http://virtuemart.net/news/latest-news/480-security-release-of-joomla-3-7-be-prepared

https://developer.joomla.org/security-centre.html

Regards
A

Joomla 4.4.5
php 8.1

tomphillipspcs

That is now all updated to latest version - there are no signs of any compromise on the server - no file modifications etc.

Any ideas of what to do - it is still possible to access all invoices by those URLs.

Joomla version 3.7.4
PHP 5.4.45
VirtueMart 3.2.2

AH

Make sure you are not logged in as admin or customer

Then try and use those URLs.

You will see this "restricted access" message.

Regards
A

Joomla 4.4.5
php 8.1

tomphillipspcs

It does seem to be fixed now after the Joomla/VirtueMart update.

It was possible for customers who logged in to see other customers' order details (so logged in as registered users).

AH

Are you confirming that after the update, that this is no longer an issue for you?
Regards
A

Joomla 4.4.5
php 8.1

tomphillipspcs