CRITICAL BUG. In shopper email order sent login vendor (Virtuemart 2.0.8)

Started by serapol, July 01, 2012, 13:18:34 PM


serapol

I noticed that the order email sent to the buyer contains unnecessary Vendor information. The Vendor username is sent. This is a security breach.

The devil is in the file administrator/components/com_virtuemart/models/userfields.php on line 369. You need to add one more parameter to the condition.

It was

if(VmConfig::get('oncheckout_show_register',1) and $type=='BT'){

It must be

if(VmConfig::get('oncheckout_show_register',1) and $type=='BT' and $layoutName != 'mail'){


If you do not add the following will not be carrying out the condition of the array respectively, and do not leave the registration data vendor.
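
To check which inputs the one-line change on line 369 actually affects, the two conditions quoted above can be compared over every combination of inputs. This is an added example, not part of the original post and not VirtueMart code; `$register` stands in for the value of `VmConfig::get('oncheckout_show_register',1)`, and the layout name `cart` is a hypothetical non-mail layout.

```php
<?php
// Added illustration, not VirtueMart code. Both predicates are copied from
// the post; $register is an assumed stand-in for the VmConfig::get() result.

function originalCondition(bool $register, string $type, string $layoutName): bool
{
    return $register && $type == 'BT';
}

function patchedCondition(bool $register, string $type, string $layoutName): bool
{
    return $register && $type == 'BT' && $layoutName != 'mail';
}

// Return every input combination where the patch changes the outcome.
function changedCases(array $types, array $layouts): array
{
    $changed = [];
    foreach ([true, false] as $register) {
        foreach ($types as $type) {
            foreach ($layouts as $layout) {
                $before = originalCondition($register, $type, $layout);
                $after  = patchedCondition($register, $type, $layout);
                if ($before !== $after) {
                    $changed[] = compact('register', 'type', 'layout', 'before', 'after');
                }
            }
        }
    }
    return $changed;
}

// Constructed inputs: 'mail' and 'edit' appear in the thread, 'cart' is hypothetical.
$cases = changedCases(['BT', 'ST'], ['mail', 'edit', 'cart']);

foreach ($cases as $case) {
    printf(
        "register=%s type=%s layout=%s: %s -> %s\n",
        var_export($case['register'], true),
        $case['type'],
        $case['layout'],
        var_export($case['before'], true),
        var_export($case['after'], true)
    );
}
```

The only combination reported is the bill-to (`BT`) address rendered with the `mail` layout while registration at checkout is enabled, so the change does not alter the branch for the other layouts.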

Milbo

Interesting method to solve this

We release a version A this evening, with another solution to solve it. Thx
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

serapol

Of course, you can also do it the other way. For example, add a new restriction to the condition on line 387


if(((!$register or $type =='ST') and $layoutName !='edit') or $layoutName == 'mail'){


I tried to solve it quickly and easily, because this version is already running on the main site.

In general, everything works fine  :)

If something suddenly turns up, be sure to write