Security bug: registered user can view address or another user on checkout

Started by magabriel, February 09, 2012, 08:13:26 AM

Previous topic - Next topic

magabriel

Joomla 1.7 Vm 2.0.2

During checkout, a registered user can view the address or another user during checkout. Steps to reproduce:
1. Put something on cart.
2. Checkout and register or login with user (user1).
3. Create an alternative shipping address for user1 and return to cart view. Now user1 should have 2 addresses: the normal billing address and an alternative shipping address.
4. Click button "Add address" under column "Shipment address" and the "Add address" page is shown, where at the bottom you should find a clickable list of all the alternative addresses for this user (only one, as created on step 2).
5. And now, if you click on the alt address link you will see that is of the following form: http://example.com/index.php/shop/user/edit_cart_ship_to?cid
  • =50&virtuemart_userinfo_id=5[/b]
    6. Just change the number in virtuemart_userinfo_id=5 to another one an you will see the address of another registered user, even the shop's main address (that should be number 1).

    I think this is a major security bug that can lead to private user's information being disclosed.





Milbo

Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

Milbo

For explanation, when you did that as admin, then there is no security leak. I tried todo it as anonymous and I get just empty data.
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/