This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release17.12 by this push:
     new 8120f75  Fixed: IDOR vulnerability in the order processing feature in 
ecommerce component (OFBIZ-11836)
8120f75 is described below

commit 8120f75b21186978bc87fafdc9f0b80e2ee500dc
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Fri Jun 26 09:28:49 2020 +0200

    Fixed: IDOR vulnerability in the order processing feature in ecommerce 
component (OFBIZ-11836)
    
    
https://demo-stable.ofbiz.apache.org/ecommerce/control/order.pdf?orderId=WSCO10000
    
    In the above URL, the parameter 'orderId' has the value 'WSCO10000' and 
after
    incrementing the value to 'WSCO10001' or 'WSCO10002' will download the 
receipt
    of other orders which have been placed by other users.
    
    All the available order receipts can be downloaded by running an automated 
tool
    (Burp Intruder) on the parameter 'orderId=WSCOXXXXX'
    
    I have successfully tested this by using 2 different accounts: DemoCustomer 
and
    DemoCustomer2
    
    An attacker can download order receipts of other users and this could lead 
to
    information disclosure.
    
    The only real solution to this issue is to implement access control. The 
user
    needs to be authorized for the requested information before the server 
provides
    it.
    
    Thanks: Harshit Shukla [mailto:harshit.sh...@gmail.com] reported this IDOR
    vulnerability to the OFBiz security team, and we thank him for that.
---
 .../groovyScripts/order/OrderViewWebSecure.groovy  |  22 +++++
 .../order/widget/ordermgr/OrderPrintScreens.xml    | 103 ++++++++++++---------
 2 files changed, 82 insertions(+), 43 deletions(-)

diff --git a/applications/order/groovyScripts/order/OrderViewWebSecure.groovy 
b/applications/order/groovyScripts/order/OrderViewWebSecure.groovy
index fd38170..c5bdd5b 100644
--- a/applications/order/groovyScripts/order/OrderViewWebSecure.groovy
+++ b/applications/order/groovyScripts/order/OrderViewWebSecure.groovy
@@ -21,6 +21,9 @@ import org.apache.ofbiz.order.order.OrderContentWrapper
 
 orderHeader = context.orderHeader
 
+// can anybody view an anonymous order?  this is set in the screen widget and 
should only be turned on by an email confirmation screen
+allowAnonymousView = context.allowAnonymousView
+
 // if orderHeader is null in OrderView.groovy then it is not null but void 
here!
 if (orderHeader) {
     // set hasPermission, must always exist if the orderHeader != null
@@ -44,9 +47,28 @@ if (orderHeader) {
             hasPermission = true
         }
     }
+    // This is related with OFBIZ-11836 "IDOR vulnerability in the order 
processing feature"
+    if (parameters.localDispatcherName.equals("ecommerce")) {
+        List errMsgList = []
+        if (orderHeader.createdBy.equals(person.partyId)
+        || ("anonymous".equals(orderHeader.createdBy) && 
"Y".equals(allowAnonymousView))) {
+            hasPermission = true
+            canViewInternalDetails = true
+        } else {
+            hasPermission = false
+            canViewInternalDetails = false
+            errMsgList.add("It's not an error : you are not allowed to view 
this!")
+            showErrorMsg = "Y"
+        }
+         request.setAttribute("_ERROR_MESSAGE_LIST_", errMsgList)
+         context.showErrorMsg = showErrorMsg
+    }
+
     context.hasPermission = hasPermission
     context.canViewInternalDetails = canViewInternalDetails
 
     orderContentWrapper = 
OrderContentWrapper.makeOrderContentWrapper(orderHeader, request)
     context.orderContentWrapper = orderContentWrapper
+    
+
 }
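Review bot: The ecommerce-only gate `if (parameters.localDispatcherName.equals("ecommerce"))` keys on `parameters`, which in OFBiz screen scripts is the combined request map in which request parameters take precedence over attributes, so the webapp identity should come from server-side configuration rather than from a value the client can supply; reading the web.xml context-param (if that is where `localDispatcherName` is defined here) with the literal first also avoids the NPE when the key is absent: `if ("ecommerce".equals(request.getServletContext().getInitParameter("localDispatcherName"))) {`. The ownership test `orderHeader.createdBy.equals(person.partyId)` appears to compare the creating user login id with a party id; the two coincide in the demo data but not in general, so legitimate owners could be denied while the intended rule is not expressed, and the comparison should target the session user's login id using a null-safe form (`==` or `Objects.equals`), since `createdBy` can be null and `person` is null for anonymous visitors, which would throw before the `allowAnonymousView` branch is reached. The block comment should state the rule rather than only the ticket, e.g. `// OFBIZ-11836: in the ecommerce webapp only the creating user may view an order, or anyone when the calling screen set allowAnonymousView for an anonymous order`. The `request.setAttribute`/`context.showErrorMsg` lines are indented one column deeper than the rest of the block. The enclosing `if (orderHeader)` block opens in the previous hunk.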
diff --git a/applications/order/widget/ordermgr/OrderPrintScreens.xml 
b/applications/order/widget/ordermgr/OrderPrintScreens.xml
index 367eeba..079c812 100644
--- a/applications/order/widget/ordermgr/OrderPrintScreens.xml
+++ b/applications/order/widget/ordermgr/OrderPrintScreens.xml
@@ -27,55 +27,72 @@ under the License.
     <screen name="OrderPDF">
         <section>
             <actions>
-                <set field="titleProperty" value="OrderOrder"/>
-                <property-map resource="OrderUiLabels" map-name="uiLabelMap" 
global="true"/>
-                <property-map resource="AccountingUiLabels" 
map-name="uiLabelMap" global="true"/>
-                <property-map resource="ProductUiLabels" map-name="uiLabelMap" 
global="true"/>
+                <set field="titleProperty" value="OrderOrder" />
+                <property-map resource="OrderUiLabels" map-name="uiLabelMap" 
global="true" />
+                <property-map resource="AccountingUiLabels" 
map-name="uiLabelMap" global="true" />
+                <property-map resource="ProductUiLabels" map-name="uiLabelMap" 
global="true" />
 
-                <script 
location="component://order/groovyScripts/order/OrderView.groovy"/>
+                <script 
location="component://order/groovyScripts/order/OrderView.groovy" />
+                <script 
location="component://order/groovyScripts/order/OrderViewWebSecure.groovy" />
             </actions>
             <widgets>
-                <decorator-screen name="FoReportDecorator" 
location="component://common/widget/CommonScreens.xml">
-                    <!-- at the top left of every page we put the logo and 
company information -->
-                    <decorator-section name="topLeft">
-                        <section>
-                            <widgets>
-                                <include-screen name="CompanyLogo" 
location="component://order/widget/ordermgr/OrderPrintScreens.xml"/>
-                            </widgets>
-                        </section>
-                    </decorator-section>
-                    <!-- at the top right of every page we put the order 
information -->
-                    <decorator-section name="topRight">
-                        <section>
-                            <widgets>
-                                <platform-specific>
-                                    <xsl-fo><html-template 
location="component://order/template/order/OrderReportHeaderInfo.fo.ftl"/></xsl-fo>
-                                </platform-specific>
-                            </widgets>
-                        </section>
-                    </decorator-section>
-                    <decorator-section name="body">
-                        <section>
-                            <widgets>
-                                <!-- the contach mechanisms, terms, payment 
and shipping methods are shown in the first page -->
-                                <platform-specific>
-                                    <xsl-fo><html-template 
location="component://order/template/order/OrderReportContactMechs.fo.ftl"/></xsl-fo>
-                                </platform-specific>
-                                <!-- order items and totals -->
-                                <platform-specific>
-                                    <xsl-fo><html-template 
location="component://order/template/order/OrderReportBody.fo.ftl"/></xsl-fo>
-                                </platform-specific>
-                                <!-- return policies and notes are shown in 
the last page -->
-                                <platform-specific>
-                                    <xsl-fo><html-template 
location="component://order/template/order/OrderReportConditions.fo.ftl"/></xsl-fo>
-                                </platform-specific>
-                            </widgets>
-                        </section>
-                    </decorator-section>
-                </decorator-screen>
+                <section>
+                    <condition>
+                        <if-compare operator="equals" value="true" 
field="hasPermission" />
+                    </condition>
+                    <widgets>
+                        <decorator-screen name="FoReportDecorator" 
location="component://common/widget/CommonScreens.xml">
+                            <!-- at the top left of every page we put the logo 
and company information -->
+                            <decorator-section name="topLeft">
+                                <section>
+                                    <widgets>
+                                        <include-screen name="CompanyLogo" 
location="component://order/widget/ordermgr/OrderPrintScreens.xml" />
+                                    </widgets>
+                                </section>
+                            </decorator-section>
+                            <!-- at the top right of every page we put the 
order information -->
+                            <decorator-section name="topRight">
+                                <section>
+                                    <widgets>
+                                        <platform-specific>
+                                            <xsl-fo>
+                                                <html-template 
location="component://order/template/order/OrderReportHeaderInfo.fo.ftl" />
+                                            </xsl-fo>
+                                        </platform-specific>
+                                    </widgets>
+                                </section>
+                            </decorator-section>
+                            <decorator-section name="body">
+                                <section>
+                                    <widgets>
+                                        <!-- the contach mechanisms, terms, 
payment and shipping methods are shown in the first page -->
+                                        <platform-specific>
+                                            <xsl-fo>
+                                                <html-template 
location="component://order/template/order/OrderReportContactMechs.fo.ftl" />
+                                            </xsl-fo>
+                                        </platform-specific>
+                                        <!-- order items and totals -->
+                                        <platform-specific>
+                                            <xsl-fo>
+                                                <html-template 
location="component://order/template/order/OrderReportBody.fo.ftl" />
+                                            </xsl-fo>
+                                        </platform-specific>
+                                        <!-- return policies and notes are 
shown in the last page -->
+                                        <platform-specific>
+                                            <xsl-fo>
+                                                <html-template 
location="component://order/template/order/OrderReportConditions.fo.ftl" />
+                                            </xsl-fo>
+                                        </platform-specific>
+                                    </widgets>
+                                </section>
+                            </decorator-section>
+                        </decorator-screen>
+                    </widgets>
+                </section>
             </widgets>
         </section>
     </screen>
+    
     <screen name="CompanyLogo">
         <section>
             <actions>
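Review bot: The new `<condition>` around the decorator has no `<fail-widgets>` branch, so a request that fails `hasPermission` renders an empty body and the message the groovy script stores in `_ERROR_MESSAGE_LIST_` and `showErrorMsg` is never shown in this PDF screen; a `<fail-widgets><label text="${uiLabelMap.<PLACEHOLDER: denied-view label>}"/></fail-widgets>` after `</widgets>` would make the refusal explicit and also cover the case where `hasPermission` is never set because `orderHeader` was not found. The check depends on `OrderViewWebSecure.groovy` running after `OrderView.groovy` in `<actions>`, since it reads `context.orderHeader`; a comment above the added script line, `<!-- must follow OrderView.groovy: derives hasPermission from context.orderHeader -->`, would protect that ordering against future edits. Most of this hunk is reindentation and `/>` spacing; separating the functional change (the added `<script>` and the `<condition>` wrapper) from the reformat would keep the access-control change reviewable.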
