
Security issues

Status: Open. ned14 opened this issue 14 years ago, 0 comments.

http://code.google.com/p/easyshop-for-plone/issues/detail?id=43

Reported by [email protected], Apr 20, 2010:

There are some security issues with easyShop.

[ ISSUE 1 ] First problem: any user can access any user's cart. To do so, they just have to call this URL directly: `http://urltoyour/shop/carts/<username>/` (where `<username>` is replaced by a username).

[ ISSUE 2 ] Any user can access any user's last orders: `http://urltoyour/shop/customers/<username>/my-orders`

There might be some other security issues that work like this!

[ ISSUE 3 ] Everyone can access internal system information by adding "base_view" to some URLs. For example: `http://urltoyour/shop/base_view`. This will show e-mail addresses, the PayPal ID and other information about the shop, which one might not want to be public.

ned14, Jun 27 '10 12:06
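All three reports describe the same class of defect: a view is reachable by anyone who is logged in (or by nobody in particular), and the server never checks that the user named in the URL is the user making the request, or that an internal view requires an administrative role. The block below is an added illustration of the object-level authorization check that closes this gap. It is plain Python with a constructed request model, not EasyShop or Plone code; the path layout mirrors the URLs quoted in the report, and the `Manager` role name, the `Principal` type and the `authorize`/`authenticated_only` functions are assumptions made for the example.

```python
"""Object-level authorization for per-user shop resources (added example).

Models the fix for the three reported issues: a per-user resource (cart,
order history) is served only to its owner or to a Manager, and an internal
view such as base_view is Manager-only. Not EasyShop/Plone code; the role
name and request model are assumptions for this illustration.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional

MANAGER_ROLE = "Manager"  # assumed name of the privileged role

# URL shapes taken from the report. The named group "owner" captures whose
# data the URL addresses; that is the value the request must be checked against.
PER_USER_PATTERNS = [
    re.compile(r"^/shop/carts/(?P<owner>[^/]+)/?$"),
    re.compile(r"^/shop/customers/(?P<owner>[^/]+)/my-orders/?$"),
]
# Views that expose shop configuration (e-mail addresses, payment ids).
INTERNAL_VIEW_SUFFIXES = ("/base_view",)


@dataclass(frozen=True)
class Principal:
    """The authenticated caller; user_id is None for an anonymous request."""
    user_id: Optional[str]
    roles: FrozenSet[str] = frozenset()


def resource_owner(path: str) -> Optional[str]:
    """Return the username embedded in a per-user path, or None for public paths."""
    for pattern in PER_USER_PATTERNS:
        match = pattern.match(path)
        if match:
            return match.group("owner")
    return None


def is_internal_view(path: str) -> bool:
    """True when the path ends in one of the internal view names."""
    return path.rstrip("/").endswith(INTERNAL_VIEW_SUFFIXES)


def authenticated_only(path: str, who: Principal) -> bool:
    """The flawed check the report describes: being logged in is enough.

    Any user passes this for any other user's cart or order list, and
    base_view is reachable by everyone, which is exactly issues 1 to 3.
    """
    return who.user_id is not None or (
        resource_owner(path) is None and not is_internal_view(path)
    )


def authorize(path: str, who: Principal) -> bool:
    """Corrected check: tie the decision to the resource, not just to login state.

    * internal views require the Manager role
    * a per-user resource requires the caller to be that user, or a Manager
    * anonymous callers never reach per-user or internal resources
    * everything else (catalog pages) stays public
    """
    privileged = MANAGER_ROLE in who.roles
    if is_internal_view(path):
        return privileged
    owner = resource_owner(path)
    if owner is not None:
        if who.user_id is None:
            return False
        # Compare the identifier exactly. Do not case-fold or strip here unless
        # the user store does the same, or "Alice" could be matched to alice's data.
        return privileged or who.user_id == owner
    return True


if __name__ == "__main__":
    alice = Principal("alice")
    bob = Principal("bob")
    admin = Principal("admin", frozenset({MANAGER_ROLE}))
    anon = Principal(None)
    for path, who in [
        ("/shop/carts/alice/", bob),                 # issue 1
        ("/shop/customers/alice/my-orders", bob),    # issue 2
        ("/shop/base_view", alice),                  # issue 3
        ("/shop/carts/alice/", alice),
        ("/shop/base_view", admin),
        ("/shop/products/", anon),
    ]:
        print(f"{path:35} {who.user_id!s:6} flawed={authenticated_only(path, who)!s:5} "
              f"fixed={authorize(path, who)}")
```

The point of keeping `authenticated_only` beside `authorize` is that the two are indistinguishable for the legitimate cases (a user opening their own cart, a manager opening base_view) and only diverge on the cross-user and anonymous requests; a regression test for this bug should assert on exactly those diverging cases, and the check should live in the view that serves the resource rather than in whatever page happens to link to it, since the report shows the URLs are reachable directly.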