Magento Forum

Potential Security Issue - Customer Accounts
 
golles
Sr. Member
 
Total Posts:  257
Joined:  2008-01-15
 

We have a fairly large security-type issue.

On certain customer accounts, when a customer logs in they can see other people's orders in addition to their own listed in the account/orders panel. They can then click on the order and view name, billing address, delivery address, order information etc.

Are there any circumstances where anyone has seen this happen?

This is not on every account, but we have had 4 reported to us so far and managed to log in as one customer after they agreed to us resetting their password, and lo and behold there were other people's orders listed under their account.

Any help would be appreciated.

Thanks

 
 
AnnaM
Guru
 
Total Posts:  325
Joined:  2008-01-29
San Francisco
 

That's pretty troubling news. Do you do anything to bring up this other customer info, or is it just there once you log on? Also, please tell me what version you are using. I have no answers, but am quite concerned, and hope Magento is seeing this and has some reply. The more info you can give, the better. I am still at 1.0987 and not seeing it, unless you have to click something to make it happen? I also do not have but 3 or 4 reg. customers as we just started using it a week or so ago.

 
 
golles
Sr. Member
 
Total Posts:  257
Joined:  2008-01-15
 

We are on v1.1.3, but I am not sure if it was happening prior to v1.1.3 or indeed if it is just something with our setup (although it is pretty standard).

When a customer logs into their account, you have to click on the orders link to see the orders listed from other customers.

It is strange that it is not happening on every account - just the odd one.

 
 
golles
Sr. Member
 
Total Posts:  257
Joined:  2008-01-15
 

OK - just had a thought.

We did change our starting order number in the database to match our accounts system.

Would this have any effect?

I have checked though, and there are no duplicate order numbers or anything like that.

That is pretty much the only thing we have manually changed other than front end design.

 
 
AnnaM
Guru
 
Total Posts:  325
Joined:  2008-01-29
San Francisco
 

Hmm, that wouldn't surprise me, but I am far from expert. But there may be some pointers in the code that are now pointing to the wrong records or some such? Like I say, just a guess, but it does sound at least like food for thought. We need more people to tell us if this is happening to them or not before any logical conclusions or even educated guesses can be made.

 