http://www.magentocommerce.com/bug-tracking/ en MagentoCommerce Copyright {gmt_date format="%Y"} {gmt_date format="%Y-%m-%dT%H:%i:%s%Q"} http://www.magentocommerce.com/bug-tracking/issue?issue=5722 Posted: 2009-03-30 10:52:56
Category: Single Page Checkout
Version: 1.2.1.2
Priority: urgent
Status: closed
Reported By: George Hodgson

If checking out with an account that has a shipping or billing address saved, the first thing that you do on the One Page Checkout is to select an address from the dropdown and choose whether to have the order shipped to that same address. (See attached picture)

When you click "Continue", a message is POSTed to http://demo.com/checkout/onepage/saveBilling/ via AJAX. One of the elements of the POST is "billing_address_id", which is the ID of the address that was selected from the dropdown menu.

Following that, another request is POSTed to http://demo.com/checkout/onepage/progress/ via AJAX, which returns the details of the address that was selected in the previous AJAX POST.

The store doesn't verify that the billing_address_id from the first AJAX POST is associated with the account that is logged in. Sending some other ID in the first AJAX POST can result in another customer's address and telephone number being exposed via the second AJAX POST.

I tried thumbing through the controller for the One Page Checkout, but I'm not familiar enough with the code to know where the proper place to put this check would be.

---

]]> #1 / Comment by Magento Team

Hello George Hodgson,

This issue was fixed. The changes will be available in the next bugfix release.

Thank you.]]>