Changing the ID gets any invoice (security issue)

SOLVED


I've got a big security issue. When a customer logs into his account he can print his invoice as a PDF if he goes to his order. He gets this link: sales/order/printInvoice/invoice_id/12345/

If he changes the ID at the end, he gets every invoice. The invoices from other customers, too.

Worst case, he can get every invoice the shop has created in the past by changing the ID.

Does anyone have an idea why this is possible? I think there must be code that checks whether the customer has the rights to open the invoice. Is this a security issue in Magento, or could it be a problem with a module?

(I made the same topic in German: https://community.magento.com/t5/German/Rechnungen-per-ID-%C3%A4ndern/m-p/89576#M3329)

Best regards


3 REPLIES

Re: Changing ID get any invoice security issue

Hi @msvp,

I've tested with Magento 1.9.2.2 with all the patches applied and I can't reproduce the issue you've mentioned.

Which version are you using?

Re: Changing ID get any invoice security issue

Actually we use 1.9.2.4, but I think it could be a problem with an extension. Do you have an idea which file could be responsible?

Re: Changing ID get any invoice security issue

I found the problem by myself. It was a bug in an extension. I wrote to their support to inform them to change it.

They override the function printInvoiceAction in their extension with their own function. But they forgot to build in this:

if ($this->_canViewOrder($order)) {
    // only render the invoice PDF when the order belongs to the logged-in customer
}
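What the missing check looks like in context, as an added example that is not part of the original thread and not the code of the extension the poster mentions. It assumes Magento 1.9.x class and model names (Mage_Sales_OrderController, the inherited _canViewOrder() helper from Mage_Sales_Controller_Abstract, the sales/order_invoice and sales/order_pdf_invoice models, and the customer/session singleton); the module name Vendor_InvoicePdf and both controller classes are hypothetical. The first class reconstructs the shape of the bug described above; the second is the same action with the ownership check kept.

```php
<?php
/**
 * Added example, not from the thread or the vendor's extension.
 *
 * Assumed: Magento 1.9.x. _canViewOrder($order) is inherited from
 * Mage_Sales_Controller_Abstract and returns true only when the order has an
 * id, its customer_id equals the customer in 'customer/session', and its state
 * is one that is visible on the frontend. Vendor_InvoicePdf is hypothetical.
 */

/**
 * "Before" shape: reconstructs the bug the thread describes. The action trusts
 * the invoice_id from the URL and renders whatever it loads, so any logged-in
 * customer can walk the id space and download other customers' invoices.
 */
class Vendor_InvoicePdf_Before_OrderController extends Mage_Sales_OrderController
{
    public function printInvoiceAction()
    {
        $invoiceId = (int) $this->getRequest()->getParam('invoice_id');
        $invoice   = Mage::getModel('sales/order_invoice')->load($invoiceId);

        // No check that the invoice's order belongs to the current customer.
        $pdf = Mage::getModel('sales/order_pdf_invoice')->getPdf(array($invoice));
        $this->_prepareDownloadResponse('invoice.pdf', $pdf->render(), 'application/pdf');
    }
}

/**
 * Hardened override: same custom action, but the PDF is only rendered when the
 * order the invoice belongs to passes _canViewOrder(). On failure it redirects
 * the same way core does, so a foreign id looks no different from a bad one.
 */
class Vendor_InvoicePdf_OrderController extends Mage_Sales_OrderController
{
    public function printInvoiceAction()
    {
        $invoiceId = (int) $this->getRequest()->getParam('invoice_id');
        $invoice   = Mage::getModel('sales/order_invoice')->load($invoiceId);
        // getOrder() on an unloaded invoice yields an order without an id,
        // which _canViewOrder() rejects; the explicit getId() guard is belt and braces.
        $order     = $invoice->getOrder();

        // Authorisation first: bind the requested id to the logged-in customer.
        if (!$invoice->getId() || !$this->_canViewOrder($order)) {
            if (Mage::getSingleton('customer/session')->isLoggedIn()) {
                $this->_redirect('*/*/history');
            } else {
                $this->_redirect('sales/guest/form');
            }
            return;
        }

        // Whatever custom rendering the extension wanted to add goes here.
        $pdf = Mage::getModel('sales/order_pdf_invoice')->getPdf(array($invoice));
        $this->_prepareDownloadResponse(
            'invoice' . Mage::getSingleton('core/date')->date('Y-m-d_H-i-s') . '.pdf',
            $pdf->render(),
            'application/pdf'
        );
    }
}
```

Two practical notes. The same check belongs in every print action an extension overrides, not just printInvoiceAction: the abstract sales controller also has printOrderAction, printShipmentAction and printCreditmemoAction, and each of them loads an object by an id taken from the URL. And the regression test is the one the poster already ran by hand: log in as a second customer, request the first customer's invoice URL, and confirm the response is a redirect to the order history page rather than a PDF.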