I've got a big security issue. When a customer logs into his account he can print his invoice as a PDF if he goes to his order. He gets this link: sales/order/printInvoice/invoice_id/12345/
If he changes the ID at the end, he gets every invoice. The invoices from other customers, too.
Worst case, he can get every invoice the shop created in the past by changing the ID.
Does someone have an idea why this is possible? I think there must be code which checks if the customer has rights to open the invoice. Is this a security issue in Magento, or could it be a problem from a module?
(I made the same topic in german: https://community.magento.com/t5/German/Rechnungen-per-ID-%C3%A4ndern/m-p/89576#M3329)
Best regards
Hi @msvp,
I've tested with Magento 1.9.2.2 with all the patches applied and I can't reproduce the issue you've mentioned.
Which version are you using?
Actually we use 1.9.2.4, but I think it could be a problem of an extension... Do you have an idea which file could be responsible?
I found the problem myself. It was a bug in an extension. I wrote to their support to inform them to change it.
They override the function printInvoiceAction in their extension with their own function. But they forgot to build in this:
if ($this->_canViewOrder($order)) {
}
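As an added example (not code from this thread, and not the affected extension's actual code), here is what the bug looks like in a Magento 1 frontend controller: a hypothetical extension override of printInvoiceAction that loads the invoice straight from the invoice_id request parameter and renders it, next to a hardened version that resolves the parent order and refuses unless the inherited _canViewOrder() confirms the logged-in customer owns it. The class and module names (Vendor_Invoicing) are made up, the config.xml rewrite that would wire the override in is not shown, and the description of what _canViewOrder() checks is from memory of the core Mage_Sales_Controller_Abstract class, not quoted from it.

```php
<?php
// Added example, not the extension's code. Assumes Magento 1.x.
// Vendor_Invoicing_* class names are hypothetical; in a real module the two
// classes would live in separate files and only the hardened one would be
// registered as the controller rewrite in config.xml.
require_once 'Mage/Sales/controllers/OrderController.php';

/**
 * VULNERABLE: an override that drops the ownership check.
 * Any logged-in customer can walk invoice_id=1,2,3,... and read every invoice
 * the shop ever issued (an insecure direct object reference).
 */
class Vendor_Invoicing_OrderController_Vulnerable extends Mage_Sales_OrderController
{
    public function printInvoiceAction()
    {
        $invoiceId = (int) $this->getRequest()->getParam('invoice_id');
        $invoice   = Mage::getModel('sales/order_invoice')->load($invoiceId);

        // Nothing ties the invoice's order to the customer in the session.
        Mage::register('current_order', $invoice->getOrder());
        Mage::register('current_invoice', $invoice);
        $this->loadLayout('print');
        $this->renderLayout();
    }
}

/**
 * HARDENED: resolve the parent order and gate rendering on _canViewOrder().
 */
class Vendor_Invoicing_OrderController extends Mage_Sales_OrderController
{
    public function printInvoiceAction()
    {
        $invoiceId = (int) $this->getRequest()->getParam('invoice_id');
        $invoice   = Mage::getModel('sales/order_invoice')->load($invoiceId);
        $order     = $invoice->getOrder();

        // _canViewOrder() is inherited from Mage_Sales_Controller_Abstract. As I
        // recall it, it returns true only when the order has an ID, has a
        // customer ID, that customer ID equals the one in the customer session,
        // and the order state is one that is visible on the storefront.
        // An unloaded invoice yields an order with no ID, so a guessed or stale
        // invoice_id fails the check as well; the explicit getId() guard just
        // makes that intent obvious to the next reader.
        if (!$invoice->getId() || !$order || !$this->_canViewOrder($order)) {
            // Mirror the core action's behaviour: bounce the user back to their
            // order history instead of rendering someone else's document.
            if (Mage::getSingleton('customer/session')->isLoggedIn()) {
                $this->_redirect('*/*/history');
            } else {
                $this->_redirect('sales/guest/form');
            }
            return;
        }

        Mage::register('current_order', $order);
        Mage::register('current_invoice', $invoice);
        $this->loadLayout('print');
        $this->renderLayout();
    }
}
```

To confirm a fix of this kind on a shop, log in as one customer, note one of your own invoice IDs, then request sales/order/printInvoice/invoice_id/N/ for an ID that belongs to a different customer: the hardened controller redirects to the order history page, while the vulnerable one renders the other customer's invoice. The same authorization gap is worth checking in any other action an extension overrides on this controller (view, print, shipments, credit memos), since each of them relies on the same _canViewOrder() call in the core.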