Address leak/re-assignment
Problem Summary
Address Book Information Leakage - view any user's addresses and change their ownership
Steps to Reproduce
Log in. View the Address Book. Edit an address, then change the ID in the URL: this allows traversal of other users' entries.
Confirmed!
Fix:
Open: /includes/classes/class.account.php
Find:
private function SaveEditedShippingAddress()
{
if (isset($_POST['shipid'])) {
//MOD Test ownership
$this->DLCheckAddressOwnership($_POST['shipid']);
//MOD END
private function EditShippingAddress($MsgDesc = "", $MsgStatus = "")
{
if (isset($_GET['address_id'])) {
//MOD Test ownership
$this->DLCheckAddressOwnership($_GET['address_id']);
//MOD END
}
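/*
 * Check that the given shipping address belongs to the currently logged-in
 * customer. Used as a guard before viewing/saving an address so that a
 * customer cannot read or re-assign another customer's address by changing
 * the shipid / address_id parameter in the request.
 *
 * @param mixed $shipid Raw address id from the request; cast to int before use.
 * @return bool true when the address is owned by the current customer.
 *              When it is not (or the id is invalid) any buffered output is
 *              discarded, the request is redirected to account.php and the
 *              script exits, so the caller never sees a false return.
 */
private function DLCheckAddressOwnership($shipid) {
    // Cast to int so only a numeric id reaches the query; sprintf's %d
    // re-applies integer formatting as a second guard against injection.
    $dl_ship_id = (int)$shipid;
    $customer_id = (int)$GLOBALS['ISC_CLASS_CUSTOMER']->GetCustomerId();
    $query = sprintf(
        "SELECT COUNT(shipid) AS VALUE FROM [|PREFIX|]shipping_addresses WHERE shipcustomerid='%d' AND shipid='%d'",
        $customer_id,
        $dl_ship_id
    );
    $res = $GLOBALS['ISC_CLASS_DB']->Query($query);
    // FetchOne may hand the count back as a string; normalise it so the
    // comparison below can be strict rather than relying on loose ==.
    $count = (int)$GLOBALS['ISC_CLASS_DB']->FetchOne($res);
    if ($count !== 1) {
        // Bad details or they don't own the shipping address: throw away any
        // partially rendered page so nothing about the record leaks, then bounce.
        // ob_end_clean() warns when no buffer is active, hence the level check.
        if (ob_get_level() > 0) {
            ob_end_clean();
        }
        header(sprintf("location:%s/account.php", $GLOBALS['ShopPath']));
        exit();
    }
    return true;
}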