Security flaw in old Magento: your customer information in danger

25 April 2012

Today I received a message from the French Magento community, Fragento. A bug was found this morning.

There is a security flaw in Magento Community Edition versions earlier than 1.3.3.0 and Enterprise Edition versions earlier than 1.6.

With this flaw, your shop exposes your customers' first name, last name, title (civility), company, phone number, fax, address (street, postal code, city, region, country), and the creation and update dates of your customers.

It really works (I have tested it too). Don't forget to apply the patch if you are affected.

How to reproduce it? It's really simple. Add a product to your cart, go to the first step of the checkout (where you can log in) and try to go here:

yourwebsite.com/checkout/onepage/getAddress/address/55 (replace 55 with the ID of the customer you want)

How to solve this?

Replace the function in app/code/core/Mage/Checkout/controllers/OnepageController.php

/**
 * Address JSON
 */
public function getAddressAction()
{
    if ($this->_expireAjax()) {
        return;
    }
    $addressId = $this->getRequest()->getParam('address', false);
    if ($addressId) {
        $address = $this->getOnepage()->getAddress($addressId);
        // Only return the address if it belongs to the customer who is logged in
        if (Mage::getSingleton('customer/session')->getCustomer()->getId() == $address->getCustomerId()) {
            $this->getResponse()->setHeader('Content-type', 'application/x-json');
            $this->getResponse()->setBody($address->toJson());
        } else {
            // The address belongs to another customer: refuse the request
            $this->getResponse()->setHeader('HTTP/1.1', '403 Forbidden');
        }
    }
}

To know more about this, a PDF (in French) is available on the Fragento Community Forum.
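
To check whether the getAddress URL shown above was already used against a shop before it was patched, the web server access log can be searched for clients that were served many different address IDs. This is an added example, not part of the original post or of Magento; the Apache combined log format, the threshold of 3 distinct IDs and the sample log lines are assumptions.

```python
import re
from collections import defaultdict

# Request path from the post: /checkout/onepage/getAddress/address/<id>
# Assumes Apache "combined" log lines; case-insensitive so path variants are not missed.
GET_ADDRESS = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) '
    r'(?:/index\.php)?/checkout/onepage/getAddress/address/(?P<id>\d+)[/?\s][^"]*" '
    r'(?P<status>\d{3}) ',
    re.IGNORECASE,
)


def find_enumeration(lines, min_distinct_ids=3):
    """Return {client_ip: sorted address IDs} for clients that were answered
    with status 200 for at least min_distinct_ids different address IDs."""
    served = defaultdict(set)
    for line in lines:
        m = GET_ADDRESS.match(line)
        # Only count requests the server answered with 200
        if m and m.group("status") == "200":
            served[m.group("ip")].add(int(m.group("id")))
    return {ip: sorted(ids) for ip, ids in served.items()
            if len(ids) >= min_distinct_ids}


# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Apr/2012:10:01:02 +0200] "GET /checkout/onepage/getAddress/address/55 HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Apr/2012:10:01:03 +0200] "GET /checkout/onepage/getAddress/address/56 HTTP/1.1" 200 398 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Apr/2012:10:01:04 +0200] "GET /checkout/onepage/getAddress/address/57/ HTTP/1.1" 200 405 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Apr/2012:10:01:05 +0200] "GET /checkout/onepage/getAddress/address/58 HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [25/Apr/2012:10:05:00 +0200] "GET /checkout/onepage/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [25/Apr/2012:10:05:09 +0200] "GET /checkout/onepage/getAddress/address/12 HTTP/1.1" 200 401 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ids in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip} was served {len(ids)} different addresses: {ids}")
```

A customer using the checkout normally only loads their own saved addresses, so a client served a long run of different IDs is the one to look at first.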




Magento expert in Lille - Pierre FAY