Skip to content
This repository has been archived by the owner on Apr 17, 2020. It is now read-only.

[vulnerability] The ability to grab any address in the database through the checkout process #53

Closed
AdnanTheExcellent opened this issue Apr 11, 2013 · 6 comments
Closed

[vulnerability] The ability to grab any address in the database through the checkout process #53

AdnanTheExcellent opened this issue Apr 11, 2013 · 6 comments

Comments

@AdnanTheExcellent
Copy link

In the checkouts controller, there is a before_filter called "set_addresses" which decides whether to use the id on a selected address from the address book, or a new address hash from the form. However, there is no check to make sure that the current_user actually owns that address_id.

def set_addresses
    return unless params[:order] && params[:state] == "address"

    if params[:order][:ship_address_id].to_i > 0
      params[:order].delete(:ship_address_attributes)
    else
      params[:order].delete(:ship_address_id)
    end

    if params[:order][:bill_address_id].to_i > 0
      params[:order].delete(:bill_address_attributes)
    else
      params[:order].delete(:bill_address_id)
    end

  end

one could tamper with the radio buttons and permutate through the possible address ids in the selected radio button in the form and continue to payment, which would allow them to be able to grab all the addresses from the database. In the process, all the addresses will now link to that users account, instead of the original users account.

This is a pretty big security risk and should be patched as soon as possible. . My project is heavily modified so i unfortunately don't have a fix for this gem that i can merge. Something like the following should be a good lead to fixing the issue:

def set_addresses
    return unless params[:order] && params[:state] == "address"

    if params[:order][:ship_address_id].to_i > 0
      params[:order].delete(:ship_address_attributes)
      if Spree::Address.find(params[:order][:ship_address_id]).user != spree_current_user
          #raise some error
      end
    else
      params[:order].delete(:ship_address_id)
    end

    if params[:order][:bill_address_id].to_i > 0
      params[:order].delete(:bill_address_attributes)
      if Spree::Address.find(params[:order][:bill_address_id]).user != spree_current_user
          #raise some error
      end
    else
      params[:order].delete(:bill_address_id)
    end

  end
@iloveitaly
Copy link
Member

Could you convert your suggested edit into a pull request so the @romul can more easily get this fixed merged in?

@AdnanTheExcellent
Copy link
Author

@iloveitaly I dont have a fix i can merge. That was really just code that explains what i would do to fix it. I was messing around with this gem in development today and noticed that vulnerability.

@jumph4x
Copy link
Contributor

jumph4x commented Apr 12, 2013

On it. I'll take care of this.

jumph4x added a commit that referenced this issue Apr 12, 2013
@jumph4x
[VULN] Fixing #53
d3fad92
@jumph4x
Copy link
Contributor

jumph4x commented Apr 12, 2013

I threw up the suggested fix up there as an emergency. No test attached yet. If someone wants to do this, please do.

jumph4x added a commit that referenced this issue Apr 12, 2013
@jumph4x
[VULN] Fixing #53
1e15645
@jumph4x
Copy link
Contributor

jumph4x commented Apr 12, 2013

Keeping this open as a reminder to write a test. Running into trouble with rake test_app... ugh.

jumph4x added a commit that referenced this issue Apr 12, 2013
@jumph4x
[VULN] Fixing #53
c4eccbb
@iloveitaly iloveitaly mentioned this issue Jul 13, 2014
Open
3 tasks
@iloveitaly
Copy link
Member

Closing this out, moving to #73

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jumph4x @iloveitaly @AdnanTheExcellent