[24520] in bugtraq

home help back first fref pref prev next nref lref last post

iBuySpy store hole

daemon@ATHENA.MIT.EDU (Tom Gilder)
Sun Mar 3 16:10:49 2002

Date: Sun, 3 Mar 2002 12:27:52 +0000
From: Tom Gilder <tom@tom.me.uk>
Reply-To: Tom Gilder <tom@tom.me.uk>
Message-ID: <43162508028.20020303122752@tom.me.uk>
To: bugtraq@securityfocus.com
Resent-From: Tom Gilder <tom@tom.me.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

OK, not exactly a real hole as it's just an example site - but on
Microsoft's example .NET store at http://www.ibuyspystore.com/
(developed by Vertigo Software), it is easily possible to view other
people's orders.

Simply log in to the site as anything, and browse to
http://www.ibuyspystore.com/orderdetails.aspx?OrderID=8000 - that's
one of my (very expensive) orders. Change the OrderID parameter to
view other orders. As this is a site for spies, I doubt they'd be too
happy about anyone being able to view what they ordered...

MS have encouraged developers to view and copy the code for their own
projects, so this is worth pointing out if anyone is using the code as
a base.

This needs a simple check to see if the logged-in user was the person
who originally placed the order.

More information about iBuySpy is available at
http://www.asp.net/default.aspx?tabindex=3&tabid=42

-- 
Tom Gilder
tom@tom.me.uk
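The ownership check the post asks for, as an added example that is not part of the original message and not the iBuySpy code (which is ASP.NET; this is a language-neutral illustration in Python with an in-memory SQLite table standing in for the store's Orders table). The table layout, the order rows, the customer names and the handler names are all constructed for the example. The vulnerable handler selects by OrderID alone, exactly the behaviour reported; the fixed handler scopes the query to the authenticated user, so a guessed OrderID never returns someone else's row, and it answers 404 for both "not found" and "not yours" so the page cannot be used to enumerate which order numbers exist.

```python
import sqlite3
from typing import Optional, Tuple

# Constructed sample rows; the order IDs, customers and totals are made up
# for this example and are not real orders from the iBuySpy store.
SAMPLE_ORDERS = [
    (8000, "tom",   "2002-03-01", 12999.99),
    (8001, "alice", "2002-03-02", 49.00),
    (8002, "bob",   "2002-03-02", 310.50),
]

Row = Tuple[int, str, str, float]
Response = Tuple[int, Optional[Row]]


def open_store() -> sqlite3.Connection:
    """In-memory stand-in for the store's Orders table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE Orders ("
        " OrderID INTEGER PRIMARY KEY,"
        " CustomerID TEXT NOT NULL,"
        " OrderDate TEXT NOT NULL,"
        " Total REAL NOT NULL)"
    )
    db.executemany("INSERT INTO Orders VALUES (?, ?, ?, ?)", SAMPLE_ORDERS)
    return db


def parse_order_id(raw: Optional[str]) -> Optional[int]:
    """Accept only a plain decimal OrderID; anything else is rejected before
    it reaches the query (the query is parameterised anyway, but a bad value
    should be a 400, not a database error)."""
    if raw is None or not raw.isdecimal():
        return None
    return int(raw)


def order_details_vulnerable(db: sqlite3.Connection, order_id: int,
                             current_user: Optional[str]) -> Response:
    """Mirrors the reported behaviour: any logged-in user may fetch any
    OrderID, because the lookup never consults who is asking."""
    if current_user is None:
        return 401, None
    row = db.execute(
        "SELECT OrderID, CustomerID, OrderDate, Total FROM Orders"
        " WHERE OrderID = ?",
        (order_id,),
    ).fetchone()
    return (200, row) if row else (404, None)


def order_details_fixed(db: sqlite3.Connection, order_id: int,
                        current_user: Optional[str]) -> Response:
    """The lookup is scoped to the authenticated user. A caller-supplied
    OrderID on its own can never select a row, and a foreign order gets the
    same 404 as a non-existent one, so the response does not reveal whether
    a guessed ID exists."""
    if current_user is None:
        return 401, None
    row = db.execute(
        "SELECT OrderID, CustomerID, OrderDate, Total FROM Orders"
        " WHERE OrderID = ? AND CustomerID = ?",
        (order_id, current_user),
    ).fetchone()
    return (200, row) if row else (404, None)


def handle_request(db: sqlite3.Connection, query: dict,
                   session_user: Optional[str], handler) -> Response:
    """Simulates orderdetails.aspx: read OrderID from the query string,
    validate it, and dispatch to one of the two handlers above.
    session_user stands in for the identity the site's login cookie proves."""
    order_id = parse_order_id(query.get("OrderID"))
    if order_id is None:
        return 400, None
    return handler(db, order_id, session_user)


if __name__ == "__main__":
    store = open_store()
    for user, oid in (("tom", "8000"), ("tom", "8001"), (None, "8000")):
        print(user, oid,
              "vulnerable:", handle_request(store, {"OrderID": oid}, user,
                                            order_details_vulnerable)[0],
              "fixed:", handle_request(store, {"OrderID": oid}, user,
                                       order_details_fixed)[0])
```

The essential change is the extra `AND CustomerID = ?` bound to the session identity, not to anything in the request; doing it in the query (or stored procedure) rather than by fetching the row and comparing afterwards means there is no code path that has the foreign row in hand and might forget to check it.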