Bugtraq mailing list archives

iBuySpy store hole


From: Tom Gilder <tom () tom me uk>
Date: Sun, 3 Mar 2002 12:27:52 +0000

OK, not exactly a real hole as it's just an example site - but on
Microsoft's example .NET store at http://www.ibuyspystore.com/
(developed by Vertigo Software), it is easily possible to view other
people's orders.

Simply log in to the site as anything, and browse to
http://www.ibuyspystore.com/orderdetails.aspx?OrderID=8000 - that's
one of my (very expensive) orders. Change the OrderID parameter to
view other orders. As this is a site for spies, I doubt they'd be too
happy about anyone being able to view what they ordered...

MS have encouraged developers to view and copy the code for their own
projects, so this is worth pointing out if anyone is using the code as
a base.

This needs a simple check to see if the logged in user was the person
who originally placed the order.

More information about iBuySpy is available at
http://www.asp.net/default.aspx?tabindex=3&tabid=42

-- 
Tom Gilder
tom () tom me uk
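
One way to implement the ownership check the post asks for, as an added example and not the iBuySpy code itself. It assumes an ASP.NET Web Forms code-behind page with Forms authentication, an Orders table with OrderID and CustomerID columns, a DataGrid named OrderDetails on the page, a hypothetical connection string, and User.Identity.Name holding the logged-in customer's ID; all of those names are assumptions for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example, not the iBuySpy source. Assumed names: an Orders table with
// OrderID/CustomerID columns, a DataGrid control named OrderDetails on the page,
// and User.Identity.Name holding the logged-in customer's ID.
public class OrderDetailsPage : Page
{
    // Assumed connection string; a real site reads it from configuration.
    private const string ConnStr = "Server=.;Database=Store;Integrated Security=SSPI";

    protected DataGrid OrderDetails;

    // Returns the order only if it belongs to customerId, otherwise null.
    // The ownership check lives in the query predicate itself, so another
    // customer's row is never fetched and then filtered in page code.
    public static DataTable GetOwnOrder(int orderId, string customerId)
    {
        // The hole in the report corresponds to "WHERE OrderID = @OrderID" alone:
        // any logged-in user can read any order by editing the query string.
        // Fixed form: the caller's identity is part of the predicate.
        const string sql =
            "SELECT OrderID, OrderDate, ShipDate, Total " +
            "FROM Orders WHERE OrderID = @OrderID AND CustomerID = @CustomerID";

        using (SqlConnection conn = new SqlConnection(ConnStr))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@OrderID", SqlDbType.Int).Value = orderId;
            cmd.Parameters.Add("@CustomerID", SqlDbType.NVarChar, 50).Value = customerId;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                DataTable table = new DataTable();
                table.Load(reader);
                return table.Rows.Count == 1 ? table : null;
            }
        }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Forms authentication should already have rejected anonymous callers;
        // check anyway rather than trusting that the page is only reachable logged in.
        if (!User.Identity.IsAuthenticated)
        {
            Response.StatusCode = 401;
            Response.End();
            return;
        }

        // Reject anything that is not an integer before it reaches the database.
        int orderId;
        if (!int.TryParse(Request.QueryString["OrderID"], out orderId))
        {
            Response.StatusCode = 400;
            Response.End();
            return;
        }

        DataTable order = GetOwnOrder(orderId, User.Identity.Name);
        if (order == null)
        {
            // Same response whether the order does not exist or belongs to someone
            // else, so walking OrderID values cannot confirm which IDs are in use.
            Response.StatusCode = 404;
            Response.End();
            return;
        }

        OrderDetails.DataSource = order;
        OrderDetails.DataBind();
    }
}
```

The point of putting CustomerID into the WHERE clause rather than comparing after the fetch is that the check cannot be forgotten on a second code path that reuses the same query, and a tampered OrderID yields "not found" rather than a different error that reveals the order exists.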
