Al Brookbanks
Posted December 15, 2010

Today it has been brought to our attention that personal information could be disclosed via the "Printable Order Form" module in CubeCart version 4 *if* the URL to it somehow gets spidered by a search engine. Strictly speaking this is impossible unless someone has copied and pasted the link into a public web page, but even so it is important to patch to prevent a customer doing so in ignorance.

This patch forces the print order form to check that the customer ID associated with the order matches the one stored in the session. If it doesn't, it will redirect the visitor to the homepage. The patch will also prevent any details that have already been spidered by search engines from being displayed. From our research this has only happened to one CubeCart store customer's order out of the millions.

Manual Code Patch

Open modules/gateway/Print_Order_Form/orderForm.inc.php

Find at around line 46:

    $orderSum = $order->getOrderSum($_GET['cart_order_id']);

Under this add:

    // Session id MUST match customer ID of order
    if($cc_session->ccUserData['customer_id']!==$orderSum['customer_id']) {
        httpredir("index.php");
    }

Patched File

Please upload the attached file below over your existing file at modules/gateway/Print_Order_Form/orderForm.inc.php

orderForm.inc.php

Security is our number one priority. We are pleased to say that this patch has been released within an hour from the time it was first reported.
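An added example, not part of the post or of CubeCart's own code, showing the same order-ownership check as a standalone PHP function run over constructed session and order data. The names $session, $orders and fetchOrderForPrint are hypothetical, and the X-Robots-Tag header is an extra defensive step beyond the post's patch.

```php
<?php
// Added example (not the CubeCart patch): ownership check for a printable
// order form, written as a standalone function so it runs offline.
// $session, $orders and fetchOrderForPrint are hypothetical names.

// Constructed sample data standing in for the session store and the orders table.
$session = ['customer_id' => '42'];            // logged-in customer
$orders  = [
    '100001' => ['customer_id' => '42', 'total' => '19.99'],
    '100002' => ['customer_id' => '7',  'total' => '250.00'],
];

/**
 * Resolve an order for printing only if it belongs to the current session.
 * Returns the order row, or null when the caller must be redirected away.
 */
function fetchOrderForPrint(array $orders, array $session, string $cartOrderId): ?array
{
    // A guest session (or none at all) has no customer_id: never show any order.
    if (empty($session['customer_id'])) {
        return null;
    }
    // Unknown ids and other customers' ids are handled identically, so the
    // response does not reveal whether a given order id exists.
    $order = $orders[$cartOrderId] ?? null;
    if ($order === null) {
        return null;
    }
    // Compare as integers: a strict !== between values of different types
    // (string from the DB, int from the session) would reject the real owner.
    if ((int) $order['customer_id'] !== (int) $session['customer_id']) {
        return null;
    }
    return $order;
}

// Walk-through: the owner gets the order, another customer's order is refused.
$mine   = fetchOrderForPrint($orders, $session, '100001');  // order row
$theirs = fetchOrderForPrint($orders, $session, '100002');  // null

if ($theirs === null) {
    // In the real module this is where httpredir("index.php") would go.
    // Also tell crawlers never to index the print page in the first place.
    header('X-Robots-Tag: noindex, nofollow');
}
var_dump($mine !== null, $theirs === null);
```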