Data Leak found In Fooman Magento Extensions


Popular Magento extension developer Fooman has been informed of a security vulnerability in their Magento extensions. It is recommended that all existing Magento stores upgrade any Fooman extension they have immediately. This also applies to their most popular extensions, such as PDF Customizer, which almost every store runs (check yours as well!).

Issue

The data leak comes down to this: anyone is able to view the invoices and orders of Magento stores using the plugin. This is of course a very serious issue, as it basically means all orders are visible to the public. To check an order:

http://magentostore.com/sales/guest/printInvoice/invoice_id/*/

Change the asterisk to an order id, and you'll be able to view the entire order and its information. This also means people can place a small order, check what their order id is, and then walk back through all earlier orders from there.

Solution

To solve the data leak it's recommended to update your Fooman extensions, as the company has already released a patch that fixes the security vulnerability.

If you can't update the Fooman extensions for any reason, it is recommended to have a Magento developer solve it for you. This can be done by altering the code of the guest controllers in the Fooman extension so that they check

$this->orderViewAuthorization->canView($invoiceOrder)

for the order before rendering anything.
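As an added example (not Fooman's code, and not the patch Fooman shipped), here is what a hardened guest "print invoice" controller looks like when it applies that check. The class and namespace are hypothetical; it assumes PHP 8 and the Magento 2 interfaces named in the use statements, which is the platform the URL above belongs to.

```php
<?php
// Added example (not Fooman's code): a guest "print invoice" controller that
// refuses to render an invoice unless the guest session is authorized for its
// order. Class name is hypothetical; the Magento 2 interfaces used are assumed.
namespace Example\GuestInvoice\Controller\Guest;

use Magento\Framework\App\Action\Action;
use Magento\Framework\App\Action\Context;
use Magento\Framework\Exception\NoSuchEntityException;
use Magento\Framework\Registry;
use Magento\Framework\View\Result\PageFactory;
use Magento\Sales\Api\InvoiceRepositoryInterface;
use Magento\Sales\Controller\AbstractController\OrderViewAuthorizationInterface;

class PrintInvoice extends Action
{
    public function __construct(
        Context $context,
        private readonly Registry $registry,
        private readonly PageFactory $pageFactory,
        private readonly InvoiceRepositoryInterface $invoiceRepository,
        private readonly OrderViewAuthorizationInterface $orderViewAuthorization
    ) {
        parent::__construct($context);
    }

    public function execute()
    {
        $invoiceId = (int) $this->getRequest()->getParam('invoice_id');
        try {
            $invoice = $this->invoiceRepository->get($invoiceId);
        } catch (NoSuchEntityException $e) {
            $invoice = null;
        }
        // The leak is a missing authorization step: the invoice was loaded by
        // id from the URL and rendered straight away. The decision must be made
        // on the invoice's order: a guest may only print an invoice whose order
        // they already proved ownership of through the guest "orders and
        // returns" form, which is exactly what canView() verifies.
        if ($invoice === null
            || !$this->orderViewAuthorization->canView($invoice->getOrder())) {
            // Same response for "no such invoice" and "not your invoice", so the
            // URL cannot be used to tell which invoice ids exist.
            return $this->resultRedirectFactory->create()->setPath('sales/guest/form');
        }
        $this->registry->register('current_invoice', $invoice);
        $this->registry->register('current_order', $invoice->getOrder());
        return $this->pageFactory->create();
    }
}
```

The same pattern applies to the other guest controllers (print order, shipment, credit memo): load the record, resolve its order, and call canView() on that order before registering anything for the view.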

This will ensure the orders can no longer be viewed by anyone just by changing the order ID in the URL of your Magento store. It is still highly recommended to upgrade the extension as soon as possible. If you have any other questions, please do not hesitate to use the comment section below.
