HELP! Major Security Fault On My Installation


Guest


Hello,

Can anyone tell me why this is happening... I've had to close the site while I work out what's going on...

Sometimes people are placing orders without an account and it's showing up on someone else's account. Is it a problem with the BUY NOW option?

===========================================

I have revisited your site in order to try to work out how the error occurred.

In reply to your request for an explanation as to how I made an order with your company causing the order to be processed through someone else's account. This is what I did in order to buy the phone cover.

I selected the phone cover I wanted and said that I wanted to buy it. I now know that I should have been told that I must create an account. I was not asked to do this yesterday.

After stating that I wanted to buy the phone cover I began to fill in my details.

There was already a shipping address. I cannot remember the name and address but it was definitely female and we think it might have been Alison. At the time I thought it was strange but thought that it was a fictitious name and address.

I did not know what to do as it seemed peculiar to have a name and address already there. I changed the shipping address to mine so that the shipping address and the delivery address were both mine. I filled in my bank details as I usually do when using the Internet.

How can we see someone else's address?

Is someone else now going to have my name and address?

I logged on to your site again a few minutes ago and this time I was told I could not buy the phone cover as I did not have an account. So I created an account tonight to follow the process through. I did not actually order anything tonight; it was simply an exercise.

The answer to the question as to how I managed to order something using someone else's account seems to be the fact that I was allowed to order without creating an account of my own and was put through to the account of another customer.

===============================================

 

I also have another response from a customer...

 

===============================================

Yes I did. I found the page via Google, but must admit that I was surprised to see other address details in there. I was careful to put in my correct address and card details.

I would flag that you have a security problem if Google can pick up web pages which logically should only be available to the logged in party.

===============================================

 

Anyone know why this is happening?


Archived

This topic is now archived and is closed to further replies.
