Today it has been brought to our attention that personal information could be disclosed via the "Printable Order Form" module in CubeCart version 4 *if* the URL to it somehow gets spidered by a search engine. Strictly speaking this is impossible unless someone has copied and pasted the link into a public web page but even so it is important to patch to prevent a customer doing so in ignorance.
This patch forces the print order form to check that the customer ID associated to the order matches the one stored in the session. If it doesn't it will redirect the visitor to the homepage. The patch will prevent any details that have already been spidered by search engines not to be displayed.
From our research this has only happened to one CubeCart store customers order out of the millions.
Manual Code Patch
Open modules/gateway/Print_Order_Form/orderForm.inc.php
Find at around line 46:
$orderSum = $order->getOrderSum($_GET['cart_order_id']);Under this add:
Canal Rss
Canal Atom// Session id MUST match customer ID of order
if($cc_session->ccUserData['customer_id']!==$orderSum['customer_id']) {
httpredir("index.php");
}
orderForm.inc.php (9.94K)