Vaapukkamies Posted January 11, 2023

Hi, I have found a possible vulnerability regarding order tracking. I found that the website's "order tracking for visitors" page reveals too much private information. The tracking page can be accessed by anyone without credentials from anywhere on the internet, as long as they know the values XXXXXXX and YYYYYYY. Although the page requires two values, XXXXXXX and YYYYY, completely correct to access the page, the page is completely open to everyone on the internet. Thus, cracking the value XXXXXX with the help of, say, an email list leaked from somewhere else (i.e. YYYYYY is known) should not be a very difficult task for bots. In this case XXXXXXX is the order's tracking number and YYYYYY is the recipient's email address. If anyone has ideas how to fix this, please share.

TiaNex Shopping Posted January 11, 2023

Please check the site access log. In most cases you have installed some themes or modules, especially some free copies.
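
Added example, not part of any post in this thread: one way to act on the access-log suggestion is to count, per e-mail address, how many distinct tracking numbers were tried against the tracking page. The path `/guest-tracking`, the parameter names `order_reference` and `email`, the threshold and the log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format; not real traffic.
# Path and parameter names are assumptions, adjust them to your shop.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jan/2023:10:00:01 +0000] "GET /guest-tracking?order_reference=AAAAAAAAA&email=alice%40example.com HTTP/1.1" 200 5120
203.0.113.7 - - [11/Jan/2023:10:00:02 +0000] "GET /guest-tracking?order_reference=AAAAAAAAB&email=alice%40example.com HTTP/1.1" 200 5120
198.51.100.9 - - [11/Jan/2023:10:00:03 +0000] "GET /guest-tracking?order_reference=AAAAAAAAC&email=Alice%40example.com HTTP/1.1" 200 5120
198.51.100.9 - - [11/Jan/2023:10:00:04 +0000] "GET /guest-tracking?order_reference=AAAAAAAAD&email=alice%40example.com HTTP/1.1" 200 5120
192.0.2.44 - - [11/Jan/2023:10:05:00 +0000] "GET /guest-tracking?order_reference=QWERTYUIO&email=bob%40example.com HTTP/1.1" 200 9033
192.0.2.44 - - [11/Jan/2023:10:05:09 +0000] "GET /guest-tracking?order_reference=QWERTYUIO&email=bob%40example.com HTTP/1.1" 200 9033
192.0.2.44 - - [11/Jan/2023:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 20111
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) [^"]*" \d{3}')

def find_enumeration(log_text, path="/guest-tracking", threshold=3):
    """Map each e-mail probed with >= threshold distinct tracking numbers
    to (number of distinct tracking numbers, sorted client IPs)."""
    refs, ips = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a GET request line we can parse
        url = urlsplit(m.group(2))
        if url.path != path:
            continue
        query = parse_qs(url.query)
        email = query.get("email", [""])[0].strip().lower()
        ref = query.get("order_reference", [""])[0].strip()
        if email and ref:
            refs[email].add(ref)
            ips[email].add(m.group(1))
    return {e: (len(r), sorted(ips[e])) for e, r in refs.items()
            if len(r) >= threshold}

if __name__ == "__main__":
    for email, (count, sources) in find_enumeration(SAMPLE_LOG).items():
        print(f"{email}: {count} distinct tracking numbers from {sources}")
```

Grouping by e-mail rather than by client IP keeps guessing that is spread over several source addresses visible. If the tracking form is submitted by POST, the parameters do not appear in the access log and the same counting has to be done in the application.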

joseantgv Posted January 23, 2023

Could you please upload a screenshot from this page?