InnoShop IDOR Vulnerability Allowing PII Disclosure and Review Deletion

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in InnoShop versions through 0.4.1. It affects several areas of the frontend shop: the application trusts client-supplied object IDs without checking that the object belongs to the authenticated customer, so a logged-in customer can read other customers' personal information and delete their product reviews. Specifically, an attacker can view another customer's order details by changing the order ID in the URL, access other customers' shipping and billing information by altering the address ID parameters during checkout, and delete other users' reviews by sending a DELETE request with the target review ID.

Impact

Exploitation of this vulnerability leads to unauthorized access to personal information of customers, including order details and shipping information, and allows for the deletion of product reviews belonging to other users.

Reproduction

To reproduce this vulnerability, create a customer account and place an order. After the order is confirmed, note the order ID, which is a numeric value derived from the current date and is therefore easy to guess. Then log in as a different user and open the order details page with that order ID in the URL. The first user's order details are displayed, demonstrating the IDOR. The same weakness can be reproduced by changing the shipping and billing address ID parameters during checkout to access other customers' information. The review-deletion aspect can be reproduced by leaving reviews as different users and then issuing the DELETE request with the review ID of another user's review.
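
The missing check in all three cases is object-level authorization: the lookup must be scoped to the authenticated customer before the object is read or deleted. The following added example (not InnoShop's code; the stores, IDs and customer numbers are constructed for illustration) shows the vulnerable lookup beside the hardened one, a DELETE handler that authorizes before mutating, and a small counter of denied lookups that a defender can use to spot ID enumeration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple, List

@dataclass(frozen=True)
class Owned:
    """Any customer-owned object: an order, an address, or a review."""
    id: int
    customer_id: int
    data: str

# Constructed sample stores (hypothetical IDs, not values from the advisory).
# Order IDs are date-based, as the advisory describes, so they are guessable.
ORDERS: Dict[int, Owned] = {
    20250623001: Owned(20250623001, 1, "order: 2 items, ships to customer 1"),
    20250623002: Owned(20250623002, 2, "order: 1 item, ships to customer 2"),
}
ADDRESSES: Dict[int, Owned] = {10: Owned(10, 1, "1 Example St"), 11: Owned(11, 2, "2 Sample Ave")}

def find_vulnerable(store: Dict[int, Owned], object_id: int, current_customer: int) -> Optional[Owned]:
    """Vulnerable pattern: trusts the client-supplied ID and never checks ownership."""
    return store.get(object_id)

def find_owned(store: Dict[int, Owned], object_id: int, current_customer: int) -> Optional[Owned]:
    """Hardened pattern: scope the lookup to the authenticated customer.
    A foreign object and a missing object both yield None, so the response
    does not confirm to the caller that another customer's ID exists."""
    obj = store.get(object_id)
    if obj is None or obj.customer_id != current_customer:
        return None
    return obj

def delete_review(reviews: Dict[int, Owned], review_id: int, current_customer: int) -> bool:
    """DELETE handler: authorize first, mutate second.
    Returns True only when the caller's own review was removed."""
    if find_owned(reviews, review_id, current_customer) is None:
        return False
    del reviews[review_id]
    return True

def denied_lookups(attempts: List[Tuple[int, Dict[int, Owned], int]]) -> Dict[int, int]:
    """Detection aid: count ownership-check failures per customer over
    (customer_id, store, object_id) attempts. A burst of denials from one
    account is the signal to alert on."""
    counts: Dict[int, int] = {}
    for customer, store, object_id in attempts:
        if find_owned(store, object_id, customer) is None:
            counts[customer] = counts.get(customer, 0) + 1
    return counts
```

In a Laravel-style controller the same scoping is the difference between fetching by ID alone and constraining the query to the authenticated customer's ID before `findOrFail`.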

Added: Jun 23, 2025, 3:00 PM
Updated: Jun 23, 2025, 3:00 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 7.6
remediation: 0.0
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.