Last week we found a data leak vulnerability in the Fooman Pdf Customizer. When researching some functionalities for one of our customers we discovered the following bug:
// De Nederlandse versie van dit bericht lees je hier. //
Guest users can view the invoices, shipments and creditmemos of other customers. The data is easy accessible when viewing the print url of your orderdata (https://webshop.test/sales/guest/printInvoice/invoice_id/*/). When a customer changes the asterix to an ID lower than his/her own it will show the data of other customers order. If you are the most recent invoice every ID below yours can be checked.
The bug was reported to Fooman first because of the potential customer data risk. Fooman released an update today and now is the correct time to inform all other Magento 2 shop owners. Fooman updated the module as soon as possible and we highly recommend installing this update.
If updating right now is not an option, then please alter the code of the Guest plugins in the Fooman PDF customizer to also check the $this->orderViewAuthorization->canView($invoiceOrder) for the invoiced order. We also created composer patcher for the leak. Patches can be found here:
Installing composer patches is explained here.
We highly recommend updating as soon as possible, given that the leak is now public and it is accessible even for non-developers.
///// Description of Bug for Fooman
When you compare the core checks to the one in the plugin like GuestPrintInvoice (FoomanPdfCustomiserPluginOrderGuestPrintInvoice) you see that the Magento core logic does a canView($order) check on the $order ($invoice->getOrder()) aswell. Same goes for the other guest implementations.
This issues a problem in data security when a customer visits his own printUrl (like: sales/guest/printInvoice/invoice_id/1113/) All he/she needs to do is change the id variable and he will see the invoice of another customer. This happens because the check is done on the Registy current_order and not on the invoice order. For my projects i have now refactored the code with a canView($invoiceOrder) check.
Also, the core MagentoSalesControllerAbstractControllerPrintInvoice redirects the customers to the sales/order/history page when logged in, and the sales/guest/form when not logged in. In my opinion this is better than the noroute that a customer now gets.
///// END of Description of Bug for Fooman