iBuySpy store hole

From: Tom Gilder (tomat_private)
Date: Sun Mar 03 2002 - 04:27:52 PST


OK, not exactly a real hole as it's just an example site - but on
Microsoft's example .NET store at http://www.ibuyspystore.com/
(developed by Vertigo Software), it is easily possible to view other
people's orders.

Simply log in to the site as anything, and browse to
http://www.ibuyspystore.com/orderdetails.aspx?OrderID=8000 - that's
one of my (very expensive) orders. Change the OrderID parameter to
view other orders. As this is a site for spies, I doubt they'd be too
happy about anyone being able to view what they ordered...

MS have encouraged developers to view and copy the code for their own
projects, so this is worth pointing out if anyone is using the code as
a base.

This needs a simple check to see if the logged-in user was the person
who originally placed the order.

More information about iBuySpy is available at
http://www.asp.net/default.aspx?tabindex=3&tabid=42

-- 
Tom Gilder
tomat_private
    
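The ownership check the post asks for, as an added illustration (not iBuySpy's or Vertigo's code). It assumes a constructed Orders table with a CustomerID column and that the current customer's id comes from the authenticated session, never from the request; the unchecked handler mirrors the flaw, the checked one folds ownership into the query so a foreign OrderID behaves like a missing one.

```python
import sqlite3


def build_db():
    """Constructed sample data (not real iBuySpy orders): two customers, one order each."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE Orders (OrderID INTEGER PRIMARY KEY, CustomerID INTEGER, Total REAL)"
    )
    db.executemany(
        "INSERT INTO Orders VALUES (?, ?, ?)",
        [(8000, 1, 12999.00), (8001, 2, 45.50)],
    )
    return db


def order_details_unchecked(db, order_id):
    """The flaw described above: the row is selected by OrderID alone, so any
    logged-in user can read any order just by changing the parameter."""
    return db.execute(
        "SELECT OrderID, CustomerID, Total FROM Orders WHERE OrderID = ?",
        (order_id,),
    ).fetchone()


def order_details_checked(db, session_customer_id, order_id):
    """Ownership is part of the lookup. session_customer_id is taken from the
    server-side session (in ASP.NET, the forms-auth identity), not from the URL.
    A row belonging to someone else comes back as None, which the page should
    render as 'order not found' rather than a distinct 'forbidden' so the
    response does not confirm that the guessed OrderID exists."""
    return db.execute(
        "SELECT OrderID, CustomerID, Total FROM Orders "
        "WHERE OrderID = ? AND CustomerID = ?",
        (order_id, session_customer_id),
    ).fetchone()


def demo():
    """Customer 1 asks for order 8001, which belongs to customer 2."""
    db = build_db()
    leaked = order_details_unchecked(db, 8001)          # returned: the hole
    denied = order_details_checked(db, 1, 8001)         # None: fixed
    own = order_details_checked(db, 1, 8000)            # own order still works
    return leaked, denied, own
```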



    This archive was generated by hypermail 2b30 : Sun Mar 03 2002 - 13:10:32 PST