Quote Originally Posted by Jarkko View Post
Hi everybody

There seems to be a security issue with Cowoa. I just tested with ZC 1.5.5 and Cowoa 2.7 (latest in Github):

1. Person A makes an order from Zen Cart using Cowoa checkout using email [email protected]
2. Person B user makes a new account to Zen Cart using the same email address [email protected]
3. Person B now sees order that Person A made in step 1. which is the security issue I am talking about

This is due to registering doesn't use email confirmation by default... It isn't normally a issue if someone registers with a faulty email they have no access to, not really a major issue. However when using Cowoa, this reveals sensitive data about users and their order history.

I am currently trying to figure how to fix this problem in my customers site, and basically I'm rather unsure how to fix it. I suppose email-confirmation must be required when cowoa-account exists before upgrading it to a normal account. Or mark orders to cowoa-orders, and not display them to a non-cowoa users.
I made a quick fix to this problem in my installation by modifying includes/modules/pages/account/header_php.php and includes/modules/pages/account_history/header_php.php with following line added to sql-query in both files:
Code:
AND    o.COWOA_order = 0
So account and account_history will only show orders that are not Cowoa-orders.

Also while testing I noticed that order_status -page can easily be brute-forced to give out information about orders for desired email. So I also took that feature off from the admin area, and deleted the includes/modules/pages/order_status -folder (since it kept working even after feature was disabled).