Security problem - users seeing each other's carts and profiles

 
  • baba-studio
  • Junior Member
  • Members
  • Join Date: 22-Jan 08
  • 15 posts

Posted 22 November 2009 - 03:19 PM #1

On Friday evening I was asked by a buyer to change her cart. So I logged in and did "act on behalf of" then logged out and carried on.

However, since then, it seems if there are two or more users on the site at once they are seeing each other's carts and profiles. I've been fairly much bombarded with emails from customers about this. I've checked it myself and it's true - when I log on I can see all the details of one of the other users - as though I was "acting on behalf of", though I'm not!

I've tried logging myself out completely, and various other simple ways of perhaps fixing the problem - nothing has helped.

It's disastrous at this time of the year to scare customers away and especially so as I'd just sent out a newsletter - which always results in a lot of visits to the shop. We were upgraded by CS-Cart to V2 a couple of months ago so I assume this is a V2 bug. I think we're on 2.06 (need to check).

Has anyone else had this problem and please is there any fix I can put in myself for now? I don't think support are working today.

Many thanks,

Karen

baba-store.com (as you can see, we have had to close the cart).

 
  • baba-studio

Posted 22 November 2009 - 07:16 PM #2

Just to give more information. It gets worse. One customer reported seeing my quantity discounts which are only visible to wholesalers. This seems to have happened because one wholesaler logged in. Another found that the currency display was changing according to what other users were setting it to.

I have closed the shop until this is sorted as I can't risk customers' security. I am also spending most of the evening writing emails to some customers who have been worried by this. It really is about the most catastrophic bug a shopping cart can have. Surely CS-Cart needs some sort of out of hours support to deal with stuff like this?

If anyone has found the cause and the fix for this, do please let me know.

 
  • baba-studio

Posted 23 November 2009 - 10:57 AM #3

I have had absolutely no response from the support desk, though we do pay for support.

This is an urgent and serious security problem on our cart and I can't re-open until it's solved.

Not impressed - I expected at least a "we're working on it" response.

 
  • The Tool
  • Been Here Way Too Long Member
  • Members
  • Join Date: 30-Mar 07
  • 3848 posts

Posted 23 November 2009 - 11:49 AM #4

If you are on 2.0.6 then maybe the updates will solve your problem? If the shop is down, you don't have anything to lose by updating.

Edit: I just checked your version and you are on CS-CART: version 2.0.6. The current version is 2.0.8.

 
  • baba-studio

Posted 26 November 2009 - 09:45 AM #5

Thanks for your help - appreciated. I did finally get a response from support and they seemed to have fixed it. However, today the same problem is happening and I've already had two complaints from customers.

I have suggested that an upgrade to 2.08 might solve this, but no response as yet.