VirtueMart Developer Portal

         
[BUG-2195]  -  User data is visible for anonymous
Tracker: Bug | Priority: Highest | Status: Closed
Resolution: Fixed | Owner: -- | Severity: Blocker
Submitted by: kaltokri Jun 27 2008 15:21 | Assigned to: -- | Modified by: soeren_nb Sep 19 2008 20:30
Category: Security | Platform: -- | OP-SYS: Linux
Version: VirtueMart 1.1.1 | Joomla! Version: Joomla! >= 1.0.13 | Browser Version: --
Fixed in Version: VirtueMart 1.1.2
Description:
Hi,

If you add a product to the cart (without being logged in), click on show cart and next you can see user details from another user. It is not the user of the last order. I've deleted the shown user but the data is still shown.

Please help me urgently, because the user is angry!!!!!!!!!!!!!!!

See also:

http://forum.virtuemart.net/index.php?topic=42325.0

http://forum.virtuemart.net/index.php?topic=42181.0


Submitted Comment
Aravot
Jul 24 2008 09:14
This should be fixed in SVN 1484, please test before we release VM 1.1.2
kaltokri
Jul 11 2008 15:21
As far as I know: If you have the problem it is too late. You need to delete all users with id=0 in the database to solve the problem. Or change the id to something else if it is possible. The new version of PS_SHOPPER.PHP should prevent users from becoming id=0, not solve existing problems. It is available in SVN.
ppeeters
Jul 11 2008 15:10
Where is the PS_SHOPPER.PHP file?

Unregistered user sees the billing address of the first registered user. This user is the famous user id 0 ....and it's very very annoying and frustrating

Help, thanks

Patrick

soeren_nb
Jun 30 2008 21:10
I've checked in a new version of the file ps_shopper.php now, which prevents insertion of a user with the ID 0 into the table "jos_vm_user_info". Could you please update and check if this happens again? There are no other dependencies, so you can also just update this file without crashing anything else.
GTWillemsen
Jun 30 2008 13:52
Database problem exactly the same; table jos_vm_user_info where user_id == 0

This had 1 result; deleting this solved the problem. Note: somehow a user had placed an order without any shipment data.

GTWillemsen
Jun 30 2008 13:14
"Or have all of your users been created using that user type?"

Normal account creation now (after update), before (old vm), silent not active, J! registration allowed: yes, J1 new registration mandatory: yes.

Changing the current setting to silent doesn't change anything.

GTWillemsen
Jun 30 2008 13:10
Verified: After updating/migrating a J!-1.0.x + VM-1.0.15 site to J!-1.5 + VM-1.1.0/1.1.1

Doesn't seem to depend on user registration or cookies. The data shown is from just a user, not the first or last, just a random user. Deleting user from the userlist doesn't work.

Seems to be the result of the migration in this case?

I try the solution with the database (kaltokri)

kaltokri
Jun 28 2008 11:54
I use normal account creation without activation from installation time until now. I've never changed it. One of these accounts was from year 2007, the other I don't know.
gregdev
Jun 28 2008 01:30
What type of registration are you using? Did you use a certain registration type at first and then switch it? Or have all of your users been created using that user type?
kaltokri
Jun 27 2008 17:18
I found the error! In the database in the table jos_vm_user_info was a recordset with the information of the user. In this recordset user_id was 0. Because of this it wasn't shown in administration users.

I've deleted this recordset and now another user was shown. This user also has the user_id 0. I've deleted this record too and now the problem is gone.

But how can the user_id get 0?

All user_info with user_id 0 must be deleted in checkout process. If the error occurs again, I'll notice it maybe only because another customer tells it. This isn't good.

It is a heavy security risk. Which user wants to register in a virtuemart shop, if he knows that their information will maybe be shown to the whole world?
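
Added example, not part of the ticket and not VirtueMart's own code: a Python/sqlite3 reproduction of the condition the thread describes, where address rows stored under user_id 0 match a visitor who is not logged in (Joomla reports user id 0 for guests), together with the audit query, the cleanup and a database-level guard. Only the table name jos_vm_user_info and the user_id column come from the ticket; the other columns, the lookup query and the trigger are assumptions made for illustration.

```python
import sqlite3

# Constructed schema: only the table name and user_id come from the ticket;
# user_info_id and last_name are assumed columns, and all rows are sample data.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE jos_vm_user_info ("
               "user_info_id TEXT PRIMARY KEY, user_id INTEGER NOT NULL, last_name TEXT)")
    db.executemany("INSERT INTO jos_vm_user_info VALUES (?, ?, ?)", [
        ("a1", 62, "Registered"),   # normal row tied to a real account
        ("b2", 0, "Leaked-One"),    # stray rows stored under user_id 0
        ("c3", 0, "Leaked-Two"),
    ])
    return db

def billing_row_for(db, user_id):
    """Assumed cart lookup: first address row matching the session's user id."""
    return db.execute("SELECT last_name FROM jos_vm_user_info WHERE user_id = ? "
                      "ORDER BY user_info_id LIMIT 1", (user_id,)).fetchone()

def audit_zero_rows(db):
    """Detection query from the thread: rows filed under user_id 0."""
    return [r[0] for r in db.execute(
        "SELECT user_info_id FROM jos_vm_user_info WHERE user_id = 0 "
        "ORDER BY user_info_id")]

def cleanup(db):
    """Remove every row filed under user_id 0; returns the number deleted."""
    cur = db.execute("DELETE FROM jos_vm_user_info WHERE user_id = 0")
    db.commit()
    return cur.rowcount

def add_guard(db):
    """Hypothetical DB-level backstop: refuse any insert with user_id < 1."""
    db.execute("CREATE TRIGGER no_guest_rows BEFORE INSERT ON jos_vm_user_info "
               "WHEN NEW.user_id < 1 BEGIN "
               "SELECT RAISE(ABORT, 'user_id must be a real account'); END")

if __name__ == "__main__":
    GUEST = 0  # Joomla user id of a visitor who is not logged in
    db = make_db()
    print("guest sees:", billing_row_for(db, GUEST))
    print("stray rows:", audit_zero_rows(db))
    print("deleted:", cleanup(db))
    add_guard(db)
    print("guest sees after cleanup:", billing_row_for(db, GUEST))
```

Running the audit query on a schedule catches a recurrence without waiting for a customer report, and the guard keeps a later code path from reintroducing such rows.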