[Interchange-bugs] [Bug 71] Changed - admin ui order entering thingy can create a user with a blank id
bugzilla-daemon@localhost.akopia.com
Thu, 22 Mar 2001 19:13:11 -0500
http://developer.akopia.com/bugs/show_bug.cgi?id=71
*** shadow/71 Thu Jan 11 23:17:01 2001
--- shadow/71.tmp.17890 Thu Mar 22 19:13:11 2001
***************
*** 5,17 ****
OS/Version: Linux
Status: ASSIGNED
Resolution:
! Severity: normal
Priority: P2
Component: UI
AssignedTo: mike@minivend.com
ReportedBy: sonny@akopia.com
URL:
- Cc:
Summary: admin ui order entering thingy can create a user with a blank id
replicate:
--- 5,16 ----
OS/Version: Linux
Status: ASSIGNED
Resolution:
! Severity: major
Priority: P2
Component: UI
AssignedTo: mike@minivend.com
ReportedBy: sonny@akopia.com
URL:
Summary: admin ui order entering thingy can create a user with a blank id
replicate:
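Review bot: Severity moves from normal to major here, but Summary and Priority are left unchanged, so the record still reads as a blank-id data-quality bug at P2. The comment added in the next hunk reports that the blank user can be logged in and exposes the previous customer's address, phone and email. Suggest updating Summary to state that impact and revisiting Priority alongside the Severity change.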
***************
*** 32,34 ****
--- 31,46 ----
At any rate, we shouldn't go around generating blank user ids for new customers
Also, this ui seems to be placed rather poorly.
+
+ ------- Additional Comments From rphipps@reliant-solutions.com 2001-03-22 19:13 -------
+ In addition to automaticalling logging on this also allows a customer to view
+ the last customer's, who ordered, information including their address, phone,
+ email and other information found in the logout screen (luckily not the CC).
+ We just had this happen on our system and it was due to a blank user being
+ created through the UI using the order desk. I think two stops should be put
+ in place, require the Customer ID on the Order Desk AND do not allow a blank
+ username as a proper login when checking for credentials. This way if a blank
+ username creaps into the system in another way it will atleast not be valid for
+ logging on. We lost about 5 orders yesterday due to this bugs and others have
+ decided not to order because they are in fear of their information being
+ exploited.
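Review bot: the added comment proposes two separate stops ("require the Customer ID on the Order Desk AND do not allow a blank username as a proper login") in a single note, which makes it hard to track whether each one is fixed. Suggest tracking them as two items. The login-side rejection of a blank username is the one that still holds if a blank id enters by some other route, as the comment itself points out. The comment also gives no steps for how a customer ends up logged in as the blank user, so the replicate section should be extended with that path.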