Summary
All update/delete endpoints verify role permissions but never check resource ownership. Any user with updateProduct/updateOrder permission can modify ANY user's resources.
Key Findings (12 total, MEDIUM severity)
- Orders::update/printDiv — modify/view any order without ownership check
- Products::update — modify any product
- Users::edit/delete — edit/delete any user account
- Users::setting — privilege escalation via POST group parameter
- Category/Stores/Attributes::update — modify any record
- Unprotected AJAX endpoints (getProductValueById, fetchProductData)
Root Cause
Controllers check in_array('updateResource', $this->permission) but never validate the resource belongs to the current user. All model queries use the URL-supplied ID directly.
Fix
Add ownership check after permission check: verify $resource['user_id'] == $current_user before allowing modifications.
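The pattern the Fix describes, written out as an added example in PHP (this is not the audited project's code). It shows a controller update method in the vulnerable shape the finding reports beside a hardened version that adds the ownership check after the permission check. The class name, the in-memory product store standing in for the model, the `updateProduct` permission name and the sample user/product IDs are all assumptions made for the example.

```php
<?php
// Added example, not the audited application's code. Assumes a controller that
// holds the current user's granted permission names in $this->permission and
// the session user's id in $currentUserId; the product array below is a
// constructed stand-in for the model's lookup/update calls.

class Products_Example
{
    private array $permission;
    private int $currentUserId;
    private array $products;

    public function __construct(int $currentUserId, array $permission, array $products)
    {
        $this->currentUserId = $currentUserId;
        $this->permission = $permission;
        $this->products = $products;
    }

    // Shape reported in the finding: role permission checked, ownership not.
    // The URL-supplied $id is used directly, so any product is writable.
    public function update_vulnerable(int $id, array $data): string
    {
        if (!in_array('updateProduct', $this->permission, true)) {
            return 'forbidden';
        }
        $product = $this->products[$id] ?? null;
        if ($product === null) {
            return 'not found';
        }
        $this->products[$id] = array_merge($product, $data);
        return 'updated';
    }

    // Hardened: after the permission check, the loaded record's user_id is
    // compared (strictly) against the session user before any write.
    public function update_hardened(int $id, array $data): string
    {
        if (!in_array('updateProduct', $this->permission, true)) {
            return 'forbidden';
        }
        $product = $this->products[$id] ?? null;
        if ($product === null) {
            return 'not found';
        }
        if (!$this->ownsResource($product)) {
            // Same response as a missing record, so the caller cannot learn
            // whether the id exists; log server-side for detection.
            error_log(sprintf('ownership check failed: user %d, product %d, owner %d',
                $this->currentUserId, $id, (int) $product['user_id']));
            return 'not found';
        }
        // Never let the request body rewrite ownership or role fields
        // (the same class of problem as the Users::setting group parameter).
        unset($data['user_id'], $data['group']);
        $this->products[$id] = array_merge($product, $data);
        return 'updated';
    }

    private function ownsResource(array $resource): bool
    {
        // Strict comparison after an explicit cast avoids PHP's loose == juggling.
        return isset($resource['user_id'])
            && (int) $resource['user_id'] === $this->currentUserId;
    }

    public function getProduct(int $id): ?array
    {
        return $this->products[$id] ?? null;
    }
}

// Constructed sample data: user 7 owns product 1, user 9 owns product 2.
$products = [
    1 => ['id' => 1, 'user_id' => 7, 'name' => 'Widget'],
    2 => ['id' => 2, 'user_id' => 9, 'name' => 'Gadget'],
];
$ctrl = new Products_Example(7, ['updateProduct'], $products);

echo $ctrl->update_vulnerable(2, ['name' => 'Renamed']), PHP_EOL; // foreign record modified
echo $ctrl->update_hardened(2, ['name' => 'Renamed']), PHP_EOL;   // refused as not found
echo $ctrl->update_hardened(1, ['name' => 'Widget v2']), PHP_EOL; // own record updated
```

The same `ownsResource` check applies unchanged to the order, user, category, store and attribute update paths listed in the findings, and to read-only handlers such as printDiv and the AJAX lookups: load the record by id, compare its owner to the session user, and only then act on it.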