BOPLA - Excessive Data Exposure on Order Details
TaintedPort
Vuln ID: TP-024
Title: BOPLA - Excessive Data Exposure on Order Details
Severity: High
Type: Data Exposure
HTTP Method: GET
URL: /orders/:id
Parameter: id
Filename: -
Code Location: backend/api/models/Order.php lines 99-101

Description:
The order detail endpoint JOINs the orders table with the users table and copies the owner's password_hash, totp_secret and is_admin flag into the response. The password hash enables offline cracking, the TOTP secret lets an attacker generate valid second-factor codes for that account, and the admin flag identifies which owners are privileged accounts worth targeting.

Proof of Concept:
GET /orders/1 returns the order together with owner_password_hash and owner_totp_secret in the response body.

Remediation:
SELECT only the owner fields needed for display (name, email) and never return password_hash, totp_secret or is_admin. Serialize the response through an explicit allow-list of fields rather than echoing the raw joined row, so a later query change cannot silently reintroduce the exposure.
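The following is an added example, not TaintedPort's own code: it reproduces the exposure pattern described for Order.php beside a hardened version, using an in-memory SQLite database so it runs stand-alone. The table layout, column names and the `getOrderVulnerable`/`getOrderSafe`/`leakedSensitiveKeys` functions are assumptions modelled on the finding, not the project's real schema or API.

```php
<?php
// Added example (not TaintedPort's code). Schema, rows and function names are
// hypothetical, built from the column names quoted in the finding.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// Constructed schema and sample data so the example runs offline.
$pdo->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY, name TEXT, email TEXT,
    password_hash TEXT, totp_secret TEXT, is_admin INTEGER)');
$pdo->exec('CREATE TABLE orders (
    id INTEGER PRIMARY KEY, user_id INTEGER, total REAL, status TEXT)');
$pdo->exec("INSERT INTO users VALUES
    (1, 'Alice', 'alice@example.com', '\$2y\$10\$constructedhash', 'JBSWY3DPEHPK3PXP', 1)");
$pdo->exec("INSERT INTO orders VALUES (1, 1, 42.50, 'shipped')");

// VULNERABLE: the JOIN pulls the owner's credential columns into the row that
// the handler then serializes as-is. The exact query in Order.php is not on the
// page; this reproduces the exposure the finding describes.
function getOrderVulnerable(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare(
        'SELECT o.*, u.name AS owner_name, u.email AS owner_email,
                u.password_hash AS owner_password_hash,
                u.totp_secret AS owner_totp_secret,
                u.is_admin AS owner_is_admin
         FROM orders o JOIN users u ON u.id = o.user_id
         WHERE o.id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetch() ?: null;
}

// HARDENED: select only display fields, then pass the row through an explicit
// allow-list so a future "SELECT *" cannot reintroduce sensitive columns.
const ORDER_RESPONSE_FIELDS = ['id', 'total', 'status', 'owner_name', 'owner_email'];

function getOrderSafe(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare(
        'SELECT o.id, o.total, o.status, u.name AS owner_name, u.email AS owner_email
         FROM orders o JOIN users u ON u.id = o.user_id
         WHERE o.id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch();
    if ($row === false) {
        return null;
    }
    // Keep only allow-listed keys, whatever the query happened to return.
    return array_intersect_key($row, array_flip(ORDER_RESPONSE_FIELDS));
}

// Regression check for this finding: list any response keys that carry a
// sensitive column name (catches aliased variants such as owner_password_hash).
function leakedSensitiveKeys(array $response): array
{
    $sensitive = ['password_hash', 'totp_secret', 'is_admin'];
    $leaked = [];
    foreach (array_keys($response) as $key) {
        foreach ($sensitive as $marker) {
            if (str_contains((string) $key, $marker)) {
                $leaked[] = $key;
            }
        }
    }
    return $leaked;
}

echo "vulnerable leaks: ", json_encode(leakedSensitiveKeys(getOrderVulnerable($pdo, 1))), "\n";
echo "hardened leaks:   ", json_encode(leakedSensitiveKeys(getOrderSafe($pdo, 1))), "\n";
echo "hardened body:    ", json_encode(getOrderSafe($pdo, 1)), "\n";
```

Run with `php example.php` (PHP 8 or later for `str_contains`). The allow-list in `getOrderSafe` is the part worth carrying into a real fix: restricting the SELECT is necessary, but filtering the serialized row is what keeps the endpoint safe when someone later widens the query. `leakedSensitiveKeys` can be wired into an API test against the live /orders/:id response to keep TP-024 from regressing.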