AlegroCart open source E-commerce

Security Modification to Admin User.


Postby Brent » Wed Feb 03, 2010 7:23 am

There have been recent posts on security sites regarding the vulnerability of AlegroCart to cross-site scripting to change the admin password. :o

Yes, it is possible: if you are logged in as admin and you go to a site link that has the proper HTML form to modify your admin password, it could happen. :?:

This modification will prevent that situation. It has two parts.
It checks that the referer, which is where the form is submitted from, is the same as your domain.

The form now has an MD5 validation field, which is compared to the validation field held in a session. NO match, No Update. :D
This validation field is changed every time the form is requested and deleted when the form is processed.
This security modification applies to add, update, and delete users.

The attached zip has three replacement files.
These will be included in Version 1.2.
Attachments
securityupload.zip
(6 KiB) Downloaded 470 times
Brent
Site Admin
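A minimal PHP sketch of the two checks described in the post above (referer host must match the site's host, and a single-use validation field held in the session must match the submitted one), added here as an example; it is not code from the attached zip or from AlegroCart, and the function names and the session/server arrays passed as arguments are assumptions so it can run from the command line.

```php
<?php
// Added example, not AlegroCart's code. Session and request data are passed in as
// plain arrays (assumption) so the checks can be exercised without a web server.

// Issue a fresh validation field every time the form is requested. The previous
// value is overwritten, so a token copied from an older form no longer matches.
function issueAdminFormToken(array &$session): string
{
    // 32 hex characters like an MD5 digest, but derived from CSPRNG output.
    $token = md5(random_bytes(16));
    $session['admin_form_token'] = $token;
    return $token;
}

// Check 1: the page the form was submitted from must be on our own host.
// A missing or unparsable Referer is refused rather than assumed to be ours.
function refererMatchesHost(?string $referer, string $ourHost): bool
{
    if ($referer === null || $referer === '') {
        return false;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $ourHost) === 0;
}

// Check 2: the submitted validation field must equal the one held in the session.
// The session copy is deleted whether or not it matches, so each token is single-use.
function tokenMatchesSession(array &$session, ?string $submitted): bool
{
    $expected = $session['admin_form_token'] ?? null;
    unset($session['admin_form_token']);
    if (!is_string($expected) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($expected, $submitted); // constant-time comparison
}

// Both checks must pass before an add, update or delete of an admin user is applied.
function verifyAdminFormRequest(array &$session, array $post, ?string $referer, string $ourHost): bool
{
    $refererOk = refererMatchesHost($referer, $ourHost);
    $tokenOk   = tokenMatchesSession($session, $post['validation'] ?? null); // always consumes the token
    return $refererOk && $tokenOk;
}

// Constructed walk-through: a legitimate submission, then a forged one from another origin.
$session = [];
$token = issueAdminFormToken($session);
var_dump(verifyAdminFormRequest($session, ['validation' => $token], 'https://shop.example/admin/user.php', 'shop.example'));
issueAdminFormToken($session);
var_dump(verifyAdminFormRequest($session, ['validation' => 'guess'], 'https://other.example/page.html', 'shop.example'));
```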
