Security Modification to Admin User.

Enter AlegroCart Bugs Here, but if you're not certain, post in General support first.
Brent
Site Admin
Posts: 4459
Joined: Sat Dec 12, 2009 3:35 pm
Location: Canada eh


Post by Brent » Wed Feb 03, 2010 7:23 am

There have been recent posts on security sites regarding a vulnerability of AlegroCart to site cross scripting to change the admin password. :o

Yes, it is possible: if you are logged in as admin and you go to a site link that has the proper HTML form to modify your admin password, it could happen. :?:

This modification will prevent that situation. It has two parts.
It checks that the referer, which is where the form is submitted from, is the same as your domain.

The form now has an MD5 validation field, which is compared to the validation field held in a session. NO match, No Update. :D
This validation field is changed every time the form is requested and deleted when the form is processed.
This security modification applies to add, update, and delete users.

The attached zip has three replacement files.
These will be included in Version 1.2.
Attachments
securityupload.zip
(6 KiB) Downloaded 688 times
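The two-part check described in the post, as an added PHP example (not AlegroCart's own code from the attached zip): a per-request MD5 token held in the session and deleted when the form is processed, plus a check that the referer host matches your own domain. Function names, the `form_token` field name and the sample host are assumptions.

```php
<?php
// Added example: one-time form token in the session plus referer host check.
// Not AlegroCart code; names and the sample request below are constructed.

session_start();

// Issue a fresh token every time the form is rendered and keep it in the session.
function issue_form_token(): string {
    // The post uses an MD5 value; random_bytes() is a stronger source on PHP 7+.
    $token = md5(uniqid((string) mt_rand(), true));
    $_SESSION['form_token'] = $token;
    return $token;
}

// Part 1: the Referer host must equal our own host. A missing referer is
// rejected here (assumption: the post does not say how that case is treated).
function referer_matches_host(?string $referer, string $ownHost): bool {
    if ($referer === null || $referer === '') {
        return false;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $ownHost) === 0;
}

// Part 2: submitted token must match the session token. The token is removed
// whether or not it matches, so one rendered form allows one submission.
function consume_form_token(?string $submitted): bool {
    $expected = $_SESSION['form_token'] ?? null;
    unset($_SESSION['form_token']);
    return is_string($expected) && is_string($submitted)
        && hash_equals($expected, $submitted);
}

// Both parts must pass before add/update/delete of a user is allowed.
function request_is_authorised(array $server, array $post, string $ownHost): bool {
    return referer_matches_host($server['HTTP_REFERER'] ?? null, $ownHost)
        && consume_form_token($post['form_token'] ?? null);
}

// Rendering the admin-user form:
// echo '<input type="hidden" name="form_token" value="'
//    . htmlspecialchars(issue_form_token()) . '">';

// Constructed demo: first submission passes, a replay of the same token fails.
$t   = issue_form_token();
$req = ['HTTP_REFERER' => 'https://shop.example/admin/user'];
$ok  = request_is_authorised($req, ['form_token' => $t], 'shop.example');
$bad = request_is_authorised($req, ['form_token' => $t], 'shop.example');
var_dump($ok, $bad);
```

In a live handler, compare against `$_SERVER['HTTP_HOST']` with any port stripped, and expect some browsers to omit the Referer header, which this check treats as a failed submission.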
