
Security Modification to Admin User.

Posted: Wed Feb 03, 2010 7:23 am
by Brent
There have been recent posts on security sites regarding a vulnerability in AlegroCart to cross-site scripting to change the admin password. :o

Yes, it is possible: if you are logged in as admin and you go to a site link that has the proper HTML form to modify your admin password, it could happen. :?:

This modification will prevent that situation. It has two parts.
It checks that the referer, which is where the form is submitted from, is the same as your domain.

The form now has an MD5 validation field, which is compared to the validation field held in a session. No match, no update. :D
This validation field is changed every time the form is requested and deleted when the form is processed.
This security modification applies to add, update, and delete users.

The attached zip has three replacement files.
These will be included in Version 1.2.
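The two checks described in the post, as an added example that is not AlegroCart's code and not taken from the attached zip: it is written in Python rather than the project's PHP so that it can be run stand-alone, and the session is simulated as a plain dictionary. The site host `shop.example.com`, the session key `admin_form_token`, the form field name `validation` and the function names are all assumptions made for this example. The token is generated as the MD5 of random bytes to mirror the post's "MD5 validation field"; the hash itself adds no security, the unpredictable random input is what matters. One caveat a practitioner should keep in mind: browsers and proxies sometimes strip the Referer header, so a strict referer check can reject legitimate submissions; here a missing Referer is treated as a mismatch (an assumption), and the per-request session token is the check that actually stops the attack.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple
from urllib.parse import urlparse

# Assumed for this example: the host the admin interface is served from.
SITE_HOST = "shop.example.com"
# Assumed session key and form field name (not the project's real names).
TOKEN_KEY = "admin_form_token"
FORM_FIELD = "validation"


def issue_token(session: Dict[str, str]) -> str:
    """Called every time the admin-user form is rendered.

    A fresh, unpredictable value is stored in the server-side session and
    returned for embedding as a hidden form field. Rendering the form again
    replaces the previous value, so only the most recently issued token is valid.
    """
    # MD5 of 32 random bytes, to match the post's "MD5 validation field".
    # The randomness from secrets is what makes the token unguessable.
    token = hashlib.md5(secrets.token_bytes(32)).hexdigest()
    session[TOKEN_KEY] = token
    return token


def referer_matches_site(headers: Dict[str, str], site_host: str = SITE_HOST) -> bool:
    """Part one: the Referer host must equal the site's own domain.

    The host is taken from a parsed URL rather than a string prefix match, so
    "https://shop.example.com.evil.example/" is correctly rejected. A missing
    Referer is treated as a mismatch here (assumption; see caveat in the lead-in).
    """
    referer = headers.get("Referer")
    if not referer:
        return False
    host = urlparse(referer).hostname
    return host is not None and host.lower() == site_host.lower()


def validate_submission(session: Dict[str, str], headers: Dict[str, str],
                        form: Dict[str, str]) -> Tuple[bool, str]:
    """Part two: the submitted validation field must match the session token.

    The token is removed from the session as soon as the submission is
    processed, so each rendered form can be submitted at most once and a
    captured token cannot be replayed.
    """
    if not referer_matches_site(headers):
        return False, "referer does not match site domain"

    # Delete on processing: pop() removes the token whether or not it matches.
    expected = session.pop(TOKEN_KEY, None)
    submitted = form.get(FORM_FIELD, "")
    if expected is None:
        return False, "no validation token in session"
    # Constant-time comparison on bytes; mismatched lengths simply compare unequal.
    if not hmac.compare_digest(expected.encode("ascii"), submitted.encode("utf-8")):
        return False, "validation field does not match session"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Three constructed scenarios: a legitimate update, a replay, and a forged form."""
    results = {}
    own_site = {"Referer": "https://shop.example.com/admin/users"}

    # 1. Admin loads the form, then submits it with the issued token.
    session: Dict[str, str] = {}
    token = issue_token(session)
    results["legitimate"] = validate_submission(session, own_site, {FORM_FIELD: token})

    # 2. The same token is submitted a second time: it was deleted on first use.
    results["replay"] = validate_submission(session, own_site, {FORM_FIELD: token})

    # 3. Attacker-hosted page auto-submits a password-change form. The admin is
    #    logged in, but the Referer is the attacker's domain and the attacker
    #    cannot read the token held in the victim's session.
    session = {}
    issue_token(session)
    forged = {FORM_FIELD: "0" * 32}
    results["forged_referer"] = validate_submission(
        session, {"Referer": "https://evil.example/pwn.html"}, forged)
    results["forged_token"] = validate_submission(session, own_site, forged)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15s} accepted={outcome[0]!s:5s} reason={outcome[1]}")
```

Because the token is popped on every processed submission, a failed attempt also invalidates the current form, which is the intended "changed every time the form is requested and deleted when the form is processed" behaviour: the admin simply reloads the form to get a new token.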