Patch for Admin Privilege Escalation issue in v1.5.0 to v1.5.5 (fixed in v1.5.5a)
It has come to our attention that Zen Cart v1.5.0 through v1.5.5 (before v1.5.5a) contained an admin privilege escalation issue: a logged-in admin user could, by manipulating the admin account page (admin_account.php, the file replaced by this patch), change the permissions of their own user profile and so grant themselves access beyond what their assigned admin profile allows.
This only poses a risk when multiple admin users exist AND some of them have been assigned a profile that restricts their privileges by denying access to certain admin sections ... AND one of those restricted admins wants to change settings or view data they have been restricted from (the same applies if a restricted admin account is taken over by someone who does). A store with a single, unrestricted admin account is not exposed by this issue, but any store that relies on restricted admin profiles should apply the fix.
The fix is simple: copy the v1.5.5a version of /admin/admin_account.php over your existing /(your-renamed-admin)/admin_account.php file, substituting your store's actual (renamed) admin directory. Back up the existing file first so the change can be reverted if needed.
File is attached below for convenience.
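The replacement step above, written out as a small shell function with the checks a careful administrator would want: it refuses to run if either file is missing (so a mistyped admin directory name cannot leave a stray copy), keeps a timestamped backup of the old file, and verifies the result byte-for-byte. This is an added example, not a script shipped by Zen Cart or part of the announcement; the two paths it takes are arguments you supply for your own install.

```shell
#!/bin/sh
# Added example (not from the Zen Cart announcement or the Zen Cart project):
# install the v1.5.5a admin_account.php into a renamed admin directory with a
# backup and a byte-for-byte verification. Both paths are assumptions supplied
# by the caller.
#
# usage: replace_admin_account <path-to-v155a-admin_account.php> <your-admin-dir>
replace_admin_account() {
    new_file="$1"
    admin_dir="$2"
    target="$admin_dir/admin_account.php"

    # Require both files to exist: a typo in the renamed admin directory must
    # fail loudly rather than create an admin_account.php somewhere new.
    [ -f "$new_file" ] || { echo "replacement not found: $new_file" >&2; return 1; }
    [ -f "$target" ]   || { echo "target not found: $target" >&2; return 1; }

    # Nothing to do if the patched file is already in place.
    if cmp -s "$new_file" "$target"; then
        echo "already up to date: $target"
        return 0
    fi

    # Keep the old file so the change can be reverted.
    backup="$target.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$target" "$backup" || return 1

    # Copying over the existing file keeps its ownership and mode, which the
    # web server relies on; do not rm it first.
    cp "$new_file" "$target" || return 1

    # Do not report success until the installed file matches the source.
    cmp -s "$new_file" "$target" || { echo "verification failed: $target" >&2; return 1; }
    echo "replaced $target (backup: $backup)"
}
```

Run it as `replace_admin_account ./admin_account.php /var/www/store/myadmin` (paths are examples), then log in to the admin area and confirm that restricted profiles still behave as expected. If you run it twice it simply reports that the file is already up to date.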
To be clear: This issue is already fixed in Zen Cart v1.5.5a.
Credits to Sachin Wagh of secur1tyadvisory.wordpress.com for responsible disclosure and working with us to understand the issue.