Results 1 to 1 of 1
  1. #1
    Join Date
    Jan 2004
    Posts
    64,748
    Blog Entries
    6
    Plugin Contributions
    74

    Default Patch for Admin Privilege Escalation issue in v150-v155 (fixed in v155a)

    It has come to our attention that there existed a potential admin privilege escalation issue whereby logged-in admin users of v1.5.0-to-v1.5.5 (before v1.5.5a) could change their own user profile permissions if they engaged in some hackery.

    This only posed a risk when multiple admin users exist AND some have been assigned a profile restricting their privileges to disallow access to certain admin sections ... AND they have some malicious desire to gain access to changing settings or viewing data against which they've been restricted.

    The fix is simple: copy the v155a version of /admin/admin_account.php to replace your existing /(your-renamed-admin)/admin_account.php file.

    File is attached below for convenience.

    To be clear: This issue is already fixed in Zen Cart v1.5.5a.



    Credits to Sachin Wagh of secur1tyadvisory.wordpress.com for responsible disclosure and working with us to understand the issue.
    Attached Files Attached Files
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

 

 

Similar Threads

  1. v155 [Done v155a] Admin, alt_nav not working
    By torvista in forum Bug Reports
    Replies: 13
    Last Post: 3 Nov 2016, 07:26 PM
  2. Replies: 8
    Last Post: 7 Apr 2016, 05:13 AM
  3. Replies: 1
    Last Post: 30 Mar 2016, 08:21 PM
  4. v150 V150 - PHP 5.4 issue - Edit Order Button Not Working
    By inklingsolutions in forum General Questions
    Replies: 8
    Last Post: 8 Feb 2016, 05:26 PM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
disjunctive-egg
Zen-Cart, Internet Selling Services, Klamath Falls, OR