
Thread: Extreme security problem

  1. #1
    Client
    Join Date
    Aug 2009
    Location
    Los Angeles
    Posts
    8
    Squirrelcart version
    v3.2.0

    Extreme security problem

    I am running Squirrelcart version 3.0.2.
    I log in with my administrator ID and password to edit store items or do other administrative work. While still logged on with my admin ID, I then go to another physical computer, go to the store front and look at items, and I get information that I am logged on as "xxxx" user (where "xxxx" can be any user who is currently in the store and purchasing products). I can see the other user's cart; also, on the page I am looking at, the product headings have an "[edit]" next to the title. If I click on the [edit] button I can then get into the control panel and make any changes I want to. THIS IS SCARY, because ANY user can make changes in the store records or database. I also tried this with my work partner, who lives 70 miles away from me; he got the same results on his computer. Has anyone suffered the same problem, and is there a solution, other than the extreme solution of using another product?

  2. #2
    Squirrelcart Staff Jamie
    Join Date
    May 2002
    Posts
    6,719
    Squirrelcart version
    v3.3.7
    If you want us to investigate this, you should open a helpdesk ticket. There are no bugs in Squirrelcart that would cause this behavior.

    It sounds like you posted a link containing a session ID for your active session which would allow anyone following that link to use that same session. That would happen in any PHP based application. Session IDs should never be shared or posted.

    Without access to your site via a helpdesk ticket I have no way of verifying that guess.

  3. #3
    Squirrelcart Staff Jamie
    Join Date
    May 2002
    Posts
    6,719
    Squirrelcart version
    v3.3.7
    Update:
    I just looked up your storefront URL, and took a look at your storefront page in Firefox. You have session IDs appearing in some of your links, but not all. That inconsistency is not possible unless those session IDs were pasted by someone.

    Some of those session IDs are different. That makes no sense either as *if* the session IDs were being added to maintain an active session, they would be all the same. You would never see 2 or more different session IDs at the end of URLs like your site is showing.

    This definitely looks like a case of someone pasting URLs containing session IDs.

    Again, if you have an "Extreme security problem" it would probably make sense to contact support via our helpdesk.
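The two observations above (session IDs on only some links, and several different IDs on one page) can be turned into a quick page audit. The script below is an added example, not Squirrelcart code or anything from this thread; the HTML fragment is constructed, and the parameter names other than PHP's default PHPSESSID are assumed variants.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Query-string keys that commonly carry a session ID in a URL. PHPSESSID is
# PHP's default session name; the other names are assumed variants.
SESSION_PARAMS = {"phpsessid", "sid", "sessionid", "session_id"}


class LinkCollector(HTMLParser):
    """Collect every <a href> and <form action> target in a page."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        wanted = {"a": "href", "form": "action"}.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.targets.append(value)


def session_ids_in(url):
    """Return the session-ID values found in one URL's query string."""
    query = parse_qs(urlsplit(url).query)
    return [v for k, vals in query.items() if k.lower() in SESSION_PARAMS for v in vals]


def audit_page(html):
    """Classify a page by how session IDs appear in its links."""
    parser = LinkCollector()
    parser.feed(html)
    tagged = [(url, session_ids_in(url)) for url in parser.targets]
    with_id = [url for url, ids in tagged if ids]
    distinct = {sid for _, ids in tagged for sid in ids}
    if not with_id:
        verdict = "clean"
    elif len(with_id) == len(tagged) and len(distinct) == 1:
        # Every link carries the same ID: looks like PHP's URL session
        # propagation (session.use_trans_sid), which should be turned off.
        verdict = "trans_sid"
    else:
        # Only some links carry an ID, or several different IDs appear:
        # consistent with pasted URLs, not with one live session.
        verdict = "pasted_ids"
    return {"links": len(tagged), "with_id": len(with_id),
            "distinct_ids": len(distinct), "verdict": verdict}


# Constructed storefront fragment for the demo, not a real page.
SAMPLE_HTML = """
<a href="/store/index.php?crn=12">Widgets</a>
<a href="/store/index.php?crn=12&PHPSESSID=aaaa1111">Gadgets</a>
<a href="/store/index.php?crn=15&PHPSESSID=bbbb2222">Gizmos</a>
<form action="/store/cart.php"></form>
"""

if __name__ == "__main__":
    print(audit_page(SAMPLE_HTML))
```

A "pasted_ids" verdict means the fix is editorial (remove the IDs from the stored links), while "trans_sid" points at PHP session configuration; either way, a session ID that has appeared in a URL should be treated as leaked.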
