Security hole in affiliate module


g00dgirl

I have the affiliate module on OSC 2.2 MS1.

One affiliate reported that they can no longer log in. Upon investigation their affiliate ID / account had all the data changed to another person's name and details, including payment details.

A monthly payment of 15.000 to 20.000 dollars could have accidentally gone to the wrong person, it is quite serious.

The integrity of all our affiliate accounts is destroyed at this stage, pay day coming closer a bit of a worry!

There is some bug that allows anyone to gain access to any affiliate account and change the details. Someone did it.

I tried to search +affiliate +security +bug but no luck and also tried Google, does anyone know about this or can anyone imagine how this could be possible?

Would it be some kind of session poisoning or could it be something more simple even??

Help appreciated!


> I have the affiliate module on OSC 2.2 MS1.
>
> One affiliate reported that they can no longer log in. Upon investigation their affiliate ID / account had all the data changed to another person's name and details, including payment details.
>
> A monthly payment of 15.000 to 20.000 dollars could have accidentally gone to the wrong person, it is quite serious.
>
> The integrity of all our affiliate accounts is destroyed at this stage, pay day coming closer a bit of a worry!
>
> There is some bug that allows anyone to gain access to any affiliate account and change the details. Someone did it.
>
> I tried to search +affiliate +security +bug but no luck and also tried Google, does anyone know about this or can anyone imagine how this could be possible?
>
> Would it be some kind of session poisoning or could it be something more simple even??
>
> Help appreciated!

Maybe upgrade to the latest package and perhaps migrate over to MS2...

Check for cross scripting ability.
