I found a Huge Security Flaw In it today !
I have myself and my wife both setup as admins …
she used the refer a friend feature on a product and sent it to my email address
to see how it worked …
when i got the email i clicked the link and it showed me the product…
however when i when i added it to my cart and went to checkout i noticed that i was now logged in as her .
i have never logged in as her on this system . and she has never used this system.
then we noticed …
that when i logged into the admin it was loging me in as her in the admin panel …
then when she would login it would kick me off…
tried deleteing cookies still no help
removed the cache from server still no help .
I had to delete her username completly and recreate
before they would stop confusing each other …
it seems that the link sent in my email has her
session id in the email…
this is huge …
Waiting for someone to confirm this huge thing!
[quote name=‘joe’]Waiting for someone to confirm this huge thing![/QUOTE]
Why wait? Try it yourself. No, I haven’t confirmed/tried it.
[quote name=‘Tool Outfitters’]Why wait? Try it yourself. No, I haven’t confirmed/tried it.[/QUOTE]
I don’t have so many computers, thanks…
This is no bug.
Your wife and you have admin account but both use one pc i guess?
I was loggen in, sent a “send to friend” and this is what system sends
Domain.com
There is absolutly nothing that can help you login unless you did not logout from last time.
Same here…no session information sent.
Bob
[quote name=‘joe’]I don’t have so many computers, thanks…[/QUOTE]
You don’t need a second computer, you can use a second browser since cookies and such are not shared between them.
Bob
we do not use the same computer …
she has never used my system …
also i sent a item using send to friend and my brother
which is 20 miles away
was able to checkout using my userid instead of his
the refer a friend links are formatted like so …
/index.php?dispatch=products.view&product_id=xxxxxx&cs_sessid=dfd5d51ef7279e070a1010ef00d19edeI am not sure why you are having this problem as I do not. Below is email that I receive from the "Send to friend"option:
Hello Test for session ID,
Your friend has recommended this page to you. Please follow the link:
http://XXXXXXXXXX/XXXXXXX/index.php?dispatch=products.view&product_id=817
Notes:
100% Cotton Adult/Youth Beefy T-Shirt by Hanes (Style# 5180)
Thank you for using our shopping cart.
What version of CS-Cart? Have you made any mods?
Bob
[quote name=‘teksigns’]we do not use the same computer …
she has never used my system …
also i sent a item using send to friend and my brother
which is 20 miles away
was able to checkout using my userid instead of his
the refer a friend links are formatted like so …
/index.php?dispatch=products.view&product_id=xxxxxx&cs_sessid=dfd5d51ef7279e070a1010ef00d19ede[/QUOTE]
This is a huge problem then!
Here I complained also about similar problem
[url]http://forum.cs-cart.com/showthread.php?t=11444[/url]
[quote name=‘jobosales’]I am not sure why you are having this problem as I do not. Below is email that I receive from the "Send to friend"option:
Hello Test for session ID,
Your friend has recommended this page to you. Please follow the link:
http://XXXXXXXXXX/XXXXXXX/index.php?dispatch=products.view&product_id=817
Notes:
100% Cotton Adult/Youth Beefy T-Shirt by Hanes (Style# 5180)
Thank you for using our shopping cart.
What version of CS-Cart? Have you made any mods?
Bob[/QUOTE]
Do you have all 3 SSL checkboxes on in admin settings?
I couldn’t duplicate this problem either.
[quote name=‘Darius’]Do you have all 3 SSL checkboxes on in admin settings?[/QUOTE]
No - this is just a testing site with no SSL certificate for the site. That explains the difference.
This is a serious issue so I hope the developers address it quickly.
Bob
yes all three are checked