MockoB, posted July 19, 2018:
https://www.ambionics.io/blog/prestashop-privilege-escalation?utmsource=newsletter&utmmedium=email&utmcampaign=prestashop1741isnowavailable16bugfixesandmoredetails&utmterm=2018-07-18
Traumflug, posted July 19, 2018:
Not yet. Also not a big threat, because this exploit works only if a customer with a cart and an employee use the same password. To be safe, make sure this isn't the case. This exploit somehow (it's complicated!) manages to extract a password hash from a customer cookie, then uses this hash to assemble an employee cookie, which allows back office access. If there are no identical passwords, it doesn't work. Still, I plan to apply the fix, of course. Part of the fix is to remove Blowfish encryption (in favor of a safer encryption).
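The mitigation suggested above is to make sure no employee shares a password with any customer. The following is an added example, not code from the thread or from the thirty bees project, of how such a check can be done. It assumes (the thread does not say so) that, in the version under discussion, both customer and employee passwords are stored as md5(_COOKIE_KEY_ . password) in the `passwd` column of the customer and employee tables, so identical passwords yield identical stored hashes and a plain join on the `passwd` column finds them. The `tb_` table prefix, the table and column names, the cookie key and all e-mail addresses and passwords below are constructed for the example.

```python
import hashlib
from typing import Dict, Iterable, List, Tuple

Row = Tuple[str, str]  # (email, stored passwd hash), as read from the shop database


def legacy_password_hash(cookie_key: str, password: str) -> str:
    """Reproduce the assumed md5(_COOKIE_KEY_ . password) storage scheme.

    Because there is no per-user salt, two accounts with the same password
    end up with the same stored hash; that is what the cross-check relies on.
    """
    return hashlib.md5((cookie_key + password).encode("utf-8")).hexdigest()


# Equivalent check run directly against a live database. Table names assume the
# default thirty bees `tb_` prefix (assumption; adjust to your installation).
SHARED_HASH_SQL = """
SELECT c.id_customer, c.email AS customer_email,
       e.id_employee, e.email AS employee_email
FROM tb_customer c
JOIN tb_employee e ON e.passwd = c.passwd;
"""


def shared_password_hashes(customers: Iterable[Row],
                           employees: Iterable[Row]) -> List[Tuple[str, str]]:
    """Return (customer_email, employee_email) pairs whose stored hashes match.

    Indexes the customer hashes first so the comparison stays linear in the
    number of rows instead of comparing every customer with every employee.
    """
    by_hash: Dict[str, List[str]] = {}
    for email, passwd in customers:
        by_hash.setdefault(passwd, []).append(email)

    matches: List[Tuple[str, str]] = []
    for email, passwd in employees:
        for customer_email in by_hash.get(passwd, []):
            matches.append((customer_email, email))
    return matches


def demo() -> List[Tuple[str, str]]:
    """Run the check on constructed sample rows (not real accounts)."""
    cookie_key = "example-cookie-key"  # constructed; not a real _COOKIE_KEY_
    customers = [
        ("alice@example.com", legacy_password_hash(cookie_key, "correct horse")),
        ("bob@example.com", legacy_password_hash(cookie_key, "hunter2")),
    ]
    employees = [
        # Same password as the customer bob@example.com: this is the case the
        # post warns about, and the one the check must report.
        ("admin@example.com", legacy_password_hash(cookie_key, "hunter2")),
        ("ops@example.com", legacy_password_hash(cookie_key, "a different one")),
    ]
    return shared_password_hashes(customers, employees)


if __name__ == "__main__":
    for customer_email, employee_email in demo():
        print(f"shared password: customer {customer_email} / employee {employee_email}")
```

Any row the check reports means an employee password must be changed before the shop can be considered safe from the described cookie attack; the query can be re-run after the fix from the linked issue is applied, but it only detects reuse under the unsalted hash scheme assumed here.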
MockoB (author), posted July 19, 2018:
Thanks for the clarification, @Traumflug. Btw, thanks for supporting the project!
Traumflug, posted July 19, 2018:
https://github.com/thirtybees/thirtybees/issues/554