thirty bees forum

Is this exploit sorted in tb?



3 answers to this question


Not yet. Also not a big threat, because this exploit works only if a customer with a cart and an employee use the same password. To be safe, make sure this isn't the case.

This exploit somehow (it's complicated!) manages to extract a password hash from a customer cookie, then uses this hash to assemble an employee cookie, which allows back office access. If there are no identical passwords, it doesn't work.

Still, I plan to apply the fix, of course. Part of the fix is to remove Blowfish encryption (in favor of a safer encryption).
