From: MOD (br014c1155_at_blueyonder.co.uk)
Date: Thu Aug 15 2002 - 16:08:37 CDT

    www.organicphp.com
    php-affiliate-v1.0.zip

    PHP Affiliate allows you to promote your site with an affiliate program.
    When affiliates sign up to your site they display links and banners to your
    site, and in return you offer them a financial reward for every sale they
    bring. Requires PHP4 and MySQL.

    A vulnerability is present in details.php, a form for changing details about
    an affiliate's account. The user id is submitted to details2.php via a hidden
    field, so any user can change the field to another user and be able to edit
    their information.

    A fix may be to check the user is logged in with a valid session in
    details2.php:

      if (session_is_registered("valid_user"))

    and then to update the database with this:

      WHERE refid = '$HTTP_SESSION_VARS[valid_user]'

    This hasn't been tested.
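A details2.php update handler hardened along the lines the post suggests, added here as an example; it is not the post's own code nor code from PHP Affiliate. The table name `affiliates`, the `name`/`email` columns, the database credentials and PHP 7 with PDO are assumptions; only `refid` and the `valid_user` session key come from the post.

```php
<?php
// Added example (not from the original post or from PHP Affiliate): a
// details2.php-style update handler that ignores any client-supplied user id
// and keys the UPDATE on the id stored in the server-side session instead.
// Assumptions: a table named `affiliates` with columns refid, name, email
// (the post only names the refid column); PDO with MySQL; PHP 7+, so $_SESSION
// and PDO stand in for the PHP4-era session_is_registered()/$HTTP_SESSION_VARS
// named in the post.
session_start();

// The logged-in affiliate is identified only by the session, never by a hidden
// form field. An unauthenticated request gets no further.
if (empty($_SESSION['valid_user'])) {
    header('HTTP/1.1 403 Forbidden');
    exit('Please log in before editing your details.');
}
$refid = (int) $_SESSION['valid_user'];

// Only the fields an affiliate may edit about themselves are read from the
// form. A posted 'refid' (the hidden field in the vulnerable details.php) is
// deliberately never read.
$name  = trim($_POST['name']  ?? '');
$email = trim($_POST['email'] ?? '');
if ($name === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    exit('Name and a valid e-mail address are required.');
}

// Connection details are placeholders for this example.
$db = new PDO('mysql:host=localhost;dbname=affiliate_db', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// Parameterised query: the WHERE clause is bound to the session's refid, so a
// user can only ever update their own row, and no input is spliced into SQL.
$stmt = $db->prepare(
    'UPDATE affiliates SET name = :name, email = :email WHERE refid = :refid'
);
$stmt->execute([':name' => $name, ':email' => $email, ':refid' => $refid]);

if ($stmt->rowCount() === 1) {
    echo 'Details updated.';
} else {
    // Zero rows means the session points at a row that no longer exists;
    // worth logging, since it should not happen for a valid login.
    error_log("details2: no affiliate row for session refid $refid");
    echo 'No details were changed.';
}
```

The same pattern applies to any other page in the package that currently trusts a hidden user id: take the identity from the session, validate the editable fields, and bind the session id in the WHERE clause.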