
Securing A2billing admin data from customers and agents


A2billing versions below 1.9.4 have a security issue in the export feature. In those versions, the "cc_ui_authen" table can be exported using an agent login.

For example:

http://localhost/a2billing/agent/Public/export_csv.php?var_export=menu_section&var_export_type=type_xml&section=SELECT * FROM `cc_ui_authen`

This exports all of the admin login information.

So it's a major security issue. To prevent it, the following files need to be modified:

common/lib/admin.defines.php
common/lib/agent.defines.php
common/lib/customer.defines.php

In all of the above files we just need to change the following line:

$_SESSION["menu_section"] = $section;
to
$_SESSION["menu_section"] = intval($section);

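That's it, you're done 🙂 Because intval() reduces whatever is passed in section to an integer, the SQL text is never stored in the session, and an agent can no longer export admin information.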
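To confirm the change landed in all three files, a check like the following can be run against the A2billing root directory. This is an added example, not code from the original post or from A2billing; the function name check_menu_section and the tolerance for spacing and quote style are assumptions.

```shell
#!/bin/sh
# Added example (not A2billing code): report whether the menu_section
# assignment in each file named in the post is still the unpatched form.
# Exit status: 0 = all patched, 1 = at least one file still unpatched,
#              2 = a file is missing or the assignment was not recognised.

# Paths from the post, relative to the A2billing root directory.
A2B_FILES="common/lib/admin.defines.php
common/lib/agent.defines.php
common/lib/customer.defines.php"

# "." stands for either quote character around menu_section.
RAW_RE='\$_SESSION\[.menu_section.][[:space:]]*=[[:space:]]*\$section[[:space:]]*;'
FIXED_RE='\$_SESSION\[.menu_section.][[:space:]]*=[[:space:]]*intval\([[:space:]]*\$section[[:space:]]*\)[[:space:]]*;'

check_menu_section() {
    root=$1
    vulnerable=0
    unknown=0
    for rel in $A2B_FILES; do
        file="$root/$rel"
        if [ ! -f "$file" ]; then
            echo "MISSING     $rel"
            unknown=1
        elif grep -Eq "$RAW_RE" "$file"; then
            # The raw form wins even if a patched copy of the line also exists.
            echo "VULNERABLE  $rel"
            vulnerable=1
        elif grep -Eq "$FIXED_RE" "$file"; then
            echo "PATCHED     $rel"
        else
            echo "UNKNOWN     $rel (assignment not found, review by hand)"
            unknown=1
        fi
    done
    [ "$vulnerable" -eq 0 ] || return 1
    [ "$unknown" -eq 0 ] || return 2
    return 0
}

# Run against the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then
    check_menu_section "$1"
fi
```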

Note: Inextrix is not associated with A2billing directly.