Securing a2billing admin data from customers and agent

In A2billing version below 1.9.4 having security issue in export. In that versions we are able to export “cc_ui_authen” table information using agent login. For example: http://localhost/a2billing/agent/Public/export_csv.php?var_export=menu_section&var_export_type=type_xml&section=SELECT * FROM `cc_ui_authen` This will export all information of admin login. So it's one of major security issue. To prevent this issue we need modification in following files: common/lib/admin.defines.php common/lib/agent.defines.php common/lib/customer.defines.php In all of above files we just need to change following line: $_SESSION["menu_section"] = $section; to $_SESSION["menu_section"] = intval($section); That's it you done :) Now, It will not allow agent to export admin information. Note: Inextrix is not associated with A2billing directly.