A2billing versions below 1.9.4 have a security issue in the export function: in those versions, an agent login can export the contents of the "cc_ui_authen" table.
For example:
http://localhost/a2billing/agent/Public/export_csv.php?var_export=menu_section&var_export_type=type_xml&section=SELECT * FROM `cc_ui_authen`
This exports all of the admin login information.
This is a major security issue. To prevent it, the following files need to be modified:
common/lib/admin.defines.php
common/lib/agent.defines.php
common/lib/customer.defines.php
In each of the above files, change the following line:
$_SESSION["menu_section"] = $section;
to
$_SESSION["menu_section"] = intval($section);
That's it, you're done 🙂 An agent can no longer export admin information.
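The following is an added example (not A2billing's own code) showing why the one-line intval() change closes the hole, and a stricter variant that rejects non-numeric input instead of silently mapping it to section 0. The function names, the $request array and the stricter filter_var() check are assumptions; only the intval() fix itself comes from the post.

```php
<?php
// Added example, not A2billing code. Function names and the $request array
// are hypothetical; only the intval() line is the fix from the post.

// Vulnerable pattern: the raw request value is stored in the session and is
// later dropped unchanged into the export query, so a string such as
// "SELECT * FROM `cc_ui_authen`" becomes part of the SQL.
function store_section_vulnerable(array $request): void
{
    $_SESSION['menu_section'] = $request['section'] ?? '';
}

// Fixed pattern from the post: intval() coerces the value to an integer.
// A string that does not start with digits becomes 0, so it can no longer
// carry SQL into the query.
function store_section_fixed(array $request): void
{
    $_SESSION['menu_section'] = intval($request['section'] ?? 0);
}

// Stricter variant (assumption, not from the post): reject anything that is
// not a non-negative integer outright instead of silently using section 0,
// so the export code can refuse the request and the attempt can be logged.
function store_section_strict(array $request): bool
{
    $raw = $request['section'] ?? '';
    $section = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($section === false) {
        return false; // caller should respond with an error, not export
    }
    $_SESSION['menu_section'] = $section;
    return true;
}

// Constructed request mimicking the report's URL: section carries SQL.
$_SESSION = [];
$request  = ['section' => 'SELECT * FROM `cc_ui_authen`'];

store_section_vulnerable($request);
echo 'vulnerable, type stored: ' . gettype($_SESSION['menu_section']) . PHP_EOL;

store_section_fixed($request);
echo 'intval fix, value stored: ' . var_export($_SESSION['menu_section'], true) . PHP_EOL;

$accepted = store_section_strict($request);
echo 'strict check accepted request: ' . var_export($accepted, true) . PHP_EOL;
```

With the vulnerable function a string reaches the session; with the intval() fix an integer is stored, and the strict variant refuses the request entirely.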
Note:
Inextrix is not directly associated with A2billing.