Securing a2billing admin data from customers and agent



March 4, 2016

A2billing versions below 1.9.4 have a security issue in the export feature. In those versions, an agent login can export the contents of the "cc_ui_authen" table.

For example:

http://localhost/a2billing/agent/Public/export_csv.php?var_export=menu_section&var_export_type=type_xml&section=SELECT * FROM `cc_ui_authen`

This will export all of the admin login information.

So it is a major security issue. To prevent it we need to modify the following files:

common/lib/admin.defines.php
common/lib/agent.defines.php
common/lib/customer.defines.php

In all of the above files we just need to change the following line:

$_SESSION["menu_section"] = $section;
to
$_SESSION["menu_section"] = intval($section);

That's it, you're done 🙂 Now an agent will no longer be able to export admin information, because the section value stored in the session can only ever be an integer.
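The following is an added example, not code from a2billing itself, showing what the one-line intval() change does to the request value before it reaches the session. The function names, the session array and the sample input are assumptions constructed for this illustration; the allow-list variant goes beyond the post's fix as an extra hardening step.

```php
<?php
// Added example (not a2billing's own code). Shows how the `section` request
// parameter is stored in the session before and after the fix described above.

// Constructed input, modelled on the URL quoted in the post.
$untrusted = 'SELECT * FROM `cc_ui_authen`';

// Vulnerable form: the raw request value is stored unchanged, so whatever
// text the agent supplied is what export_csv.php later sees.
function store_section_vulnerable(array &$session, string $section): void {
    $session['menu_section'] = $section;
}

// Fixed form (the change from the post): intval() forces an integer.
// Any string that does not start with digits collapses to 0, so no SQL
// text can survive into the session.
function store_section_fixed(array &$session, string $section): void {
    $session['menu_section'] = intval($section);
}

// Stricter variant (assumption, not part of the post): besides forcing an
// integer, only accept section ids the application actually knows about.
// Note that intval('12abc') still yields 12, while FILTER_VALIDATE_INT
// rejects such mixed strings outright.
function store_section_allowlisted(array &$session, string $section, array $known): bool {
    $id = filter_var($section, FILTER_VALIDATE_INT);
    if ($id === false || !in_array($id, $known, true)) {
        return false;               // reject and leave the session untouched
    }
    $session['menu_section'] = $id;
    return true;
}

$session = [];

store_section_vulnerable($session, $untrusted);
var_dump($session['menu_section']);   // the raw SQL string reaches the session

store_section_fixed($session, $untrusted);
var_dump($session['menu_section']);   // a non-numeric string becomes integer 0

store_section_fixed($session, '12abc');
var_dump($session['menu_section']);   // intval keeps only the leading digits

$known = [1, 2, 3, 12];               // constructed list of valid section ids
var_dump(store_section_allowlisted($session, $untrusted, $known)); // rejected
var_dump(store_section_allowlisted($session, '12', $known));       // accepted
```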

Note:

Inextrix is not associated with A2billing directly.
