Warning to anyone running CubeCart

Status
Not open for further replies.

davedave

New Member
Hi Guys,

There was a serious vulnerability discovered last week with the session management for administrator users in CubeCart. You can find full details of the vulnerability on the Acunetix blog. Basically you could bypass the session management and get full administrator access to any CubeCart sites.

CubeCart have fixed the issue in version 5.3.5 but they did not mention it in their release notes. My blog post on the matter has prompted them to apologise and post a notification on their website (but they still did not update their release notes!)

If you or any of your client sites are running CubeCart I'd strongly recommend updating to version 4.3.5 or else patching /classes/session/cc_admin_session.php.


Dave