Support A2Billing :

provided by Star2Billing S.L.

 Post subject: Security BUG!!!
PostPosted: Wed Oct 18, 2006 4:52 pm 
Joined: Wed Oct 18, 2006 4:48 pm
Posts: 3
In the user interface I can access Invoice by direct URL,

for example

http://sip.romb.net/invoices.php

After that I see the PIN number (card number) of all callers!!!


After that I make a call from a PSTN phone and the system adds my caller-id to any card number..

I call all the credit limit of any user....


BIG BIG BUG!


PostPosted: Wed Oct 18, 2006 9:57 pm 
Joined: Sun Jun 25, 2006 9:13 am
Posts: 183
Location: Germany
Add the following code at line 4 (A2BCustomer_UI - invoices.php):

Code:

// Abort before anything is queried or echoed: a visitor without rights is
// sent to the error page and nothing of the invoice list is output.
if (! has_rights(ACX_ACCESS)) {
    header("HTTP/1.0 401 Unauthorized");
    // Because a Location header follows, PHP replaces the 401 with a 302 redirect;
    // the die() below is what actually stops the page from leaking anything.
    header("Location: PP_error.php?c=accessdenied");
    die();
}



Last edited by mohan76 on Wed Oct 18, 2006 10:41 pm, edited 2 times in total.

PostPosted: Wed Oct 18, 2006 10:11 pm 
Joined: Tue Jun 20, 2006 3:23 pm
Posts: 153
Yes, "evgeniy" is right. It's possible to get the information of all calls just by the URL.

Please do it so at least "Increase security of the Admin interface with an htaccess".


I also have that code as "mohan76" said, but it's still possible to get all the information by the URL without logging into the admin site!!!


PostPosted: Wed Oct 18, 2006 10:33 pm 
Joined: Sun Jun 25, 2006 9:13 am
Posts: 183
Location: Germany
Robin,

The problem is only in the Customer interface.
Make sure you have logged out.

Mohan


PostPosted: Wed Oct 18, 2006 10:44 pm 
Joined: Mon May 29, 2006 7:07 pm
Posts: 287
Location: Denver
Hi, wow, thanks a lot.


PostPosted: Wed Oct 18, 2006 11:14 pm 
Joined: Tue Jun 20, 2006 3:23 pm
Posts: 153
mohan76 wrote:
Robin,

The problem is only in the Customer interface.
Make sure you have logged out.

Mohan


Hello mohan76,

Thank you very much, you are right.

I had the admin site logged in. If you log out then you cannot get that URL.

I also checked on another server with a different OS - you cannot get that URL without logging in to the admin site.

NOTE: This is a problem only with the Customer interface; copying and pasting the code as mohan76 said will solve the problem.


Last edited by Rabon on Sat Oct 21, 2006 12:01 pm, edited 2 times in total.
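As an added example (not code from this thread and not A2Billing's own), here is the guard from mohan76's snippet written as a reusable include for every customer-interface page, plus the per-invoice ownership check that the snippet does not cover, which goes beyond the thread's fix. The session key `card_id`, the function names, the include filename and the sample invoice record are assumptions; in A2Billing itself the rights test is the `has_rights(ACX_ACCESS)` call shown above.

```php
<?php
// Added example, not A2Billing code. Assumptions (not from the project):
// the customer UI keeps the logged-in card id in $_SESSION['card_id'];
// customer_auth_guard.php is a hypothetical include name; the $invoice array
// stands in for the row the page's own query returns.

declare(strict_types=1);

/**
 * True only when the customer interface itself established a session.
 * An admin-interface login (a separate session in this example) does not
 * count, which is the situation Rabon hit while testing: the page looked
 * protected only because his browser carried an admin session.
 */
function customer_is_authenticated(array $session): bool
{
    return isset($session['card_id'])
        && is_string($session['card_id'])
        && $session['card_id'] !== '';
}

/**
 * Deny before any query runs or any byte is echoed. A 303 redirect to the
 * error page is chosen explicitly: a 401 followed by a Location header, as in
 * the posted snippet, is rewritten to 302 by PHP anyway.
 */
function deny_access(string $reason = 'accessdenied'): void
{
    header('Location: PP_error.php?c=' . rawurlencode($reason), true, 303);
    exit;
}

/**
 * Ownership check: an authenticated customer may only see invoices of their
 * own card. Without this a logged-in customer could still read other cards'
 * PINs by editing an id in the URL, so the login check alone is not enough.
 */
function invoice_belongs_to(array $invoice, string $cardId): bool
{
    return isset($invoice['card_id']) && (string) $invoice['card_id'] === $cardId;
}

// --- What the top of invoices.php looks like with the guard in place ---
session_start();                                 // must precede any output
if (!customer_is_authenticated($_SESSION)) {
    deny_access();
}
$cardId = $_SESSION['card_id'];

// Constructed sample record, standing in for the page's own query result.
$invoice = ['id' => 42, 'card_id' => '1234567890', 'amount' => '3.50'];

if (!invoice_belongs_to($invoice, $cardId)) {
    deny_access();
}
// ... render the invoice for $cardId only; never list every card's invoices ...
```

The guard belongs at the very top of each customer page (before includes that query the database), and the query itself should be filtered by the session's card id rather than returning all invoices and hiding rows afterwards. When testing a fix like this, use a browser with no admin session, as the thread concludes, or the admin cookie will mask the result.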

PostPosted: Thu Oct 19, 2006 3:11 pm 
Joined: Sun Mar 12, 2006 2:49 pm
Posts: 954
Location: Barcelona
Damn sh*t !!!
We will try to release a fix for this soon.

