Re: Security issues with YSmods Voucher Plugin
- Thread starter adam
- Start date
Security issues with YSmods Voucher Plugin
Hello,
ysmods doesn't exists anymore, I know, but I must warn everybody who bought this plugin about some security flaws that I've found.
The plugin doesn't implement security checks in the payments. Resellers can tweak the html form and order any amount of vouchers with a 99% discount.
Resellers can also exploit the download feature to download vouchers from other resellers. The plugin creates a txt file on the server in the same folder with the same name to write the vouchers, without locks. If 2 resellers use this feature at the same time, one of them will see vouchers from the other. An automated script may exploit this by making 1 request per second, all day every day.
And what was the relation between ysmods and mfscripts anyway? What happened?
Hello,
ysmods doesn't exists anymore, I know, but I must warn everybody who bought this plugin about some security flaws that I've found.
The plugin doesn't implement security checks in the payments. Resellers can tweak the html form and order any amount of vouchers with a 99% discount.
Resellers can also exploit the download feature to download vouchers from other resellers. The plugin creates a txt file on the server in the same folder with the same name to write the vouchers, without locks. If 2 resellers use this feature at the same time, one of them will see vouchers from the other. An automated script may exploit this by making 1 request per second, all day every day.
And what was the relation between ysmods and mfscripts anyway? What happened?
- Jan 1, 1970
- 37
- 4
- 0
enricodias4654 said:
Do you mean this site?
/plugins/vouchers/site/index.php
I don't know which version do you have but my plugin store the codes at the DB
db » Select: plugin_vouchers
There are no textfiles stored at the server.
If you give me more details about this exploit i could fix the security issues.+
Best regards
The plugin has an option to download the codes. This download creates a txt file and write the codes on it. The problem is that the plugin creates the file with the same name and if 2 resellers use this function at the same time 2 php threads will write on the same file (no lock used) and one reseller will get the other reseller's vouchers.brainbreaker said:
This vulnerability can be exploited by creating a bot to use this function every second (or many times per second) and get the codes from other resellers.
To fix the issue, just prevent the plugin to write this file. It's possible to send the headers and the codes without writing it in a file.