bjohnson045 / phpMyDirectory

https://www.phpmydirectory.com
GNU General Public License v3.0
33 stars, 21 forks

Improper Access Control Vulnerability #7

Closed TowerForte closed 3 years ago

TowerForte commented 3 years ago

Open Bug Bounty has reported a vulnerability in the script.

Barrie

3viI commented 3 years ago

Can you provide the URL to the vulnerability report on the OBB website? I have a developer who is ready to fix this for my installations. I will be happy to share the update with the community.

TowerForte commented 3 years ago

https://www.openbugbounty.org/reports/1628025/ We have until 19 March 2021 04:25 GMT, when the vulnerability is made public.

ImChase commented 3 years ago

Hmm, I wish I could see specifically what the vulnerability is they found -- but obviously I don't own that site.

bjohnson045 commented 3 years ago

There are no technical details provided. If it's something with the core script then it can be patched, but it's also possible it's an isolated issue with that user's installation.

bjohnson045 commented 3 years ago

I suggest changing your admin folder names.

https://phpmydirectory.atlassian.net/wiki/spaces/PMDDOC/pages/10748067/Security+Tips?src=search

Then also add .htaccess password protection to the admin area:

https://help.dreamhost.com/hc/en-us/articles/216363187-Password-protecting-your-site-with-an-htaccess-file#htaccess

A lot of web hosts have an easy way to do this from their control panels.
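The .htaccess protection suggested above, written out as an added example (it is not code from the project or from the commenter). The document root, the private directory for the password file, and the renamed admin directory name are assumed values for illustration.

```apache
# .htaccess placed inside the renamed admin directory, e.g.
# /var/www/example.com/public/site-console-8f2k/  (assumed path and name)
# Requires AllowOverride AuthConfig (and Limit, for <Files>) on that directory.

AuthType Basic
AuthName "Restricted administration area"

# Keep the credential file OUTSIDE the document root so the web server can
# never serve it as a static file. Create it with bcrypt hashing, e.g.:
#   htpasswd -c -B /var/www/example.com/private/.htpasswd adminuser
AuthUserFile /var/www/example.com/private/.htpasswd

# Apache 2.4 syntax: every request to this directory needs a valid login.
Require valid-user

# Optional tightening: also restrict to a known management network
# (203.0.113.0/24 is a constructed, documentation-only range).
# <RequireAll>
#     Require valid-user
#     Require ip 203.0.113.0/24
# </RequireAll>

# Defence in depth: even if a .htpasswd ends up inside the web root, refuse to serve it.
<Files ".htpasswd">
    Require all denied
</Files>
```

This adds a second authentication layer in front of the application's own admin login, so a flaw in the script's access control is not reachable by an unauthenticated visitor who guesses the admin path.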