bjohnson045 / phpMyDirectory

https://www.phpmydirectory.com
GNU General Public License v3.0

An issue with 1.5.3 encrypted licensed copy #8

Closed xyzsimon closed 3 years ago

xyzsimon commented 3 years ago

I run a licensed encrypted copy of phpmydirectory 1.5.3. I received an email from a website called openbugbounty.org. The link they sent me identifies a supposed Access Control Vulnerability for my website. This email has a link; the link took me to a page that had a report. The report included this:

Remediation Guide: with a link to: OWASP Access Control Cheat Sheet. When I clicked it, it sent me to this github link:

https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Access_Control_Cheat_Sheet.md

Has anyone received such an email ?

TowerForte commented 3 years ago

I reported this 28 days ago. Sadly, the vulnerability will be made public soon. If you have a large site, I would recommend getting an external firewall to protect you, as they can patch it until the problem is resolved with the new release.

Barrie

ImChase commented 3 years ago

Can you send me the link to openbugbounty?

xyzsimon commented 3 years ago

https://www.openbugbounty.org/

ImChase commented 3 years ago

I meant to where they specifically talk about the issue haha!

xyzsimon commented 3 years ago

This link is not specific to identifying the issue at my site... but it's the reporter's link https://www.openbugbounty.org/researchers/Kapitan/

xyzsimon commented 3 years ago

The Vulnerability Type is: IAC (Improper Access Control), and when I click its link I get to this page https://owasp.org/www-community/Broken_Access_Control

bjohnson045 commented 3 years ago

I suggest changing your admin folder names.

https://phpmydirectory.atlassian.net/wiki/spaces/PMDDOC/pages/10748067/Security+Tips?src=search

Then also adding htaccess password protection to the admin area:

https://help.dreamhost.com/hc/en-us/articles/216363187-Password-protecting-your-site-with-an-htaccess-file#htaccess

A lot of web hosts have an easy way to do this from their control panels.
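The htaccess password protection suggested above, as an added example that is not from the phpMyDirectory project or the commenter: a POSIX shell script that writes a `.htpasswd` and a `.htaccess` for a (renamed) admin directory and then verifies a password against the stored hash the same way Apache does. It assumes Apache honours `AllowOverride AuthConfig` for that directory and that `openssl` is on the PATH; the directory name, user and password are constructed sample values.

```shell
#!/bin/sh
# Added example (not phpMyDirectory project code): HTTP Basic auth for the admin
# directory via .htaccess/.htpasswd, as suggested in the thread above.
# Assumes Apache applies AllowOverride AuthConfig to the directory and that
# `openssl` is on the PATH. Directory, user and password below are constructed.

# protect_admin_dir ADMIN_DIR USER PASSWORD PASSWD_FILE
# Hashes PASSWORD in Apache's apr1 (MD5-based) format, which every Apache build
# accepts, writes USER:HASH to PASSWD_FILE and drops a .htaccess into ADMIN_DIR.
# Keep PASSWD_FILE outside the web root so it can never be served directly.
protect_admin_dir() {
  admin_dir=$1 user=$2 pass=$3 passwd_file=$4
  hash=$(openssl passwd -apr1 "$pass")
  printf '%s:%s\n' "$user" "$hash" > "$passwd_file"
  # Owner and the web server's group may read it; match ownership to your host.
  chmod 640 "$passwd_file"
  cat > "$admin_dir/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted area"
AuthUserFile $passwd_file
Require valid-user
EOF
}

# check_password PASSWD_FILE USER PASSWORD
# Re-hashes PASSWORD with the salt stored for USER and compares; returns 0 on a
# match, 1 for an unknown user or a wrong password.
check_password() {
  passwd_file=$1 user=$2 pass=$3
  stored=$(grep "^$user:" "$passwd_file" | cut -d: -f2- || true)
  [ -n "$stored" ] || return 1
  salt=$(printf '%s' "$stored" | cut -d'$' -f3)   # field 3 of $apr1$SALT$HASH
  [ "$(openssl passwd -apr1 -salt "$salt" "$pass")" = "$stored" ]
}

# Demo on a throwaway tree standing in for the site and its renamed admin folder.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/site/my-renamed-admin"
protect_admin_dir "$demo_dir/site/my-renamed-admin" admin 'Tr0ub4dor&3' "$demo_dir/.htpasswd"
check_password "$demo_dir/.htpasswd" admin 'Tr0ub4dor&3' && echo "correct password accepted"
check_password "$demo_dir/.htpasswd" admin 'wrong' || echo "wrong password rejected"
rm -rf "$demo_dir"
```

`htpasswd -B` (bcrypt) is the stronger choice where the `htpasswd` tool is installed; the apr1 format is used here only because it needs nothing beyond `openssl`.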

xyzsimon commented 3 years ago

Ben, thanks for the reply / solution.

rjarquin1 commented 3 years ago

Thank you for that information