(A) (SEC) Administration Tool Log-In Update
Importance: High | Difficulty: Easy
The Administration Tool log-in feature introduced in v2.2RC2 can be bypassed on Apache web servers with AcceptPathInfo enabled by manipulating the URL.
The fix sets a local $login_request variable in the login.php page; application_top.php then checks for that variable when no administrator session exists.
Affected Files
catalog/admin/includes/application_top.php
@@ -146,6 +146,10 @@
$redirect = true;
}
+ if (!isset($login_request) || isset($HTTP_GET_VARS['login_request']) || isset($HTTP_POST_VARS['login_request']) || isset($HTTP_COOKIE_VARS['login_request']) || isset($HTTP_SESSION_VARS['login_request']) || isset($HTTP_POST_FILES['login_request']) || isset($HTTP_SERVER_VARS['login_request'])) {
+ $redirect = true;
+ }
+
if ($redirect == true) {
tep_redirect(tep_href_link(FILENAME_LOGIN));
}
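Review bot: The added guard relies on a plain variable, `$login_request`, and then has to deny-list every request source (`$HTTP_GET_VARS`, `$HTTP_POST_VARS`, cookies, session, files, server) that register_globals could populate it from; that enumeration is fragile and must be kept in sync with PHP's variable-registration behaviour. Since register_globals only creates variables, a constant is not subject to it: having login.php (the second hunk) do `define('LOGIN_REQUEST', true);` and checking `if (!defined('LOGIN_REQUEST')) {` here would need no source list at all. If the variable form is kept, the line deserves a why-comment such as `// $login_request must originate from login.php itself, not from any request-populated global (register_globals)`. The conditional that encloses this check begins outside the hunk, so whether it only runs when no administrator session exists cannot be confirmed from here.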
catalog/admin/login.php
@@ -10,6 +10,8 @@
Released under the GNU General Public License
*/
+ $login_request = true;
+
require('includes/application_top.php');
require('includes/functions/password_funcs.php');