Flexible, user-friendly membership software
01/27/2009
A minor security problem has been found in aMember Pro. It affects aMember Pro versions 3.0.8 through 3.1.6, and only installations where the following conditions are met:
On a vulnerable installation, an attacker who knows an existing customer's exact username and e-mail address can overwrite that customer's profile information through the signup page. Saved credit card information cannot be leaked this way, and the attacker cannot create any subscriptions, because aMember re-asks for the credit card number on every payment. The problem is still worth fixing, and the fix is very easy to apply.
Edit the file amember/signup.php and replace the lines:
if ($config['allow_second_signup'] && $db->get_user_payments($member_id,1)) {
} else {
with:
if ($db->get_user_payments($member_id,1)) {
$error[] = sprintf(_SIGNUP_INVALID_USERNAME_3,$vars[login]);
} else {
aMember Pro 3.1.7 has been released with this fix. Applying the edit above fixes the problem completely, so upgrading is not required.
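To make the effect of the edit concrete, here is an added example that is not aMember's own code: an in-memory model of the signup.php check quoted above, with the vulnerable shape and the fixed shape side by side and a constructed attacker submission run through both. The names $config, $db, get_user_payments(), $member_id, $vars, $error and _SIGNUP_INVALID_USERNAME_3 follow the page; the FakeDb class, its get_member_by_login() and update_member() helpers, the member records, and the bodies of the two if/else branches (the page shows only the conditions) are assumptions made for illustration.

```php
<?php
// Added example, not aMember's code. Models the signup.php check described in
// the advisory: FakeDb, its helpers, the sample records and the branch bodies
// are assumptions; the conditions are the ones quoted from the page.

define('_SIGNUP_INVALID_USERNAME_3', 'Username %s is already taken, please choose another');

class FakeDb
{
    public $members = [];   // member_id => profile row (assumed layout)
    public $payments = [];  // member_id => number of completed payments

    // Find an existing member by login; 0 if none (assumed helper).
    public function get_member_by_login($login)
    {
        foreach ($this->members as $id => $m) {
            if ($m['login'] === $login) {
                return $id;
            }
        }
        return 0;
    }

    // Stand-in for the page's $db->get_user_payments($member_id, 1): returns the
    // member's completed payment count. The second argument is accepted but its
    // meaning in aMember is not stated on the page, so it is ignored here.
    public function get_user_payments($member_id, $completed)
    {
        return isset($this->payments[$member_id]) ? $this->payments[$member_id] : 0;
    }

    // Overwrite the stored profile with the posted signup fields (assumed helper).
    public function update_member($member_id, array $vars)
    {
        $this->members[$member_id] = array_merge($this->members[$member_id], $vars);
    }
}

// Vulnerable shape (3.0.8 - 3.1.6): with allow_second_signup enabled, a login
// that already has payments is treated as a second signup and the posted
// fields replace the stored profile. Only login and e-mail need to match.
function signup_vulnerable(FakeDb $db, array $config, array $vars)
{
    $error = [];
    $member_id = $db->get_member_by_login($vars['login']);
    if ($member_id && $db->members[$member_id]['email'] === $vars['email']) {
        if ($config['allow_second_signup'] && $db->get_user_payments($member_id, 1)) {
            $db->update_member($member_id, $vars);   // assumed branch body
        } else {
            $error[] = sprintf(_SIGNUP_INVALID_USERNAME_3, $vars['login']);
        }
    }
    return $error;
}

// Fixed shape (the edit above / 3.1.7): an account with completed payments is
// refused on the signup page regardless of allow_second_signup; only an account
// that never paid (an abandoned signup) may be reused.
function signup_fixed(FakeDb $db, array $config, array $vars)
{
    $error = [];
    $member_id = $db->get_member_by_login($vars['login']);
    if ($member_id && $db->members[$member_id]['email'] === $vars['email']) {
        if ($db->get_user_payments($member_id, 1)) {
            $error[] = sprintf(_SIGNUP_INVALID_USERNAME_3, $vars['login']);
        } else {
            $db->update_member($member_id, $vars);   // assumed branch body
        }
    }
    return $error;
}

// Constructed scenario: one paying member, and an attacker who knows only her
// login and e-mail and posts the signup form with his own profile fields.
function make_db()
{
    $db = new FakeDb();
    $db->members[1] = ['login' => 'alice', 'email' => 'alice@example.com',
                       'name_f' => 'Alice', 'name_l' => 'Smith'];
    $db->payments[1] = 1;   // she has one completed payment
    return $db;
}

$attack = ['login' => 'alice', 'email' => 'alice@example.com',
           'name_f' => 'Mallory', 'name_l' => 'Attacker'];
$config = ['allow_second_signup' => 1];

$db = make_db();
$err = signup_vulnerable($db, $config, $attack);
printf("vulnerable: errors=%d, stored name=%s %s\n",
       count($err), $db->members[1]['name_f'], $db->members[1]['name_l']);

$db = make_db();
$err = signup_fixed($db, $config, $attack);
printf("fixed: errors=%d, stored name=%s %s\n",
       count($err), $db->members[1]['name_f'], $db->members[1]['name_l']);
```

Run with `php` on the command line. The first run shows the vulnerable check accepting the submission with no error and the stored profile now carrying the attacker's name; the second shows the fixed check returning the "username already taken" error and leaving the record untouched. Note that in this model a member with no completed payments can still be reused by either version, which matches the page's fix: it keys the refusal on payments, not on the existence of the account.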