Serious osCommerce Vulnerability - Hackers see all
Author Message
alphaleap
Total posts: 75

USA US Nevada
PostPosted: Thu Nov 12, 2009 12:56 pm Post subject: Serious osCommerce Vulnerability - Hackers see all #1

The problem affects nearly every website using osCommerce 2.2 - even with the group level login access contribution. A test for the vulnerability can be done by using the following URL example http://www.domaintotest.com/admin/orders.php/login.php; change "domaintotest.com" to your domain. Make sure you're logged off admin before entering the URL. If you can access the site, hackers can also access all customer details including orders, perform database queries, upload php files to the images folder, send mass emails, etc. without ever logging in. If using the group level login contribution, test by using
http://www.domaintotest.com/admin/orders.php/login_admin.php.

As a developer, I can provide the required fix. Send me a private note if you need this fixed ASAP. Note: Priority is provided to sites storing credit card details.

Hackers are scouring the net for osCommerce websites including osCommerce showroom link that contain sites with this vulnerability which was discovered a couple of days ago.

James Berry

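As an added example (not from the thread, osCommerce, or CRE Loaded), the Python below does two things a site owner would want after reading the post above: it flags the probe pattern described there in web-server access logs, and it shows why a login check that looks only at the last component of the requested path is fooled when extra path info follows the real script. It assumes Apache-style combined log lines and a server that passes trailing path info to .php scripts (the general PATH_INFO mechanism); all log entries are constructed.

```python
import re

# Constructed sample access-log lines (not real traffic): two probes of the
# kind described in the post, one legitimate admin login, one storefront hit.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Nov/2009:13:01:22 +0000] "GET /admin/orders.php/login.php HTTP/1.1" 200 8123
203.0.113.5 - - [12/Nov/2009:13:01:40 +0000] "GET /admin/customers.php/login_admin.php?page=2 HTTP/1.1" 200 9044
198.51.100.7 - - [12/Nov/2009:13:02:01 +0000] "GET /admin/login.php HTTP/1.1" 200 2011
198.51.100.9 - - [12/Nov/2009:13:02:15 +0000] "GET /product_info.php?products_id=42 HTTP/1.1" 200 5120
"""

# Suspicious: an /admin/ script followed by extra path info ending in
# login.php or login_admin.php (the two test URLs given in the post).
BYPASS_RE = re.compile(
    r'"(?:GET|POST|HEAD)\s+(/admin/[^/\s?]+\.php/[^\s?]*login(?:_admin)?\.php)'
)

LOGIN_SCRIPTS = ("login.php", "login_admin.php")


def find_bypass_attempts(log_text):
    """Return (client_ip, request_path) for every log line matching BYPASS_RE."""
    hits = []
    for line in log_text.splitlines():
        m = BYPASS_RE.search(line)
        if m:
            hits.append((line.split(" ", 1)[0], m.group(1)))
    return hits


def split_script_path(path):
    """Split a URL path into the script the server executes and trailing PATH_INFO.
    Assumption: the first '.php' segment is the script, anything after it is path info."""
    m = re.match(r"(.*?\.php)(/.*)?$", path)
    if not m:
        return path, ""
    return m.group(1), m.group(2) or ""


def is_login_page_naive(path):
    """Weak check: trusts the last path component of the full request path."""
    return path.rsplit("/", 1)[-1] in LOGIN_SCRIPTS


def is_login_page_hardened(path):
    """Stronger check: decide on the executing script only, ignoring PATH_INFO."""
    script_name, _path_info = split_script_path(path)
    return script_name.rsplit("/", 1)[-1] in LOGIN_SCRIPTS


if __name__ == "__main__":
    for ip, req in find_bypass_attempts(SAMPLE_LOG):
        print(f"possible admin bypass probe from {ip}: {req}")
```

Run against a real access log by replacing SAMPLE_LOG with the file contents; every hit should be reviewed together with what that client did next.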
xbaystores
Total posts: 382

USA US Alabama
PostPosted: Thu Nov 12, 2009 3:45 pm Post subject: #2

alphaleap wrote: › The problem affects nearly every website using osCommerce 2.2 - even with the group level login access contribution. A test for the vulnerability can be done by using the following URL example http://www.domaintotest.com/admin/orders.php/login.php; change "domaintotest.com" to your domain. Make sure you're logged off admin before entering the URL. If you can access the site, hackers can also access all customer details including orders, perform database queries, upload php files to the images folder, send mass emails, etc. without ever logging in. If using the group level login contribution, test by using
http://www.domaintotest.com/admin/orders.php/login_admin.php.

As a developer, I can provide the required fix. Send me a private note if you need this fixed ASAP. Note: Priority is provided to sites storing credit card details.

Hackers are scouring the net for osCommerce websites including osCommerce showroom link that contain sites with this vulnerability which was discovered a couple of days ago.

James Berry
A quick fix until this issue is patched, since this is already causing problems, is to place password protection on the admin directory in your host's cPanel/File Manager.

alphaleap
Total posts: 75

USA US Nevada
PostPosted: Thu Nov 12, 2009 4:36 pm Post subject: #3

I also forgot to mention that the vulnerability affects all CRE Loaded websites as well without htaccess restrictions.

As xbaystores mentioned, a quick fix to the problem is to add htaccess login to the admin directory. You'll need to log in twice, but at least your site will be secure until OSC and CRE are corrected.

WebGraphicsSource
Location: Rainy Oregon
Total posts: 14

PostPosted: Sat Nov 14, 2009 10:09 am Post subject: Re: Serious osCommerce Vulnerability - Hackers see all #4

It does not affect CRE Loaded; the very latest full release and patches of the software address this issue.

AND if anyone is not patched all the way up to the latest release, CRE Loaded has the proper security fixes here:
http://www.creloaded.com/fdm_folder_files.php?fPath=0_69

Basically it's the admin/includes/application.top file that needs a code adjustment.

This has been around since last July.
