We have known for some time about a security exploit that lets someone bypass the admin login and view order histories in osCommerce and all of its forks. Today a bigger issue with the PHP_SELF exploit was brought to our attention by CRE Loaded forum member dsauthority: a malicious user could send out emails to your customers, again bypassing the admin login.
We would show you this in action, but that would only expose it to the greater public. All versions of CRE Loaded before 6.4.0a are exploitable.
You can find the patch here, or apply it manually by modifying the application_top.php files in admin\includes and storepath\includes.
For 6.15 and 6.2 sites, find the line:
$PHP_SELF = (isset($HTTP_SERVER_VARS['PHP_SELF']) ? $HTTP_SERVER_VARS['PHP_SELF'] : $HTTP_SERVER_VARS['SCRIPT_NAME']);
Replace with:
$PHP_SELF = $HTTP_SERVER_VARS['SCRIPT_NAME'];
For 6.3+ sites, in the same files as above, find the line:
$PHP_SELF = (isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME']);
Replace with:
$PHP_SELF = $_SERVER['SCRIPT_NAME'];
Amazing what one line of code can change!
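To confirm after patching that both files carry the fix, a check along these lines can be run against the store root. This is an added example, not part of the original post or of the CRE Loaded patch; the function names and the assumption that `includes/` and `admin/includes/` sit under one root directory are hypothetical.

```sh
#!/bin/sh
# Added example: audit a store tree for the unpatched $PHP_SELF assignment.
# Function names and the single-root layout are assumptions, not CRE Loaded code.

# Print "vulnerable", "patched" or "unknown" for one application_top.php.
php_self_status() {
    file=$1
    # Keep only lines that assign to $PHP_SELF (commented-out lines do not match).
    assign=$(grep -E '^[[:space:]]*\$PHP_SELF[[:space:]]*=' "$file" 2>/dev/null) || true
    if [ -z "$assign" ]; then
        # File missing, or the assignment is written in a form we do not recognise.
        echo unknown
    elif printf '%s\n' "$assign" | grep -Eq "\[['\"]PHP_SELF['\"]\]"; then
        # Still reads PHP_SELF from $_SERVER or $HTTP_SERVER_VARS.
        echo vulnerable
    elif printf '%s\n' "$assign" | grep -Eq "\[['\"]SCRIPT_NAME['\"]\]"; then
        echo patched
    else
        echo unknown
    fi
}

# Check both files the post says to modify; return non-zero unless both are patched.
audit_store() {
    root=$1
    rc=0
    for f in "$root/includes/application_top.php" \
             "$root/admin/includes/application_top.php"; do
        st=$(php_self_status "$f")
        echo "$st  $f"
        [ "$st" = patched ] || rc=1
    done
    return $rc
}

# Stand-alone use: sh audit.sh /path/to/store
[ "$#" -eq 0 ] || { audit_store "$1"; exit $?; }
```

An "unknown" result means the file should be inspected by hand rather than assumed safe.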
If this is something you are not comfortable with plugging, we do offer a patch service. A one-hour minimum is required so we can easily address other issues.
cre loaded patch service

