Loaded Commerce Community

Board index » CRE Loaded Support » CRE Loaded 6.2

All times are UTC - 5 hours




 Post subject: Need patches for XSS hack point hack osCommerce and CRE 6.2
PostPosted: Thu Jul 23, 2009 12:02 pm 
CRE Freak

Joined: Thu Jul 15, 2004 12:00 am
Posts: 43
Location: Texas and Mexico
Found solution here:

"Very recently it came to our attention that there was a way of bypassing the osCommerce database driven login. We're not giving details here, but we tested the hack ourselves and proved that it works...."

http://forums.oscommerceproject.org/ind ... topic=1472

TIA,
Kerry

_________________
Kerry Watson
oscommercemanuals dot com


 Post subject: Re: Need patches for XSS hack point hack osCommerce and CRE 6.2
PostPosted: Tue Jun 21, 2011 6:17 pm 
CRE Newbie

Joined: Mon Apr 19, 2010 4:14 pm
Posts: 8
The link is broken. Any other helpful links?


 Post subject: Re: Need patches for XSS hack point hack osCommerce and CRE 6.2
PostPosted: Fri Jun 24, 2011 7:47 pm 
CRE Legend

Joined: Thu Jun 12, 2008 6:39 am
Posts: 2402
Location: New Zealand
Fairly old news this ... fix is here:
http://www.codemehappy.com/2010/10/admi ... sed-carts/

Simon

_________________
www.codemehappy.com
For Cre Loaded tips, how-to articles and more


 Post subject: Re: Need patches for XSS hack point hack osCommerce and CRE 6.2
PostPosted: Mon Jun 27, 2011 9:56 am 
CRE Legend

Joined: Sun Nov 09, 2003 1:00 am
Posts: 7301
Location: Baconton, GA USA
Simon,

Nice article. Yes, this has been around quite a while, but it remains very much current news for the many users who missed the various announcements and are still being hacked to pieces because of it.

We still deal with many of these cases. One thing I would point out is that the fix is NOT always that straightforward. Many modified sites have additional instances of PHP_SELF direct global usage. Each of these must also be fixed to completely close loopholes.

Also worth noting that it is a LOT cheaper to fix this before you are hacked...

David

_________________
My CRE Loaded FAQ List
CRE Loaded Hosting
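David's point is that a stock patch only touches the lines the patch author knew about, and a modified site has to locate and convert every remaining direct use of PHP_SELF itself. The following is an added example for that clean-up; it is not code from CRE Loaded, osCommerce or any poster in this thread. It scans a code tree for every line that still reads PHP_SELF (as the bare `$PHP_SELF` global or via `$_SERVER` / `$HTTP_SERVER_VARS`) and shows the replacement pattern: take the running script's name from `$_SERVER['SCRIPT_NAME']`, which the server fills from the file it resolved rather than by echoing back request-derived path data, and escape it before it goes into HTML. The directory and file names in the demo are made up for the example.

```php
<?php
// Added example: not code from CRE Loaded, osCommerce or the thread's authors.
//   find_php_self_usage() lists every line in a code tree that still references
//   PHP_SELF, so a modified site can find the instances a stock patch misses.
//   current_script() is the replacement pattern, based on $_SERVER['SCRIPT_NAME'].
// Directory and file names below are assumptions made up for the demo.

/**
 * Recursively scan $dir for .php files and return each line that references
 * PHP_SELF. Returns a list of ['file' => ..., 'line' => ..., 'code' => ...].
 */
function find_php_self_usage(string $dir): array
{
    // Bare global, or the $_SERVER / $HTTP_SERVER_VARS element it is copied from.
    $pattern = '/\$PHP_SELF\b|\$(?:_SERVER|HTTP_SERVER_VARS)\s*\[\s*[\'"]PHP_SELF[\'"]\s*\]/';
    $hits = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $info) {
        if (strtolower($info->getExtension()) !== 'php') {
            continue;
        }
        $path = $info->getPathname();
        foreach (file($path, FILE_IGNORE_NEW_LINES) as $index => $line) {
            if (preg_match($pattern, $line)) {
                $hits[] = ['file' => $path, 'line' => $index + 1, 'code' => trim($line)];
            }
        }
    }
    return $hits;
}

/**
 * Name of the script the server actually executed, e.g. "login.php".
 * Compare this against a filename constant when deciding which page is being
 * served, instead of comparing a request-derived value.
 */
function current_script(): string
{
    return basename($_SERVER['SCRIPT_NAME'] ?? '');
}

/** Escaped form for use inside HTML attributes such as a form action. */
function current_script_html(): string
{
    return htmlspecialchars(current_script(), ENT_QUOTES, 'UTF-8');
}

// --- demo on a constructed code tree (assumed paths) ---------------------------
if (PHP_SAPI === 'cli') {
    $demo = sys_get_temp_dir() . '/php_self_audit_demo/admin';
    if (!is_dir($demo)) {
        mkdir($demo, 0700, true);
    }
    // Constructed sample files: one still using the global, one already converted.
    file_put_contents($demo . '/legacy.php', <<<'PHP'
<?php
echo '<form action="' . $PHP_SELF . '" method="post">';
PHP
    );
    file_put_contents($demo . '/converted.php', <<<'PHP'
<?php
echo '<form action="' . htmlspecialchars(basename($_SERVER['SCRIPT_NAME']), ENT_QUOTES, 'UTF-8') . '" method="post">';
PHP
    );

    foreach (find_php_self_usage(dirname($demo)) as $hit) {
        printf("%s:%d  %s\n", $hit['file'], $hit['line'], $hit['code']);
    }
}
```

Run it from the command line against the real document root instead of the temporary tree to get a file:line list of everything left to convert; each reported line is then rewritten along the lines of `converted.php`. The scan deliberately reports `$_SERVER['PHP_SELF']` too, because assigning that element to a local variable and using it "indirectly" carries exactly the same request-derived value.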


 Post subject: Re: Need patches for XSS hack point hack osCommerce and CRE 6.2
PostPosted: Tue Jun 28, 2011 12:33 am 
CRE Legend

Joined: Thu Jun 12, 2008 6:39 am
Posts: 2402
Location: New Zealand
Hi David,

Yes, I see quite a few 6.2 carts in this state. And there are several other places too (esp payment modules) where this patch could apply, but the Admin login is the most 'troublesome.'

In another but security-related area and referring to the 'XSS hack' subject line, I'm wondering also why cre doesn't update dbase queries to prepared statements, which I think would address some of the cross script injection issues. One of the good things to me about zencart is the design of their queries.

Do you know?

Simon

_________________
www.codemehappy.com
For Cre Loaded tips, how-to articles and more
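Simon's question about prepared statements deserves one precision: binding parameters addresses SQL injection, where submitted data changes the meaning of a query; cross-site scripting, the subject line's topic, is addressed separately by escaping values on output (as in the PHP_SELF clean-up above). The following added example, which is not code from CRE Loaded, osCommerce or Zen Cart, puts the two query styles side by side for the lookup a login routine performs. An in-memory SQLite database through PDO stands in for MySQL so it runs stand-alone; the table and column names are assumptions for the demo.

```php
<?php
// Added example, not code from CRE Loaded, osCommerce or Zen Cart. It contrasts
// concatenating a submitted value into the SQL text with binding it as a
// parameter of a prepared statement. SQLite in memory (via PDO) replaces MySQL
// so the script runs offline; table and column names are assumed for the demo.

/** Build a tiny customers table with constructed sample rows. */
function demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE customers ('
        . 'customers_id INTEGER PRIMARY KEY, '
        . 'customers_email_address TEXT, '
        . 'customers_password TEXT)');
    $ins = $db->prepare(
        'INSERT INTO customers (customers_email_address, customers_password) VALUES (?, ?)'
    );
    // Constructed rows; the password column holds a hash, never plaintext.
    $ins->execute(["o'brien@example.com", password_hash('demo-password', PASSWORD_DEFAULT)]);
    $ins->execute(['second@example.com', password_hash('other-password', PASSWORD_DEFAULT)]);
    return $db;
}

/**
 * Legacy pattern: the submitted address becomes part of the SQL text, so the
 * database parses whatever characters it contains as SQL. Shown only for the
 * contrast; do not use.
 */
function find_customer_concatenated(PDO $db, string $email): ?array
{
    $sql = "SELECT customers_id, customers_password FROM customers "
         . "WHERE customers_email_address = '" . $email . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * Prepared-statement pattern: the SQL text is fixed and the address travels as
 * a bound value, so the parser never sees it as part of the statement.
 */
function find_customer_prepared(PDO $db, string $email): ?array
{
    $stmt = $db->prepare(
        'SELECT customers_id, customers_password FROM customers WHERE customers_email_address = ?'
    );
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Login check built on the prepared lookup; the hash comparison stays in PHP. */
function login_ok(PDO $db, string $email, string $password): bool
{
    $row = find_customer_prepared($db, $email);
    return $row !== null && password_verify($password, $row['customers_password']);
}

if (PHP_SAPI === 'cli') {
    $db = demo_db();
    $email = "o'brien@example.com";   // a legitimate address that contains a quote

    try {
        find_customer_concatenated($db, $email);
        echo "concatenated query: unexpectedly succeeded\n";
    } catch (PDOException $e) {
        // The apostrophe ends the string literal early and the statement no
        // longer parses: the same ambiguity that injection relies on.
        echo "concatenated query failed: " . $e->getMessage() . "\n";
    }

    $row = find_customer_prepared($db, $email);
    echo "prepared query found customers_id: " . ($row ? $row['customers_id'] : 'none') . "\n";
    echo "login with correct password: " . (login_ok($db, $email, 'demo-password') ? 'ok' : 'denied') . "\n";
    echo "login with wrong password:   " . (login_ok($db, $email, 'wrong') ? 'ok' : 'denied') . "\n";
}
```

The same legitimate input makes the concatenated query fail and the prepared one succeed, which is the practical argument for converting a code base: correctness for ordinary data and resistance to crafted data come from the same change. Converting an existing application is still a large job, since every query site has to move from string building to placeholders, which is the cost David alludes to in his reply.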


 Post subject: Re: Need patches for XSS hack point hack osCommerce and CRE 6.2
PostPosted: Tue Jun 28, 2011 3:11 pm 
CRE Legend

Joined: Sun Nov 09, 2003 1:00 am
Posts: 7301
Location: Baconton, GA USA
CRE Loaded is somewhat of a branch - Zen Cart is a complete fork. For CRE to use prepared statements would require a fork.

David

_________________
My CRE Loaded FAQ List
CRE Loaded Hosting

