Loaded Commerce Community



Board index » CRE Loaded Support » CRE Loaded 6.2

All times are UTC - 5 hours




 Post subject: Security Fix Released! Admin access PHPSELF issue
PostPosted: Tue Sep 01, 2009 9:00 am 
CRE Expert

Joined: Wed Jul 30, 2003 12:00 am
Posts: 1411
Security Fix Released! For all CRE Loaded users, to protect your admin from the PHPSELF exploit.
Download the security fix for your specific version. Current patch level required.

http://www.creloaded.com/fdm_folder_fil ... CDpath=175

Use this forum thread to discuss this issue for 6.2 users.

_________________
Regards,

Salvatore Iozzia
Founder and Chief Evil Overlord
Loaded Commerce, LLC & The Reactor Works / Hosting
http://loadedcommerce.com | http://thereactorworks.com | http://thereactorhosting.com

JOIN THE LOADED SKYPE CHAT:
http://tinyurl.com/7mlvwot

follow me on TWITTER! http://www.twitter.com/saliozzia


 
 Post subject: Re: Security Fix Released! Admin access PHPSELF issue
PostPosted: Tue Sep 01, 2009 8:29 pm 
CRE Talented

Joined: Thu Dec 25, 2008 5:09 pm
Posts: 489
Location: CO
What about 6.3.x users?


 
 Post subject: Re: Security Fix Released! Admin access PHPSELF issue
PostPosted: Tue Sep 01, 2009 9:13 pm 
CRE Talented

Joined: Thu Dec 25, 2008 5:09 pm
Posts: 489
Location: CO
Okay I found instructions for 6.3.x in the creloaded62standard_wl_v6.2.14a_Security_PHPSELF.zip file but the manual instructions give an error....

Code:
For 6.3 and 6.4 sites, Find line:
$PHP_SELF = (isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] :
$_SERVER['SCRIPT_NAME']);

Replace with:
$PHP_SELF = $_SERVER['SCRIPT_NAME']);


saying there is an unexpected ")".


So I suspect the instructions need to say:
Code:
For 6.3 and 6.4 sites, Find line:
$PHP_SELF = (isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] :
$_SERVER['SCRIPT_NAME']);

Replace with:
$PHP_SELF = $_SERVER['SCRIPT_NAME'];


--- Just remove the )

Plus, the instructions mention only "download and edit your admin/includes/application_top.php", but shouldn't this change also be made in "includes/application_top.php"? Can anyone confirm?

On a second note: how can we test the vulnerability to see it in action, and then, after this fix is applied, see that it is stopped?

Thanks,

Mike


 
 Post subject: Re: Security Fix Released! Admin access PHPSELF issue
PostPosted: Sat Sep 05, 2009 3:10 pm 
CRE Legend

Joined: Sun Nov 09, 2003 1:00 am
Posts: 7301
Location: Baconton, GA USA
It is probably best to replace this wherever it is found. And those 2 files are not the only places...

Interesting question for me is, why has this not been posted to the admin security alert block embedded in all CRE admin tools....

David

_________________
My CRE Loaded FAQ List
CRE Loaded Hosting


 
 Post subject: Re: Security Fix Released! Admin access PHPSELF issue
PostPosted: Wed Apr 07, 2010 5:31 pm 
CRE Addict

Joined: Wed Mar 15, 2006 1:00 am
Posts: 174
Location: San Diego
Quote:
Security Fix Released! For all CRE Loaded users to protect your admin from PHPSELF exploit.
Download the security fix for your specific version. Current patch level required.

http://www.creloaded.com/fdm_folder_fil ... CDpath=175


This link goes to a blank page. Is there a new link for the security fix?

Thanks,
c.


 
 Post subject: Re: Security Fix Released! Admin access PHPSELF issue
PostPosted: Wed Apr 07, 2010 8:53 pm 
CRE Expert

Joined: Thu Jul 13, 2006 12:00 am
Posts: 660
http://www.creloaded.com/fdm_folder_fil ... fPath=0_69

_________________
Regards,

------------------------------------------------------------------------
Kirk Osburne
Director of Customer Services
loadedcommerce.com | thereactorworks.com

------------------------------------------------------------------------


 
 Post subject: Re: Security Fix Released! Admin access PHPSELF issue
PostPosted: Wed Aug 25, 2010 12:06 am 
CRE Freak

Joined: Wed Jul 05, 2006 12:00 am
Posts: 56
Hi,

I just tried to install this for my CRE Loaded 6.2 Standard using the manual instructions, however I get this error:

Code:
Parse error: syntax error, unexpected ')' in /home/mge0908/public_html/fashionobsessed/admin/includes/application_top.php on line 67


Here are the manual instructions given in the fix:


Code:
For 6.15 and 6.2 sites, find line:
$PHP_SELF = (isset($HTTP_SERVER_VARS['PHP_SELF']) ?
$HTTP_SERVER_VARS['PHP_SELF'] : $HTTP_SERVER_VARS['SCRIPT_NAME']);

Replace with:
$PHP_SELF = $HTTP_SERVER_VARS['SCRIPT_NAME']);


While I am no programmer, I believe this is probably because the ) should not be there in the "Replace with" line. Could someone please confirm this, so that I can patch my file?

Thanks

_________________
Fashion Obsessed Fashion Forum - Are you obsessed with Fashion?

Fashion & Costume Jewellery - Wholesale & Dropshipping


 
 Post subject: Re: Security Fix Released! Admin access PHPSELF issue
PostPosted: Wed Aug 25, 2010 4:34 pm 
CRE Talented

Joined: Thu Dec 25, 2008 5:09 pm
Posts: 489
Location: CO
Look 5 posts up ^


 
 Post subject: Re: Security Fix Released! Admin access PHPSELF issue
PostPosted: Thu Nov 18, 2010 11:42 am 
CRE Newbie

Joined: Sat Oct 09, 2010 10:10 am
Posts: 3
Is this still available? It appears there's no longer a download link.


 
 Post subject: Re: Security Fix Released! Admin access PHPSELF issue
PostPosted: Sun Nov 21, 2010 1:13 am 
CRE Newbie

Joined: Sun Nov 21, 2010 1:02 am
Posts: 5
Here is good news for all the CRE Loaded users. It has been a long wait for them for this Security Fix. It is easy to install. Just go to the link given here and you can download and install that. But just be careful because that security fix given here is for the 6.2 users only. For the 6.3.x users, another version has to be used. So, there is nothing to worry regarding the PHPSELF exploit.

_________________
high availability


 
 Post subject: Re: Security Fix Released! Admin access PHPSELF issue
PostPosted: Fri Aug 26, 2011 2:29 am 
CRE Newbie

Joined: Fri Aug 26, 2011 2:14 am
Posts: 1
Hi Guys,
Without logging into your admin panel, a hacker can access your site via:
http://[www.kaamnagreensikka.com]/admin/categories.php/login.php?cPath=&action=new_product_preview

https://[www.kaamnagreensikka.com]/admin/file_manager.php/login.php

To patch your site, open /admin/includes/application_top.php

find: $current_page = basename($PHP_SELF); around Line 136

replace:
$current_page = basename($_SERVER['SCRIPT_NAME']);

Regards,
Ritika
kaamnagreensikka


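The following is an added example, not code from CRE Loaded or from any poster in this thread. It answers Mike's question above about seeing the vulnerability in action and then seeing it stopped, and it models the URLs Ritika posted (`/admin/categories.php/login.php`, `/admin/file_manager.php/login.php`). The idea: with path info enabled, a request for `/admin/categories.php/login.php` runs `categories.php`, but PHP_SELF carries the trailing `/login.php`, so `basename($PHP_SELF)` reports `login.php` and the admin gate treats the request as the login page. SCRIPT_NAME is set by the web server from the file it actually resolved, so `basename($_SERVER['SCRIPT_NAME'])` cannot be steered that way. The `$_SERVER` values are constructed in the script rather than taken from a live server, and the constant name `FILENAME_LOGIN` and the shape of `admin_allows()` are assumptions about the real admin/includes/application_top.php, which is more involved.

```php
<?php
// Added example (not CRE Loaded code): models the admin gate that the PHP_SELF
// path-info trick bypasses, and the SCRIPT_NAME-based fix from the thread.
// $_SERVER values are constructed here, not captured from a live web server.
// FILENAME_LOGIN and admin_allows() are assumed simplifications of the real
// admin/includes/application_top.php.

define('FILENAME_LOGIN', 'login.php');

// Build the $_SERVER entries Apache (with AcceptPathInfo) and PHP produce for a
// request URI. Everything after the first ".php" in the path is PATH_INFO, and
// PHP_SELF is SCRIPT_NAME plus PATH_INFO, so a client-supplied suffix lands in it.
function server_vars(string $uri): array
{
    $path = parse_url($uri, PHP_URL_PATH);          // query string is not part of PATH_INFO
    if (preg_match('#^(.*?\.php)(/.*)?$#', $path, $m)) {
        $script   = $m[1];
        $pathInfo = $m[2] ?? '';
    } else {
        $script   = $path;
        $pathInfo = '';
    }
    return [
        'SCRIPT_NAME' => $script,
        'PATH_INFO'   => $pathInfo,
        'PHP_SELF'    => $script . $pathInfo,
    ];
}

// Pre-fix line from application_top.php: PHP_SELF is preferred, so its
// basename() is whatever file name the attacker appended to the URL.
function current_page_vulnerable(array $server): string
{
    $PHP_SELF = (isset($server['PHP_SELF']) ? $server['PHP_SELF'] : $server['SCRIPT_NAME']);
    return basename($PHP_SELF);
}

// Post-fix line: SCRIPT_NAME is the file the web server actually resolved.
function current_page_fixed(array $server): string
{
    return basename($server['SCRIPT_NAME']);
}

// Simplified admin gate: without a logged-in admin session, only the login
// page may be served. A wrong $current_page therefore yields a wrong decision.
function admin_allows(bool $adminLoggedIn, string $currentPage): bool
{
    return $adminLoggedIn || $currentPage === FILENAME_LOGIN;
}

// Constructed requests: a plain admin page, the two path-info URLs from the
// post above, and the login page itself (which must stay reachable).
$requests = [
    '/admin/categories.php?cPath=&action=new_product_preview',
    '/admin/categories.php/login.php?cPath=&action=new_product_preview',
    '/admin/file_manager.php/login.php',
    '/admin/login.php',
];

// Evaluate every request as an unauthenticated visitor against both checks.
foreach ($requests as $uri) {
    $srv = server_vars($uri);
    printf("%-66s vulnerable: %-7s fixed: %s\n",
        $uri,
        admin_allows(false, current_page_vulnerable($srv)) ? 'ALLOWED' : 'denied',
        admin_allows(false, current_page_fixed($srv))      ? 'ALLOWED' : 'denied');
}
```

Run it with `php` on the command line: the two `.../login.php` path-info requests pass the vulnerable check and are denied by the fixed one, the plain `categories.php` request is denied by both, and `/admin/login.php` is allowed by both, which is the behaviour to look for when re-testing a patched install with the same URLs while logged out. The fix holds only because SCRIPT_NAME comes from the resolved script file rather than the request line, which is also why David's advice to replace the PHP_SELF assignment wherever it appears, not just in the admin gate, is the safer course.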
 