Loaded Commerce Community


All times are UTC - 5 hours




 Post subject: SQL injection vulnerability in create_account.php
PostPosted: Fri Jan 25, 2008 5:57 pm 
CRE Freak

Joined: Sat May 20, 2006 12:00 am
Posts: 96
I am running CRE Loaded Pro 6.2 Pro Patch 11 and have found a security vulnerability in create_account.php. It allows for a possible SQL injection. Who can I contact about this? Thanks!


 Post subject: Re: SQL injection vulnerability in create_account.php
PostPosted: Tue Jan 29, 2008 2:03 pm 
CRE Addict

Joined: Wed Oct 01, 2003 12:00 am
Posts: 220
Location: Virginia, USA
Please post the information in the bug tracker at
http://creforge.com/tracker/?atid=126&g ... unc=browse

Or, if the report contains sensitive information, please submit a support ticket at:
http://www.creloaded.com/support/tickets/?CDpath=2_77

Charles


 Post subject: Re: SQL injection vulnerability in create_account.php
PostPosted: Tue Jan 29, 2008 2:54 pm 
CRE Addict

Joined: Wed Oct 01, 2003 12:00 am
Posts: 220
Location: Virginia, USA
Simpler still, just send me a private message.


 Post subject: Re: SQL injection vulnerability in create_account.php
PostPosted: Thu Jun 05, 2008 8:44 pm 
CRE Freak

Joined: Sun May 25, 2008 12:36 pm
Posts: 37
Not being paranoid, how private is a security message posted over the Internet in an email? I know that it is common and accepted practice but given that many ecommerce websites run over CRE Loaded then ideally the security information could have been sent through a different channel. I have known instances of active interception of email.

Does CRE Loaded have a vulnerability disclosure policy?

Cheers

Tel


 Post subject: Re: SQL injection vulnerability in create_account.php
PostPosted: Sun Jun 28, 2009 2:17 pm 
CRE Talented

Joined: Tue Nov 30, 2004 1:00 am
Posts: 375
Location: New Smyrna Beach, FL
Well, if inside a support ticket you see the padlock on your browser, it would be secure. As far as email goes, if you aren't using TLS/SSL over a secure email port and the server is not set up to use a commercial CA validated service certificate, your email will NOT be secured.

Let me know if you need help setting up your email client to send secure email and ensure your host accepts secure email channels.

_________________
Inetbizo Open Source eCommerce Strategy Consultant
========================
EOS, CRE, osCommerce E-Commerce Education, Forums, Links

