Guest
Posted June 13, 2005

I just got this article about osCommerce being hackable via HTTP response splitting.

http://www.gulftech.org/?node=research&art...=00080-06102005

How big of a deal is this? Is a patch going to be released? Should I try to manually fix it?

niknakgroup
Posted June 13, 2005

First time I've come across it, but this sounds very similar to the SQL injection bug which was around a while back.

Unless you are a big store with lots of juicy customer information, I wouldn't be sweating too much about this. I suppose if you have c/card info in your database it could be a biggy, but your c/c details should be split anyway as a standard security fix.

As for your store vulnerability... not sure, jury is still out!

Of course, one very quick fix is to install Chemo's SEO URL contrib, which does a 301 redirect on all product_info URLs to a search engine friendly URL and will prevent the product id being visible to begin with... :)

http://www.oscommerce.com/community/contri...search,ultimate

Please note - if I have suggested a contrib above, it doesn't mean it will work! Most of the contribs are not ones I've used, but may be useful for your particular problem...

Have you tried a refined search? Chances are your problem has already been dealt with elsewhere on the forums...

if (stumped == true) { return(square_one($start_over) } else { $random_query = tep_fetch_answer($forum_query) }