
Contact page security breach?


petebown


I have recently seen some very strange emails that have been sent via the osCommerce 'Contact us' page.

This has happened on two of the sites that I work on.

It would appear that somebody is attempting to send email by posting random information to contact_us.php.

My concern is whether contact_us.php can be hacked in order to send spam.

As a short term solution, I have prevented read access to contact_us.php.

Pete


In a word - No.

The only person who will receive any emails sent will be you. The address it is being sent to is in a define, so you cannot inject another recipient.


In a word - No.

The only person who will receive any emails sent will be you. The address it is being sent to is in a define, so you cannot inject another recipient.

Thanks!

It's probably a virus on somebody's computer that's randomly posting to contact pages. Strange that the same thing happened to two unconnected sites within 9 hours.


Sorry, but Sam West was incorrect in his posting. The Contact Us page is not secure and can be hijacked by spammers - unless you have upgraded to the latest version of osCommerce MS2 which was released in November of last year.

This can be downloaded from the downloads section at www.oscommerce.com, and the security fixes/bug patches can either be applied by updating the file set or by using the manual install instructions which are also included in the download.

Vger


Looks like what I am seeing is some kind of virus on somebody's computer. I am receiving random emails mostly containing small pieces of text from a book. It may be a virus looking for weaknesses but it appears to be failing... just sending meaningless emails to me.

I'll leave the contact pages active for now as I'd like to get an IP address from the site log, so I can block it in .htaccess.

I did try to do the update a few months ago, but it caused one of my sites to fail... It took me hours to put it right. I'll try updating again on a test site.

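The log check described in the last post (find the addresses posting to contact_us.php, then block them in .htaccess), as an added example that is not part of the original thread. It assumes Apache "combined" access logs and Apache 2.4 `Require` syntax; the sample log lines, paths, addresses and the three-post threshold are constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample lines in Apache "combined" format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:03:14:07 +0000] "POST /catalog/contact_us.php?action=send HTTP/1.1" 302 - "-" "-"
203.0.113.7 - - [01/Jan/2024:03:14:09 +0000] "POST /catalog/contact_us.php?action=send HTTP/1.1" 302 - "-" "-"
203.0.113.7 - - [01/Jan/2024:03:14:12 +0000] "POST /catalog/contact_us.php?action=send HTTP/1.1" 302 - "-" "-"
198.51.100.23 - - [01/Jan/2024:09:41:55 +0000] "GET /catalog/contact_us.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Jan/2024:09:43:10 +0000] "POST /catalog/contact_us.php?action=send HTTP/1.1" 302 - "-" "Mozilla/5.0"
192.0.2.44 - - [01/Jan/2024:10:02:31 +0000] "POST /catalog/login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
not a log line
"""

# Client address, then the quoted request line: method, path, optional query string.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) ([^ ?"]+)(?:\?[^ "]*)? HTTP/[\d.]+"')

def contact_posts_by_ip(log_text, script="contact_us.php"):
    """Count POST requests to the contact script per client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines
        ip, method, path = m.groups()
        if method != "POST" or path.rsplit("/", 1)[-1] != script:
            continue  # page views and other scripts are not form submissions
        try:
            counts[str(ip_address(ip))] += 1  # validate before it can reach a config file
        except ValueError:
            continue  # host field is a hostname or junk, not an IP address
    return counts

def htaccess_block(counts, min_posts=3):
    """Build Apache 2.4 deny rules for IPs with at least min_posts submissions."""
    offenders = sorted(ip for ip, n in counts.items() if n >= min_posts)
    if not offenders:
        return ""
    rules = ["<RequireAll>", "    Require all granted"]
    rules += [f"    Require not ip {ip}" for ip in offenders]
    rules.append("</RequireAll>")
    return "\n".join(rules) + "\n"

if __name__ == "__main__":
    counts = contact_posts_by_ip(SAMPLE_LOG)
    print(counts.most_common())
    print(htaccess_block(counts))
```

The threshold keeps a customer who submitted the form once out of the block list; review the counts before pasting the generated rules into .htaccess.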

Archived

This topic is now archived and is closed to further replies.
