
osCommerce


OLD MS1 Security patches


Adyx


Posted

Hi, I have a couple of old MS1 osCommerce stores up and running, and they have become very customized over time. However, one of them had an exploit run on it this morning, and the result was a spoofed index.html file added as a quick defacement to the site.

All the FTP access, server, admin access, etc. seem to be fine.

And the assumption is they managed to execute some code to create the index.html file.

I assume this would be an SQL injection scam, and wonder if there are any obvious files inside the MS1 build that need patches related to this type of exploit.

Upgrading to the recent version of osCommerce is not really an option at the moment, as that would represent far more hassle to do than patching what is otherwise a good store system.

Much appreciated if anyone has any advice.

Posted

OK, after some research I think I have found the bit to patch in the first instance.

SQL injection vulnerability in the create_account_process.php and the account_edit_process.php files, specifically related to the Country field; apparently you can edit the "country" field to include SQL.

Does anyone know of a way to patch this, please?
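A sketch of the kind of server-side check that closes a hole like the one described in the post above. This is an added example, not part of the original thread and not osCommerce's own code. It assumes the form posts the country as a numeric ID, that a `countries` table with a `countries_id` column exists, and it uses PDO with an in-memory SQLite database as a stand-in for the store's database; the helper name `validated_country_id` is hypothetical.

```php
<?php
// Added example: strict validation plus a bound parameter for the posted country.
// Table, column and function names are assumptions, not taken from the MS1 code.

/**
 * Accept the posted country only if it is a plain positive integer ID
 * that exists in the countries table; return the int, or null to reject.
 */
function validated_country_id(PDO $db, $raw): ?int
{
    // ctype_digit() accepts digits only: quotes, spaces, signs and comment
    // markers all fail here, as do arrays and overlong values.
    if (!is_string($raw) || $raw === '' || strlen($raw) > 5 || !ctype_digit($raw)) {
        return null;
    }
    $id = (int) $raw;

    // Bound parameter: the value is never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT 1 FROM countries WHERE countries_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->fetchColumn() !== false ? $id : null;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE countries (countries_id INTEGER PRIMARY KEY, countries_name TEXT)');
$db->exec("INSERT INTO countries VALUES (222, 'United Kingdom'), (223, 'United States')");

// Constructed inputs: one legitimate ID, the rest are values the form should never send.
$samples = ['223', '999', "223' OR '1'='1", '223; --', '', ['223']];
foreach ($samples as $raw) {
    $id = validated_country_id($db, $raw);
    printf("%-20s => %s\n", json_encode($raw), $id === null ? 'rejected' : "accepted ($id)");
}
```

Only the first sample is accepted; the unknown ID, the strings carrying SQL, the empty value and the array are all rejected before any account query would run.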

Posted

It exists in catalog/includes for MS1 unless you removed it.

Hi.. thanks for that alert.

But if I am not mistaken this is dependent on: /inludes/include_once.php

being a file that exists in your installation of the catalog?

Archived

This topic is now archived and is closed to further replies.
