danthman
Posted August 24, 2010

I have just found out that there is a security weakness on my site. When someone types in http://yoursite.com/admin/orders.php/login.php they can see all my orders. How can I close this hole? I am going to rename the admin to hide it but I would still like to close this hole. Anyone got any ideas?

Thanks,
Dan

daniolmos
Posted August 24, 2010

I can't believe it, it's true. Help please. And it happens with any page of the admin folder.

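A log check for the request shape reported in the two posts above, as an added example (not code from the thread or from osCommerce): it flags access-log entries where a PHP script under the admin directory is followed by extra path segments ending in login.php. The combined log format, the directory name `admin`, the sample log lines and the function name are assumptions.

```python
import re
from urllib.parse import unquote

# Assumption: the admin directory still has its default name; pass another
# name to find_suspect_requests() if it has been renamed.
ADMIN_DIR = "admin"

# Request line and status code of an Apache/NGINX combined-format entry.
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample entries (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Aug/2010:10:01:12 +0000] "GET /admin/orders.php/login.php HTTP/1.1" 200 18233 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [24/Aug/2010:10:01:40 +0000] "GET /admin/customers.php/login.php?page=2 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [24/Aug/2010:10:02:03 +0000] "GET /admin/login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [24/Aug/2010:10:03:31 +0000] "GET /Admin//orders.php/LOGIN.php HTTP/1.1" 403 199 "-" "curl/7.19"',
    '192.0.2.9 - - [24/Aug/2010:10:04:00 +0000] "GET /catalog/login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
]

def find_suspect_requests(lines, admin_dir=ADMIN_DIR):
    """Return requests shaped like /<admin_dir>/<script>.php/.../login.php."""
    pattern = re.compile(
        r"^/" + re.escape(admin_dir) + r"/([^/]+\.php)/(?:.*/)?login\.php$",
        re.IGNORECASE,
    )
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a parseable request entry
        target, status = m.group(1), int(m.group(2))
        # Drop the query string, decode %xx escapes, collapse repeated slashes.
        path = re.sub(r"/{2,}", "/", unquote(target.split("?", 1)[0]))
        hit = pattern.match(path)
        if hit:
            hits.append({
                "client": line.split(" ", 1)[0],
                "script": hit.group(1).lower(),
                # 200 means a page body was returned rather than a redirect
                # or a denial; review those entries first.
                "served": status == 200,
            })
    return hits

if __name__ == "__main__":
    for h in find_suspect_requests(SAMPLE_LOG):
        print(h)
```
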
Guest
Posted August 24, 2010

This thread is PINNED in the security area.

If you have NOT read the security threads then your site is vulnerable !!!

http://www.oscommerce.com/forums/index.php?showtopic=340995

Chris

WebDev22
Posted August 24, 2010

> This thread is PINNED in the security area.
>
> If you have NOT read the security threads then your site is vulnerable !!!
>
> http://www.oscommerce.com/forums/index.php?showtopic=340995
>
> Chris

I guess reading the security thread beats migrating to Magento. Do you know what post addresses the htaccess solution? I'd like to get that patched up first.

Guest
Posted August 24, 2010

Brett,

First post in this thread:

http://www.oscommerce.com/forums/topic/313323-how-to-secure-your-site/

This issue is an OLD issue as you can see by the date on the thread (2008), although Dan thinks it is a NEW threat, it is not.

Chris

WebDev22
Posted August 24, 2010

> Brett,
>
> First post in this thread:
>
> http://www.oscommerce.com/forums/topic/313323-how-to-secure-your-site/
>
> This issue is an OLD issue as you can see by the date on the thread (2008), although Dan thinks it is a NEW threat, it is not.
>
> Chris

I added that to an existing htaccess file and got errors.

pick1e
Posted August 26, 2010

The "fix" aside, why does this hack work and can't/shouldn't it be fixed in the code?

--------------------------------
Justin
osC is awesome. Thanks everyone.

Archived
This topic is now archived and is closed to further replies.