mightyx Posted December 17, 2013
Some days ago gambio.de reported a security hole in their shop software which also occurs in xt:commerce and other osCommerce-based shop systems. As I found out, the security hole may also appear in some versions of osCommerce. Here's a patch for those who want to be safe (besides that, I strongly recommend securing the admin area with htaccess!).

In /catalog/admin/whos_online.php, just after:

    while ($whos_online = tep_db_fetch_array($whos_online_query)) {

add the following line of code:

    $whos_online['last_page_url'] = htmlentities($whos_online['last_page_url']);

Could one of the developers please check and confirm? All credits go to gambio.de, great job guys!
burt Posted December 17, 2013
Could you please link to the full report.
mightyx (Author) Posted December 17, 2013
Yes, here it is: http://www.gambio.de/security-patch-dez2013-div.html

Unfortunately only in German. It says basically: With the Security Patch published here, we close a security hole that we consider to be very critical. Attackers would be able to create an admin account, and gain control over the entire shop and all data.
tgely Posted December 19, 2013
@burt @mightyx The first v2.3.3.1 osCommerce release fix prevents the hack. Gambio's fix is very similar. Parse REQUEST_URI with tep_db_prepare_input() before storing the value in the database. Replace REMOTE_ADDR with tep_get_ip_address().

osCommerce-based shop owner with minimal design and focused on background works. When the less is more. Email management with tracking pixel, package management for shipping, stock management, warehouse management with bar code reader, parcel shops management on 3000 pickup points without local store.
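An added example, not code from this thread, from osCommerce or from Gambio: a minimal PHP model of the whos_online flow the two fixes above address. A visitor's REQUEST_URI is normalised before it is stored (the "sanitise on input" step) and HTML-escaped when the admin table is rendered (the htmlentities() step), with the raw rendering kept beside it for comparison. The helper names and the sample URI are my own constructions.

```php
<?php
// Constructed sample of what a visitor request could carry in REQUEST_URI.
// The stray quote and tags stand in for markup that must never reach the
// admin page unescaped.
$sample_request_uri = '/product_info.php?products_id=1"><b>injected</b>';

// Input side (hypothetical helper, stands in for the storing step):
// keep only characters that belong in a URL path or query and cap the
// length, so the stored last_page_url stays a plain URL.
function normalise_last_page_url(string $uri, int $max_len = 255): string {
    $uri = trim($uri);
    // Drop anything outside RFC 3986 unreserved, reserved and percent chars.
    // '<', '>' and '"' are not URL characters, so they are removed here.
    $uri = preg_replace('|[^A-Za-z0-9\-._~:/?#\[\]@!$&\'()*+,;=%]|', '', $uri);
    return substr($uri, 0, $max_len);
}

// Output side: what the admin "Who's Online" page should do with the value.
// ENT_QUOTES also escapes single quotes, which matters inside attributes.
function render_last_page_cell(string $stored_url): string {
    return '<td>' . htmlentities($stored_url, ENT_QUOTES, 'UTF-8') . '</td>';
}

// Vulnerable rendering kept for comparison: the stored string is echoed
// straight into the admin table, so any markup in it becomes live HTML.
function render_last_page_cell_unescaped(string $stored_url): string {
    return '<td>' . $stored_url . '</td>';
}

// Defence in depth: even if the input filter is bypassed or an older row
// already holds markup, the output escaping keeps the admin page inert.
$stored = normalise_last_page_url($sample_request_uri);
echo "stored:  " . $stored . PHP_EOL;
echo "unsafe:  " . render_last_page_cell_unescaped($sample_request_uri) . PHP_EOL;
echo "escaped: " . render_last_page_cell($sample_request_uri) . PHP_EOL;
```

Both layers are worth applying: the input filter stops new rows from carrying markup, while the output escaping also covers rows written before the patch.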