osCommerce

osCommerce 0-day SQL Injection Vulnerability


SecurityGeek


Hello,

I would like to report a 0-day vulnerability that works on the latest version of osCommerce, 2.3.3.4.

I don't want to disclose more information here in public before a fix is applied.

Can you advise where I can send the security report? I cannot find a free way to contact the support.

Thanks

Ahmed Aboul-Ela


So, is there a preferred channel for reporting such things? I realize there is a lot of crap out there breathlessly reporting horrendous security exposures on decade-old osC versions, which you probably don't want to wade through.


> So, is there a preferred channel for reporting such things? I realize there is a lot of crap out there breathlessly reporting horrendous security exposures on decade-old osC versions, which you probably don't want to wade through.

This channel?


> So, is there a preferred channel for reporting such things? I realize there is a lot of crap out there breathlessly reporting horrendous security exposures on decade-old osC versions, which you probably don't want to wade through.

A message to @Gergely or @burt would do it, but only for 2.3 shops onwards.


I'm curious as to what I am missing here? What makes this a serious problem? If the admin is password protected, this exploit can't be used, at least that I can see. If a hacker can get by the password protection, there would be much more serious problems. And, of course, if the admin was named something else, it would all but eliminate this possibility even if it worked without logging in. I'm not saying it shouldn't be fixed and it is good that it was reported. I'm just wondering what I am missing that seems to make this much of a threat.


You are quite correct, Jack. It will only affect those not employing .htaccess on their admin directories where the admin directory is discoverable.

So it's not going to be a ground-breaking security issue, as was the case with previous admin exploits.

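Both Jack's question and the reply above come down to one control: if the admin directory sits behind Apache's own basic-auth challenge, an admin-side SQL injection never sees an unauthenticated request. The following is an added example, not osCommerce code and not the htpasswd tool. It reimplements Apache's $apr1$ password hashing (the MD5-crypt variant htpasswd -m writes) so an .htpasswd entry can be generated and verified offline, and emits the matching .htaccess for the admin directory. The path /var/www/private/.htpasswd, the user name shopadmin and the realm text are illustrative assumptions.

```python
"""Added example: Apache basic-auth protection for an osCommerce admin directory.

Not osCommerce code. Reimplements Apache's $apr1$ hash so an .htpasswd entry
can be produced and checked without the htpasswd binary. The htpasswd path,
user name and realm are assumptions made for the example.
"""
import hashlib
import secrets
from typing import Optional

_APR1_MAGIC = b"$apr1$"
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """Encode the low 6*count bits of value with the crypt(3) alphabet, LSB first."""
    out = []
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_hash(password: str, salt: Optional[str] = None) -> str:
    """Return Apache's $apr1$<salt>$<hash> string for password."""
    if salt is None:
        salt = "".join(secrets.choice(_ITOA64) for _ in range(8))
    if not 1 <= len(salt) <= 8:
        raise ValueError("salt must be 1..8 characters")
    pw = password.encode("utf-8")
    sb = salt.encode("ascii")

    # Initial context: password, magic, salt.
    ctx = hashlib.md5(pw + _APR1_MAGIC + sb)
    # Alternate digest of password+salt+password, fed in once per 16 bytes of password.
    alt = hashlib.md5(pw + sb + pw).digest()
    for remaining in range(len(pw), 0, -16):
        ctx.update(alt[: min(16, remaining)])
    # For each bit of the password length: a NUL for a 1 bit, first password byte for 0.
    bits = len(pw)
    while bits:
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    # 1000 stretching rounds, mixing password, salt and the running digest.
    for i in range(1000):
        r = hashlib.md5()
        r.update(pw if i & 1 else final)
        if i % 3:
            r.update(sb)
        if i % 7:
            r.update(pw)
        r.update(final if i & 1 else pw)
        final = r.digest()

    # Apache's byte permutation before base64-style encoding.
    p = final
    encoded = (
        _to64((p[0] << 16) | (p[6] << 8) | p[12], 4)
        + _to64((p[1] << 16) | (p[7] << 8) | p[13], 4)
        + _to64((p[2] << 16) | (p[8] << 8) | p[14], 4)
        + _to64((p[3] << 16) | (p[9] << 8) | p[15], 4)
        + _to64((p[4] << 16) | (p[10] << 8) | p[5], 4)
        + _to64(p[11], 2)
    )
    return f"$apr1${salt}${encoded}"


def verify_apr1(password: str, stored: str) -> bool:
    """Check password against a stored $apr1$ hash using a constant-time compare."""
    if not stored.startswith("$apr1$"):
        return False
    salt = stored.split("$")[2]
    return secrets.compare_digest(apr1_hash(password, salt), stored)


def htpasswd_line(user: str, password: str, salt: Optional[str] = None) -> str:
    """One .htpasswd record: user:$apr1$salt$hash."""
    if ":" in user:
        raise ValueError("user name must not contain ':'")
    return f"{user}:{apr1_hash(password, salt)}"


def htaccess_for_admin(htpasswd_path: str, realm: str = "osCommerce admin") -> str:
    """Apache 2.4 .htaccess that forces basic auth for the whole admin directory."""
    return (
        "AuthType Basic\n"
        f'AuthName "{realm}"\n'
        f"AuthUserFile {htpasswd_path}\n"
        "Require valid-user\n"
    )


if __name__ == "__main__":
    # Assumed user name and path; the password here is only a placeholder.
    print(htpasswd_line("shopadmin", "correct horse battery staple"))
    print(htaccess_for_admin("/var/www/private/.htpasswd"))
```

Keep the .htpasswd file outside the web root (the path in AuthUserFile must be absolute), and drop the .htaccess into the admin directory itself so every script under it, not just login.php, is behind the challenge. On a host that has the Apache tools, `htpasswd -nbm user password` produces the same $apr1$ format and can be used to cross-check apr1_hash. Renaming the admin directory, as Jack notes, only raises the cost of discovery; the basic-auth layer is what actually stops an unauthenticated request from reaching the vulnerable script.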

Archived

This topic is now archived and is closed to further replies.
