  1. #1
    SitePoint Addict Miraculix's Avatar
    Join Date
    Sep 2004
    Location
    NYC
    Posts
    386
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Creloaded.com - SERIOUS Security Issue Revealed - 1000s of stores affected

    A new security issue has been discovered which affects all creloaded stores prior to version 6.4.1.

    You can check if you are affected by conducting this URL change test:
    change /admin/login.php to admin/login.php/orders.php

    If yes, and the order page comes up, you need to do a tweak to /admin/includes/application_top.php.

    Simply find the line:

    $PHP_SELF = (isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME']);

    and replace with:
    $PHP_SELF = $_SERVER['SCRIPT_NAME'];


    That should take care of it!
    More info about this on my blog.

  2. #2
    Actually, try /admin/login.php to admin/orders.php/login.php.
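    As an added illustration of why the application_top.php patch from post #1 matters (this is not code from the thread or from CRE Loaded), the PHP script below computes $PHP_SELF both the original way and the fixed way for a constructed request carrying extra path info, as in the corrected test URL above, and feeds each value to a hypothetical admin gate that decides by basename() whether the current script is the login page. The requires_login() gate and the $_SERVER values are assumptions made for the example.

```php
<?php
// Added example; not code from the thread or from CRE Loaded. It applies the
// two versions of the application_top.php line to constructed $_SERVER arrays
// and feeds the result to a hypothetical admin gate (requires_login) that
// decides by basename() whether the current script is the login page.

// $PHP_SELF as computed by the original line.
function php_self_original(array $server): string
{
    return isset($server['PHP_SELF']) ? $server['PHP_SELF'] : $server['SCRIPT_NAME'];
}

// $PHP_SELF after the fix posted in the thread: always SCRIPT_NAME.
function php_self_fixed(array $server): string
{
    return $server['SCRIPT_NAME'];
}

// Hypothetical gate (assumption): every admin script except login.php needs a session.
function requires_login(string $phpSelf): bool
{
    return basename($phpSelf) !== 'login.php';
}

// Constructed requests. Under Apache, PHP_SELF is the script path plus any
// trailing path info, while SCRIPT_NAME is only the script that executes.
$requests = [
    'plain request' => [
        'SCRIPT_NAME' => '/admin/orders.php',
        'PHP_SELF'    => '/admin/orders.php',
    ],
    'with path info' => [
        'SCRIPT_NAME' => '/admin/orders.php',
        'PATH_INFO'   => '/login.php',
        'PHP_SELF'    => '/admin/orders.php/login.php',
    ],
];

foreach ($requests as $label => $server) {
    foreach (['original' => php_self_original($server),
              'fixed'    => php_self_fixed($server)] as $variant => $phpSelf) {
        printf("%-15s %-9s \$PHP_SELF=%-28s login required: %s\n",
            $label, $variant, $phpSelf, requires_login($phpSelf) ? 'yes' : 'no');
    }
}
```

    The last row is the case the thread's URL test exercises: with the original expression the gate treats orders.php as the login page, with the fixed expression it does not.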

  3. #3
    I have received a response from Sal, the project leader.



    My blog gets hammered a bit with JS injection and iframes. Switching themes seems like a way to eliminate this. But hope you guys don't mind if I invite Sal to continue the discussion here at neutral territory.

  4. #4
    OK, here is my response, and hopefully the conversation will continue here:


  5. #5

  6. #6
    I am still in the process of gathering more information. I found another thread on the creloaded security forums which is right up there (http://creloaded.org/forum/58/28126.html), but the discussion stops somewhat abruptly in Nov 09.

    If the email from Crehelp.com went out to, e.g., 20,000 people with a conversion rate of 5%, that would be 1000 people purchasing a 2 minute fix at an average cost of, let's say, $60; that's $60,000.

    Somebody is laughing all the way to the bank and I think some other people are in on it.

