
osCommerce


Security Risk reported by gambio.de may also appear in OSC 2.x


mightyx


Some days ago gambio.de reported a security hole in their shop software which also occurs in xt:commerce and other osCommerce-based shop systems.

As I found out, the security hole may also appear in some versions of oscommerce. Here's a patch for those who want to be safe (besides that I strongly recommend securing the admin area with htaccess!).

 

In /catalog/admin/whos_online.php just after:

while ($whos_online = tep_db_fetch_array($whos_online_query)) {

 

add the following line of code:

   $whos_online['last_page_url'] = htmlentities($whos_online['last_page_url']);

 

Could one of the developers please check and confirm?

 

All credits go to gambio.de, great job guys!


Yes, here it is: http://www.gambio.de/security-patch-dez2013-div.html

Unfortunately only in German. It says basically:

With the Security Patch published here, we close a security hole that we consider to be very critical. Attackers would be able to create an admin account, and gain control over the entire shop and all data.


@burt

@mightyx

 

The first v2.3.3.1 osCommerce release fix prevents the hack. Gambio's fix is very similar.

 

 

Parse REQUEST_URI with tep_db_prepare_input() before storing the value in the database. Replace REMOTE_ADDR with tep_get_ip_address().


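The whos_online.php pattern the thread is patching, shown before and after the fix from the first post and the 2.3.3.1 change, as an added example that is neither osCommerce's nor Gambio's code. The tep_db_prepare_input() stand-in below is a simplified assumption so the script runs on its own; the sample request URI and the session/IP values are constructed.

```php
<?php
// Added example (not osCommerce code): how last_page_url travels from REQUEST_URI
// to the admin "Who's Online" page, and why escaping it on output closes the hole.
declare(strict_types=1);

// Assumed, simplified stand-in for osCommerce's tep_db_prepare_input(): it trims and
// strips slashes (the real helper also handles arrays). Note it does NOT neutralise HTML,
// which is why the admin page must still escape the value when it is displayed.
function tep_db_prepare_input(string $value): string {
    return trim(stripslashes($value));
}

// What the unpatched admin page effectively did: print the stored URL as-is.
function render_row_unescaped(array $row): string {
    return '<td class="dataTableContent">' . $row['last_page_url'] . '</td>';
}

// The fix from the first post: run last_page_url through htmlentities() before output.
// ENT_QUOTES and an explicit charset are added so quotes inside attributes are covered too.
function render_row_escaped(array $row): string {
    $url = htmlentities($row['last_page_url'], ENT_QUOTES, 'UTF-8');
    return '<td class="dataTableContent">' . $url . '</td>';
}

// Constructed sample: a visitor's REQUEST_URI that carries markup. Any visitor controls
// this value, so the admin page must treat it as untrusted text, not as HTML.
$constructed_uri = '/product_info.php?products_id=1<script>alert(1)</script>';
$row = [
    'session_id'    => 'constructed-session-id',
    'ip_address'    => '203.0.113.10',                 // constructed, documentation range
    'last_page_url' => tep_db_prepare_input($constructed_uri),
];

echo render_row_unescaped($row), PHP_EOL; // the <script> element reaches the admin's browser intact
echo render_row_escaped($row), PHP_EOL;   // rendered as &lt;script&gt;... : visible text, not executed
```

Running it prints the two table cells side by side; only the second is safe to embed in the admin page, and the same rule applies to every other visitor-supplied column shown there.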
