
ZhenIT Software


  1. The Unicaja module http://addons.oscommerce.com/profile/190762

    It does no checking of any kind, neither before sending the data nor before processing the order.

    This lets the customer manipulate the amount to be paid. Or, what is even simpler, skip the card-entry step altogether just by typing http://{tienda}/{catalog}/checkout_pro into the browser.
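The two checks the post says the module lacks, as an added example in PHP that is not code from the Unicaja module or from osCommerce: the amount the gateway reports back is compared with the total the shop stored before redirecting the customer, and checkout_process refuses to create an order unless a confirmed payment exists for this customer and this total. The payment_intents table, the function names and the HMAC-signed notification format are assumptions standing in for the real gateway API.

```php
<?php
// Added example, not code from the Unicaja module or from osCommerce.
// The payment_intents table, the function names and the HMAC-signed
// notification format are assumptions standing in for the real gateway API.

// 1. Before redirecting to the gateway: record what is owed, server-side.
function create_payment_intent(PDO $db, int $customerId, float $cartTotal): string {
    $intentId = bin2hex(random_bytes(16));          // unguessable, one per checkout
    $db->prepare('INSERT INTO payment_intents (id, customer_id, amount, confirmed) VALUES (?, ?, ?, 0)')
       ->execute([$intentId, $customerId, number_format($cartTotal, 2, '.', '')]);
    return $intentId;
}

function to_cents(string $amount): int {
    return (int) round(((float) $amount) * 100);   // compare money as integers, not floats
}

// 2. Gateway notification: authenticate it, then check the amount against the
//    stored record. Neither the browser nor the notification decides the total.
function confirm_payment(PDO $db, array $n, string $gatewaySecret): bool {
    foreach (['intent_id', 'amount', 'result', 'signature'] as $field) {
        if (!isset($n[$field]) || !is_string($n[$field])) {
            return false;
        }
    }
    $expected = hash_hmac('sha256', $n['intent_id'] . '|' . $n['amount'] . '|' . $n['result'], $gatewaySecret);
    if (!hash_equals($expected, $n['signature']) || $n['result'] !== 'OK') {
        return false;                                // forged, tampered or declined
    }
    $stmt = $db->prepare('SELECT amount, confirmed FROM payment_intents WHERE id = ?');
    $stmt->execute([$n['intent_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['confirmed'] === 1) {
        return false;                                // unknown intent, or a replayed notification
    }
    if (to_cents($n['amount']) !== to_cents($row['amount'])) {
        return false;                                // customer changed the amount in the redirect form
    }
    $db->prepare('UPDATE payment_intents SET confirmed = 1 WHERE id = ?')->execute([$n['intent_id']]);
    return true;
}

// 3. checkout_process: requesting this URL directly, as the post describes, must
//    not create an order. Require a confirmed intent bound to this customer whose
//    amount still matches the cart.
function can_process_order(PDO $db, int $customerId, string $intentId, float $cartTotal): bool {
    $stmt = $db->prepare('SELECT amount FROM payment_intents WHERE id = ? AND customer_id = ? AND confirmed = 1');
    $stmt->execute([$intentId, $customerId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && to_cents($row['amount']) === to_cents(number_format($cartTotal, 2, '.', ''));
}

// What the (simulated) gateway does to a notification before sending it.
function sign(array $n, string $secret): array {
    $n['signature'] = hash_hmac('sha256', $n['intent_id'] . '|' . $n['amount'] . '|' . $n['result'], $secret);
    return $n;
}

// Walk-through on an in-memory SQLite database with a constructed checkout.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE payment_intents (id TEXT PRIMARY KEY, customer_id INTEGER, amount TEXT, confirmed INTEGER)');
$secret = 'gateway-shared-secret';                   // assumption: provisioned out of band
$intent = create_payment_intent($db, 42, 120.50);

// Skipping the card step and requesting checkout_process directly: must be refused.
var_dump(can_process_order($db, 42, $intent, 120.50));
// Customer edits the amount in the redirect form to 1.00 and pays that: must be
// refused even though the notification is genuine, because 1.00 is not the stored total.
var_dump(confirm_payment($db, sign(['intent_id' => $intent, 'amount' => '1.00', 'result' => 'OK'], $secret), $secret));
// Full amount paid: accepted once, and only then may the order be processed.
var_dump(confirm_payment($db, sign(['intent_id' => $intent, 'amount' => '120.50', 'result' => 'OK'], $secret), $secret));
var_dump(can_process_order($db, 42, $intent, 120.50));
```

The design point is that the customer's browser only ever carries an opaque intent id; the amount lives in the shop's database from the moment checkout starts, and both the gateway callback and checkout_process are checked against that record rather than against anything submitted in the request.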

  2. ZhenIT Software

    High risk payment modules

    There are, at least, two contributions that use the exec() command without checking the parameters that are passed to it. It's not very difficult to build a malicious URL that exploits this fact to execute code through it. So please, on behalf of shop owners, warn about it or disable them till they are fixed. The first one was originally posted by us: http://www.oscommerce.com/community/contributions,3168
    And the other one is: http://www.oscommerce.com/community/contributions,4997
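The pattern the post warns about, a request parameter reaching exec() unchecked, next to a hardened version, as an added PHP example that is not code from either contribution linked in the post. The 'file' parameter and the use of echo as the stand-in for the real command are assumptions, chosen so the script runs without any image tool installed.

```php
<?php
// Added example; not code from either contribution linked in the post.
// The 'file' parameter and the use of echo as the stand-in command are assumptions.

// VULNERABLE: the raw query-string value is spliced into the command line.
// exec() hands the string to /bin/sh -c, so ?file=a.jpg;id makes the shell
// run `id` (or anything else) as the web server user.
function vulnerable_command(string $file): string {
    return "echo $file";
}

// HARDENED, in two layers that do not depend on each other:
//  1. allow-list the value: the characters a plain file name needs, a fixed
//     set of extensions, no path separators, bounded length;
//  2. quote it with escapeshellarg() regardless, so a value that passes the
//     allow-list is still a single shell token and cannot append a command.
function safe_command(string $file): string {
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.(jpg|jpeg|png|gif)\z/', $file)) {
        throw new InvalidArgumentException('rejected file name: ' . $file);
    }
    return 'echo ' . escapeshellarg($file);
}

// Run a command and return the shell's output, so the difference is visible.
function run(string $cmd): string {
    exec($cmd, $lines, $rc);
    return implode("\n", $lines);
}

$malicious = 'a.jpg;id';                       // constructed value, as it would arrive in the URL
echo "vulnerable:\n", run(vulnerable_command($malicious)), "\n";   // the shell runs echo, then id
try {
    run(safe_command($malicious));
} catch (InvalidArgumentException $e) {
    echo "hardened: ", $e->getMessage(), "\n";
}
echo "hardened, valid input: ", run(safe_command('a.jpg')), "\n";
```

On Windows PHP runs exec() through cmd.exe, where the separator is & rather than ;, and escapeshellarg() quotes differently; the allow-list is what makes the check portable, and the quoting is the second layer, not a substitute for it.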
  3. ZhenIT Software

    article manager 1.2b-1054-'a.authors_id'

    Change:

        // a is joined to a2t with the comma operator. Since MySQL 5.0 the comma
        // binds less tightly than LEFT JOIN, so the join chain starting at a2t is
        // evaluated first and "au on a.authors_id = au.authors_id" cannot see a:
        // the query fails with an unknown-column error on a.authors_id.
        $articles_new_query_raw = "select a.articles_id, a.articles_date_added, ad.articles_name, ad.articles_head_desc_tag, au.authors_id, au.authors_name, td.topics_id, td.topics_name"
            . " from " . TABLE_ARTICLES . " a, " . TABLE_ARTICLES_TO_TOPICS . " a2t"
            . " left join " . TABLE_TOPICS_DESCRIPTION . " td on a2t.topics_id = td.topics_id"
            . " left join " . TABLE_AUTHORS . " au on a.authors_id = au.authors_id, "
            . TABLE_ARTICLES_DESCRIPTION . " ad"
            . " where (a.articles_date_available IS NULL or to_days(a.articles_date_available) <= to_days(now()))"
            . " and a.articles_id = a2t.articles_id and a.articles_status = '1' and a.articles_id = ad.articles_id"
            . " and ad.language_id = '" . (int)$languages_id . "' and td.language_id = '" . (int)$languages_id . "'"
            . " and a.articles_date_added > SUBDATE(now( ), INTERVAL '" . NEW_ARTICLES_DAYS_DISPLAY . "' DAY)"
            . " order by a.articles_date_added desc, ad.articles_name";

    to:

        // a is now the left-hand table of the explicit join chain, so every ON
        // clause that references a.* has it in scope. The a2t match moves into
        // an ON clause; the WHERE condition on a2t.articles_id is kept as it was.
        $articles_new_query_raw = "select a.articles_id, a.articles_date_added, ad.articles_name, ad.articles_head_desc_tag, au.authors_id, au.authors_name, td.topics_id, td.topics_name"
            . " from " . TABLE_ARTICLES . " a"
            . " left join " . TABLE_ARTICLES_TO_TOPICS . " a2t on (a.articles_id=a2t.articles_id)"
            . " left join " . TABLE_TOPICS_DESCRIPTION . " td on a2t.topics_id = td.topics_id"
            . " left join " . TABLE_AUTHORS . " au on a.authors_id = au.authors_id, "
            . TABLE_ARTICLES_DESCRIPTION . " ad"
            . " where (a.articles_date_available IS NULL or to_days(a.articles_date_available) <= to_days(now()))"
            . " and a.articles_id = a2t.articles_id and a.articles_status = '1' and a.articles_id = ad.articles_id"
            . " and ad.language_id = '" . (int)$languages_id . "' and td.language_id = '" . (int)$languages_id . "'"
            . " and a.articles_date_added > SUBDATE(now( ), INTERVAL '" . NEW_ARTICLES_DAYS_DISPLAY . "' DAY)"
            . " order by a.articles_date_added desc, ad.articles_name";

    same mechanics :D