mightyx 0 Posted December 17, 2013

Some days ago gambio.de reported a security hole in their shop software which also occurs in xt:commerce and other osCommerce-based shop systems. As I found out, the security hole may also appear in some versions of osCommerce. Here's a patch for those who want to be safe (besides that, I strongly recommend securing the admin area with htaccess!).

In /catalog/admin/whos_online.php, just after:

    while ($whos_online = tep_db_fetch_array($whos_online_query)) {

add the following line of code:

    $whos_online['last_page_url'] = htmlentities($whos_online['last_page_url']);

Could one of the developers please check and confirm? All credits go to gambio.de, great job guys!
burt 5,612 Posted December 17, 2013

Could you please link to the full report.
mightyx 0 Posted December 17, 2013

Yes, here it is: http://www.gambio.de/security-patch-dez2013-div.html

Unfortunately it is only in German. Basically it says: "With the security patch published here, we close a security hole that we consider to be very critical. Attackers would be able to create an admin account and gain control over the entire shop and all data."
tgely 262 Posted December 19, 2013

@burt @mightyx The first v2.3.3.1 osCommerce release fix prevents the hack. Gambio's fix is very similar. Parse REQUEST_URI with tep_db_prepare_input() before storing the value in the database. Replace REMOTE_ADDR with tep_get_ip_address().

osCommerce-based shop owner with minimal design and focused on background work. When less is more. Email management with tracking pixel, package management for shipping, stock management, warehouse management with bar code reader, parcel shop management on 3000 pickup points without a local store.
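The two posts above describe two different mitigations for the same issue: mightyx's patch encodes last_page_url when the admin "Who's Online" page prints it, and tgely points at the 2.3.3.1 approach of sanitising REQUEST_URI before it is written to the whos_online table. The PHP below is an added example, not osCommerce, Gambio or either poster's code. It models the attack path (a shop visitor supplies a request URI containing a script tag; the value is stored; the admin page renders it) and shows what each fix, alone and combined, does to the resulting HTML. The helper functions prepareForStorage(), recordVisit(), renderVulnerable() and renderEscaped() are stand-ins written for this example; prepareForStorage() mimics the whitespace-collapsing and angle-bracket replacement of tep_db_prepare_input()/tep_sanitize_string() as I understand them, and is not the project's real implementation. The attacker URL is constructed for the demonstration.

```php
<?php
// Added example, not osCommerce/Gambio code. Models the stored-XSS path through
// the admin "Who's Online" page and the two mitigations discussed in the thread.
// All function names here are stand-ins for this example, not real osCommerce APIs.

// Constructed attacker request: a shop visitor requests this URL, the shop records
// REQUEST_URI in the whos_online table, and the admin page later prints it.
// Any admin viewing the page would run the script in their authenticated session,
// which is how "create an admin account" becomes possible.
$attackerRequestUri = '/catalog/index.php?cPath=1"><script>'
    . 'fetch("/catalog/admin/administrators.php",{method:"POST",body:"action=insert&username=evil&password=evil"})'
    . '</script>';

// Unpatched rendering: the stored value goes straight into the HTML.
function renderVulnerable(array $row): string {
    $url = $row['last_page_url'];
    return '<a href="' . $url . '">' . $url . '</a>';
}

// Output-side fix (the first post's patch). ENT_QUOTES is passed explicitly so that
// single quotes are encoded as well; a bare htmlentities() on PHP 5 uses ENT_COMPAT
// and leaves them alone, which matters if the value ever lands in a single-quoted attribute.
function renderEscaped(array $row): string {
    $url = htmlentities($row['last_page_url'], ENT_QUOTES, 'UTF-8');
    return '<a href="' . $url . '">' . $url . '</a>';
}

// Input-side fix in the spirit of tep_db_prepare_input()/tep_sanitize_string():
// collapse runs of spaces and replace '<' and '>' with '_' before storage.
// Stand-in implementation for this example; consult the real 2.3.3.1 functions.
function prepareForStorage(string $value): string {
    $value = trim(stripslashes($value));
    return preg_replace(['/ +/', '/[<>]/'], [' ', '_'], $value);
}

// Minimal model of the storage step (the real code writes a whos_online row).
function recordVisit(string $requestUri, bool $sanitise): array {
    return ['last_page_url' => $sanitise ? prepareForStorage($requestUri) : $requestUri];
}

$unsafeRow = recordVisit($attackerRequestUri, false);
$safeRow   = recordVisit($attackerRequestUri, true);

echo "Unpatched (script tag survives intact):\n", renderVulnerable($unsafeRow), "\n\n";
echo "Output escaping only:\n", renderEscaped($unsafeRow), "\n\n";
echo "Input sanitising only:\n", renderVulnerable($safeRow), "\n\n";
echo "Both (defence in depth):\n", renderEscaped($safeRow), "\n";

// Self-check: neither hardened path leaves a live <script> element in the page.
assert(strpos(renderEscaped($unsafeRow), '<script>') === false);
assert(strpos(renderVulnerable($safeRow), '<script>') === false);
assert(strpos(renderVulnerable($unsafeRow), '<script>') !== false);
```

Run it with `php example.php`. The output-side fix is the one to apply regardless of which version you run, because it protects rows that were already stored before the patch; the input-side fix does nothing for data written by an unpatched shop until those rows expire from whos_online. Applying both is the reasonable default, and, as the first post says, keeping the admin directory behind an extra htaccess login limits who can even load the page that renders the value.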