miraculix — 2010-02-18T13:18:01-05:00 — #1
A new security issue has been discovered which affects all creloaded stores prior to version 6.4.1.
You can check if you are affected by conducting this URL change test:
change /admin/login.php to admin/login.php/orders.php
If yes, and the order page comes up, you need to do a tweak to the /admin/includes/application_top.php
Simply find the line:
$PHP_SELF = (isset($SERVER['PHPSELF']) ? $SERVER['PHPSELF'] :
and replace with:
$PHP_SELF = $SERVER['SCRIPTNAME'];
That should take care of it!
More info about this on my blog.
miraculix — 2010-02-18T15:48:36-05:00 — #2
actually try /admin/login.php to admin/orders.php/login.php
miraculix — 2010-02-18T22:24:19-05:00 — #3
I have received a response from Sal, the project leader.
My blog gets hammered a bit with JS injection and iframes. Switching themes seems like a way to eliminate this. But hope you guys don't mind if I invite Sal to continue the discussion here at neutral territory.
miraculix — 2010-02-18T22:42:22-05:00 — #4
ok here is my response and hopefully the conversation will continue here:
miraculix — 2010-02-18T22:44:06-05:00 — #5
Links to screenshots:
miraculix — 2010-02-18T22:58:20-05:00 — #6
I am still in the process of gathering more information, I found another thread on creloaded security forums which is right up there http://creloaded.org/forum/58/28126.html but discussion stops somewhat abruptly in Nov 09.
If the email from Crehelp.com went out to i.e. 20,000 people with a conversion rate of 5%, that would be 1000 people purchasing a 2 minute fix at an average cost of let's say $60, that's $60,000.
Somebody is laughing all the way to the bank and I think some other people are in on it.