A new security issue has been discovered which affects all creloaded stores prior to version 6.4.1.
You can check if you are affected by conducting this URL change test:
change /admin/login.php to admin/login.php/orders.php
If yes, and the order page comes up, you need to do a tweak to the /admin/includes/application_top.php
Simply find the line:
$PHP_SELF = (isset($SERVER['PHPSELF']) ? $SERVER['PHPSELF'] :
and replace with:
$PHP_SELF = $SERVER['SCRIPTNAME'];
That should take care of it!
More info about this on my blog.