A new security issue has been discovered which affects all creloaded stores prior to version 6.4.1.
You can check if you are affected by conducting this URL change test:
change /admin/login.php to admin/login.php/orders.php
If yes, and the order page comes up, you need to do a tweak to the /admin/includes/application_top.php
Simply find the line:
$PHP_SELF = (isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME']);
and replace with:
$PHP_SELF = $_SERVER['SCRIPT_NAME'];
That should take care of it!
More info about this on my blog.
actually try /admin/login.php to admin/orders.php/login.php
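To see why the corrected URL (orders.php/login.php) is the one that matters and why swapping PHP_SELF for SCRIPT_NAME closes it, here is an added model of the check, not code from the thread or from CRE Loaded: it simulates how the web server splits a request into SCRIPT_NAME and PATH_INFO, and assumes (as the posted fix implies) that the admin guard lets an unauthenticated request through only when the script it sees is login.php.

```python
import posixpath
from urllib.parse import urlsplit

# Assumption (not from the thread): the admin guard serves an unauthenticated
# request only when the script it sees is login.php; anything else redirects
# to the login page.
PUBLIC_ADMIN_SCRIPTS = {"login.php"}


def split_script_and_path_info(request_uri):
    """Model how the web server fills SCRIPT_NAME and PATH_INFO.

    The first path segment ending in ".php" is the script that executes;
    anything after it is PATH_INFO, which PHP appends to PHP_SELF.
    """
    path = urlsplit(request_uri).path
    segments = path.split("/")
    for i, seg in enumerate(segments):
        if seg.endswith(".php"):
            script_name = "/".join(segments[: i + 1])
            rest = segments[i + 1:]
            path_info = "/" + "/".join(rest) if rest else ""
            return script_name, path_info
    return path, ""


def executed_script(request_uri):
    """Basename of the script PHP actually runs for this request."""
    return posixpath.basename(split_script_and_path_info(request_uri)[0])


def guard_allows_without_session(request_uri, patched):
    """True if the admin guard would serve the request with no admin session.

    patched=False checks PHP_SELF (SCRIPT_NAME + PATH_INFO) as the original
    application_top.php did; patched=True checks SCRIPT_NAME as the fix does.
    """
    script_name, path_info = split_script_and_path_info(request_uri)
    checked = script_name if patched else script_name + path_info
    return posixpath.basename(checked) in PUBLIC_ADMIN_SCRIPTS


def is_path_info_bypass_attempt(request_uri):
    """Access-log review helper: a .php script followed by another .php segment."""
    script_name, path_info = split_script_and_path_info(request_uri)
    return script_name.endswith(".php") and path_info.endswith(".php")


if __name__ == "__main__":
    # Constructed request paths, taken from the URL test discussed above.
    for uri in ("/admin/login.php", "/admin/login.php/orders.php",
                "/admin/orders.php/login.php?oID=1"):
        print(uri, executed_script(uri),
              guard_allows_without_session(uri, False),
              guard_allows_without_session(uri, True))
```

With the unpatched check, orders.php/login.php runs orders.php while the guard sees login.php; login.php/orders.php only runs the login page either way, which is why the test in the first post is harmless and the corrected one is not.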
I have received a response from Sal, the project leader.
My blog gets hammered a bit with JS injection and iframes. Switching themes seems like a way to eliminate this. But hope you guys don’t mind if I invite Sal to continue the discussion here at neutral territory.
ok here is my response and hopefully the conversation will continue here:
I am still in the process of gathering more information, I found another thread on creloaded security forums which is right up there http://creloaded.org/forum/58/28126.html but discussion stops somewhat abruptly in Nov 09.
If the email from Crehelp.com went out to i.e. 20,000 people with a conversion rate of 5%, that would be 1000 people purchasing a 2 minute fix at an average cost of let’s say $60, that’s $60,000.
Somebody is laughing all the way to the bank and I think some other people are in on it.