
osCommerce SPAM sending exploit



secure_host
November 19th, 2009, 11:09
Those of you who use OS Commerce, take note.


A serious security vulnerability has been discovered in osCMax v2.0.3 and all prior versions. It is important that you follow the below instructions carefully to secure your site. Failure to do so could result in your site being breached by attack.

The following files must be removed from your site's administrative panel folder:

/admin/file_manager.php
/admin/define_language.php

Removing these files will close this vulnerability.

osCMax v2.0.4 has been posted to osCMax.com and the vulnerability has been patched. The security fix has also been added in SVN. It is recommended that all osCMax site owners remove these files immediately.


A security hole was found in osCMax 2.0 RC 3.0.1 that allows a remote attacker to upload files to your site via a browser.



This is a high risk vulnerability, and as such we have released osCMax 2.0 RC 3.0.2, which is no longer vulnerable to this type of exploit. In addition, the vulnerable files have been removed from the SVN repository, for all branches (RC3, RC4).

No new files or code have been added to the package, but several files have been removed. To manually patch your site, simply delete the following files/folders from your osCMax install:



/catalog/FCKeditor/editor/filemanager/browser/default/connectors/asp/

/catalog/FCKeditor/editor/filemanager/browser/default/connectors/aspx/

/catalog/FCKeditor/editor/filemanager/browser/default/connectors/cfm/

/catalog/FCKeditor/editor/filemanager/browser/default/connectors/perl/

/catalog/FCKeditor/editor/filemanager/browser/default/connectors/test.html


Removing the above files/folders closes the security hole.

Everyone should be aware of these exploits in osCommerce and osCMax shopping cart software.

It allows sending of spam without logging in, and possibly uploading of files. The "sender" becomes YOU, the merchant, which is a trusted source by customers.

You need to fix this immediately on any servers you have. It's an easy fix.
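As an added example (not from the osCMax advisory or from this post), the following POSIX shell script audits an osCMax/osCommerce document root for the files and folders the advisory above says to delete, reports any that are still present, and optionally removes them. The install root path used in the usage comment is an assumed placeholder; the relative paths are exactly those listed in the advisory.

```shell
#!/bin/sh
# Added example: check an osCMax / osCommerce site root for the files the
# advisory says to remove, and remove them on request.
# The site root ("/var/www/oscmax" in the usage comment) is an assumed placeholder.

# Paths from the advisory, relative to the site root.
VULNERABLE_PATHS="
admin/file_manager.php
admin/define_language.php
catalog/FCKeditor/editor/filemanager/browser/default/connectors/asp
catalog/FCKeditor/editor/filemanager/browser/default/connectors/aspx
catalog/FCKeditor/editor/filemanager/browser/default/connectors/cfm
catalog/FCKeditor/editor/filemanager/browser/default/connectors/perl
catalog/FCKeditor/editor/filemanager/browser/default/connectors/test.html
"

# list_vulnerable ROOT: print each listed path that still exists under ROOT.
list_vulnerable() {
    for rel in $VULNERABLE_PATHS; do
        if [ -e "$1/$rel" ]; then
            echo "$1/$rel"
        fi
    done
    return 0
}

# count_vulnerable ROOT: print how many of the listed paths still exist.
# 0 means the manual fix from the advisory has been applied.
count_vulnerable() {
    n=0
    for rel in $VULNERABLE_PATHS; do
        if [ -e "$1/$rel" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# remove_vulnerable ROOT: delete the listed paths under ROOT.
# Refuses an empty root or "/" so a mistyped argument cannot wipe the system.
remove_vulnerable() {
    root=$1
    case "$root" in
        ""|/) echo "remove_vulnerable: refusing root '$root'" >&2; return 1 ;;
    esac
    if [ ! -d "$root" ]; then
        echo "remove_vulnerable: not a directory: '$root'" >&2
        return 1
    fi
    for rel in $VULNERABLE_PATHS; do
        if [ -e "$root/$rel" ]; then
            rm -rf -- "$root/$rel"
            echo "removed $root/$rel"
        fi
    done
    return 0
}

# Usage when run directly:
#   sh oscmax_audit.sh /var/www/oscmax            # report only
#   sh oscmax_audit.sh /var/www/oscmax --remove   # report, then delete
if [ "$#" -ge 1 ]; then
    list_vulnerable "$1"
    if [ "$2" = "--remove" ]; then
        remove_vulnerable "$1"
    fi
fi
```

Run it in report mode first after every upgrade or restore from backup: the advisory's fix is purely the absence of these files, so a redeploy of an old package can silently reintroduce them.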