Known exploit com_oscommerce_personal

More
9 years 4 months ago #1014 by geertech
Hi,
I got a warning from my provider about outdated version files of OSCommerce, and, much more important, exploit files installed by the module!

Please fix this, as I obviously didn\'t pay for module that installs obscure files...

2. Regular expression match = [symlink\\s*\\(]:
‘/home/heerenva/public_html/components/com_oscommerce/download.php’
3. Script version check [OLD] [osCommerce v2.3.3.4 < v2.3.4]:
‘/home/heerenva/public_html/components/com_oscommerce/includes/configure.php’
4. Known exploit = [Fingerprint Match] [PHP Wordpress Exploit [P0273]]:
‘/home/heerenva/public_html/components/com_oscommerce_personal/images/index.php’
5. Known exploit = [Fingerprint Match] [PHP Wordpress Exploit [P0273]]:
‘/home/heerenva/public_html/components/com_oscommerce_personal/languages/images/index.php’

Please Log in or Create an account to join the conversation.

More
9 years 4 months ago - 9 years 4 months ago #1019 by Support Team
Thank you for this information. We will make the necessary changes in a new version 3.3. if you got more information or requests. Please let us know. Point 3 and 4. You should remove the files!

2 comes from the Super Download Store for Version 2.3.x
Code:
// BOF Super Download Store v2.3.x mod symlink(DIR_FS_DOWNLOAD . $downloads[\'orders_products_filename\'], DIR_FS_DOWNLOAD_PUBLIC . $tempdir . \'/\' . $file_name); tep_redirect(DIR_WS_DOWNLOAD_PUBLIC . $tempdir . \'/\' . $file_name); } else { // This will work on all systems, but will need considerable resources // We could also loop with fread($fp, 4096) to save memory set_time_limit(0); // Prevent the script from timing out for large files tep_download_buffered(DIR_FS_DOWNLOAD . $downloads[\'orders_products_filename\']); // EOF Super Download Store v2.3.x mod

You could try to use only the second code, there is no update yet on the Oscommerce website . if you don\'t use the download option, you could consider to remove the code.

3. components/com_oscommerce/includes/configure.php is heavy modified for MarvikShop to work with Joomla. There is not really a connection with Oscommerce versions, other then connections to define the needed files.
Last edit: 9 years 4 months ago by Admin.

Please Log in or Create an account to join the conversation.

Events Joomla
MarvikShop
Finnaly it's here:
 
No bridges, no look a likes!
This is the ultimate integration
between Oscommerce and Joomla!
Documentation
Site Showcase
Follow us