OSCommerce Admin Mail Hack

OSCommerce v2.2 RC2a has a vulnerability which allows hackers to use your website and customer database to send YOUR customers SPAM advertising email. Previous versions of OSC didn't have any login for administrators:

OSC Admin Login

...so it was obvious you had to protect the admin folder to stop anyone at all from getting in and making money off your website. The current version makes you feel safe and that's a bad thing. It's not safe from hackers that know what they're doing and it's possible to do just about any admin function. Once they've uploaded a PHP file to your /images directory they can do anything with your website. Or they can use the Newsletter manager to send whatever message they like to any and all of your customers, but you'll get the blame because the email will appear to have been sent by you.
Best deals on vigor-boosters tonight! Catch your chance to buy on near-zero prices!

What Should I do?

The exploit cannot be run on sites where the admin directory is password protected. If you use your Webserver Control Panel to set up username/password (Basic Authentication) on the admin directory, you can get your browser to remember the username and password for you so it's not onerous logging in, but you'll be safe from further exploits using this method.

Password Required

If you're looking for an OSCommerce expert that can listen to your problems and provide solutions, just contact us (standard disclaimer: not for free though)

 

featured website
Active Mobility

Active Mobility

Active Mobility sell items which may qualify for VAT relief if the customer completes a form.

This work involved integrating a new form into the OSCommerce checkout procedure and adjusting prices appropriately.