OSCommerce vulnerabilities

[Ronnie]

The latest version of OSCommerce as of the date of this post is:

osCommerce Online Merchant v2.2 Release Candidate 2a

If you are not running this version or have not applied all patches, your system is not secure.


It has come to our attention that all versions of osCommerce appear to be vulnerable to exploitation if certain steps are not taken by site owners.

Details of the exploit(s) and steps you can take to protect your osCommerce installation can be viewed in the below osCommerce Forums posts:

http://forums.oscommerce.com/index.php?showtopic=313323
http://forums.oscommerce.com/index.php?showtopic=344651

This exploit allows the attacker to gain full access to your package and all data within, as well as use it for other potential malicious purposes such as sending spam mailings. Active exploits are taking place.

We are scanning the servers for osCommerce installations and we will be notifying site owners, on a domain by domain basis, of this information via email.

For those with an osCommerce installation requiring assistance with modifying their scripts we recommend visiting the osCommerce Forums:

http://forums.oscommerce.com/

Also note that all sites with third party scripts installed should take proactive steps to ensure they maintain all patches and upgrades for the scripts installed within an account and monitoring security forums or subscribing to security mailing lists for all installed scripts is strongly recommended.