Do you really trust the CRE Team? Well, we used to... We even considered opening CRE osCommerce hosting plans within our new webhosting project.
A bit of background. We have set PHP on our hosting to work in CGI mode and installed mod_security for Apache. And we have installed CRE Loaded osCommerce...
Do you know that by installing this software you allow the creLoaded website owner FULL access to your data? CRE Loaded osCommerce includes a feature to RUN PHP code REMOTELY!!!
Here is one of the example files:
Contains the following code:
What is this? Just unprofessionalism, or a backdoor? It looks like the second case, for 2 reasons:
There's an HTML tag to include JavaScript code from HTML. In that case the code would be loaded once and saved in the browser cache, and it wouldn't allow creloaded.com to track how often the customer loads it, except when the browser cache is cleaned automatically after each session.
The second reason: this way the creLoaded Team can add any HTML command to the cre_google.js script and it would be RUN on YOUR webhosting server. So, a very simple way to collect private information from your SHOP database.
Still not enough? You still trust them? We did, until the following.
There's another HUGE security hole. Anyone who wants to steal your customers' private data has the following option:
Purchase a hosting account on the same server, or even in the same hosting cluster, then add the domain creloaded.com to his account, and with cre_google.js he can run any commands using YOUR account.
This is not the only script that includes remote files. This hole does not affect your system if you have 'allow_url_fopen = off' in your php.ini.
We recommend that all webhosting providers turn it off, since this will secure you from this kind of vulnerability, which many free PHP scripts have.
Hope this info was useful.
P.S. To the CRE guys: nothing personal, it's just a matter of fact that you HAVE security holes in your product. Pay attention to that instead of ignoring it.
:: E-Commerce Solutions of All Scales >>
:: Remote Server Administration and Security Tests >>
:: Plenty of Other Web Services...
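The two checks a hosting admin would want after reading the post above, as an added example (not code from the post or from the CRE Loaded project): a scan for PHP include/require statements that pull code from a URL, and a parser for the php.ini directives that decide whether such an include can reach the network. The sample PHP file, the vendor.example host and both php.ini fragments are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# include/require(_once), optional "(", then a quoted URL using one of the
# network stream wrappers PHP opens when allow_url_fopen is on.
REMOTE_INCLUDE_RE = re.compile(
    r"""\b(?:include|require)(?:_once)?\s*\(?\s*['"]((?:https?|ftps?)://[^'"]+)['"]""",
    re.IGNORECASE,
)

def find_remote_includes(php_source: str) -> List[Tuple[int, str]]:
    """Return (line_number, url) for every include/require of a remote URL."""
    hits = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        for match in REMOTE_INCLUDE_RE.finditer(line):
            hits.append((lineno, match.group(1)))
    return hits

def parse_php_ini_flags(php_ini: str) -> Dict[str, bool]:
    """Extract the two directives that govern URL includes, as booleans."""
    flags = {}
    for raw in php_ini.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        key, sep, value = line.partition("=")
        key, value = key.strip().lower(), value.strip().strip('"').lower()
        if sep and key in ("allow_url_fopen", "allow_url_include"):
            flags[key] = value in ("1", "on", "true", "yes")
    return flags

def remote_code_loading_possible(flags: Dict[str, bool]) -> bool:
    """True if include('http://...') could still pull code off the network.
    allow_url_fopen defaults to On. A missing allow_url_include is treated as
    permissive: PHP before 5.2 had no such directive and let allow_url_fopen
    alone govern include(), so only an explicit Off counts as a block."""
    return flags.get("allow_url_fopen", True) and flags.get("allow_url_include", True)

# Constructed sample in the shape the post describes (not the project's
# actual file): a tracking script pulled in server-side from a remote host.
SAMPLE_PHP = """<?php
include('http://vendor.example/cre_google.js');
require_once 'http://vendor.example/stats.php';
include('includes/footer.php');  // local path, not flagged
?>"""
WEAK_INI = "allow_url_fopen = On\n"
HARDENED_INI = "; block network wrappers for include() and fopen()\nallow_url_fopen = Off\nallow_url_include = Off\n"

if __name__ == "__main__":
    for lineno, url in find_remote_includes(SAMPLE_PHP):
        print(f"line {lineno}: remote include of {url}")
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        state = "remote code possible" if remote_code_loading_possible(parse_php_ini_flags(ini)) else "blocked"
        print(f"{name} php.ini: {state}")
```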
Thanks for the information. This is a security risk. If a hacker got access to the creloaded.com web server and modified cre_google.js with some PHP code, all web sites using creloaded osCommerce could lose all their data.