  1. #1
    Join Date
    Nov 2002
    Location
    Ukraine, Lviv
    Posts
    71

    * What's happening to CRE?

    OK, this really got me...

    We have found several serious security flaws in CRE Loaded osCommerce 6.2.

    I have tried contacting the CRE Team and never got a response. I have posted on their forum - my post was deleted w/o any notification and so on.

    They never react to security reports.

    Has anyone tried to report problems to CRE? Was there any other reaction, instead of ignoring?
    ::-:-Help4Hosters.com-:-::
    :: E-Commerce Solutions of All Scales >>
    :: Remote Server Administration and Security Tests >>
    :: Plenty of Other Web Services...

  2. #2
    Join Date
    Dec 2003
    Posts
    936
    What problems are you referring to?
    Can you explain in a little detail?
    Primary email: advanced dot programmer at gmail dot com ..

  3. #3
    Join Date
    Nov 2002
    Location
    Ukraine, Lviv
    Posts
    71
    superprogram, some time ago I have posted here: http://www.webhostingtalk.com/showthread.php?t=556048

    But it seems I have chosen the wrong section.

    Also, except the thread I've mentioned, we have found one more bug.

    By default, the EasyPopulate module in CRELoaded OSC stores files in the temporary dir of your catalog, and this dir does not have any kind of protection from file downloading.

    So if you often use it, a bad guy can write a simple bot that would guess file names, and as a result he would get a complete catalog of your store.

    Files are stored using a simple coding method - using the date they are generated on:

    /catalog/temp/EPA2006Nov03-1301.txt

    It's really not hard to guess it. So, if you still love CRELoaded and EasyPopulate - make sure that the temporary dir is protected with a password using .htaccess.

    Well... I believe, we'll find new security flaws in the nearest future.
    ::-:-Help4Hosters.com-:-::
    :: E-Commerce Solutions of All Scales >>
    :: Remote Server Administration and Security Tests >>
    :: Plenty of Other Web Services...
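
Added example, not part of the original thread or of CRE Loaded's code: a store owner's check of an Apache access log for the exposure described in post #3, reporting export files that were actually served and clients that requested several non-existent export names. The filename pattern is generalised from the single name quoted in the post, and the log lines, addresses and threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumption: pattern generalised from the one filename in the post
# (/catalog/temp/EPA2006Nov03-1301.txt); adjust it to your own install.
EXPORT_RE = re.compile(r"/temp/EP[A-Za-z]*\d{4}[A-Z][a-z]{2}\d{2}-\d{4}\.txt$")
# Apache common/combined log format: host ident user [time] "METHOD path proto" status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')

# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [03/Nov/2006:13:05:10 +0200] "GET /catalog/temp/EPA2006Nov03-1300.txt HTTP/1.1" 404 210
203.0.113.7 - - [03/Nov/2006:13:05:11 +0200] "GET /catalog/temp/EPA2006Nov03-1301.txt HTTP/1.1" 200 48213
203.0.113.7 - - [03/Nov/2006:13:05:12 +0200] "GET /catalog/temp/EPA2006Nov03-1302.txt HTTP/1.1" 404 210
203.0.113.7 - - [03/Nov/2006:13:05:13 +0200] "GET /catalog/temp/EPA2006Nov03-1303.txt HTTP/1.1" 404 210
198.51.100.4 - - [03/Nov/2006:13:06:00 +0200] "GET /catalog/index.php HTTP/1.1" 200 9120
192.0.2.9 - - [04/Nov/2006:09:00:00 +0200] "GET /catalog/temp/EPA2006Nov03-1301.txt HTTP/1.1" 401 401
""".splitlines()

def audit(lines, probe_threshold=3):
    """Return (leaks, probers) for export-style paths in an access log.

    leaks:   [(client, path)] where an export file was served (2xx or 304).
    probers: {client: n} for clients with n >= probe_threshold distinct
             export-style paths that were refused or missing (401/403/404).
    """
    leaks = []
    misses = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a GET/HEAD line in the expected format
        client, path, status = m.group(1), m.group(2).split("?", 1)[0], int(m.group(3))
        if not EXPORT_RE.search(path):
            continue
        if 200 <= status < 300 or status == 304:
            leaks.append((client, path))      # the file left the server
        elif status in (401, 403, 404):
            misses[client].add(path)          # blocked or wrong guess
    probers = {c: len(p) for c, p in misses.items() if len(p) >= probe_threshold}
    return leaks, probers

if __name__ == "__main__":
    leaks, probers = audit(SAMPLE_LOG)
    print("served export files:", leaks)
    print("clients probing export names:", probers)
```

Any entry in `leaks` means the temp dir was readable at that time; once the .htaccess password from the post is in place, the same requests should only ever appear with 401.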
