Burts AIS, osCommerce & More Blog
New URL: www.osworld.biz

Tuesday, September 13, 2005

osCommerce Email Vulnerability

You may have been seeing attempts to find an email-injection vulnerability in your osCommerce sites. These attempts are probing the contact_us form for a way to use it as an email relay, and the hole needs plugging. Earlier today, Christian Lescuyer made available email.php (zipped), which is a direct replacement for the following file: /includes/classes/email.php. Make a backup of the old file first, before uploading this new one. And please note that I have not tested this, so use at your own risk. Many thanks to Christian for this interim fix.
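To show what the relay abuse relies on and what a fix has to check, here is an added example of input validation for a contact form; it is not Christian Lescuyer's email.php and not osCommerce code, and the handler structure, field names and function names are assumed:

```php
<?php
// Added example (not the osCommerce or email.php code). Assumed: a contact
// form handler that takes name, email and subject from the request and
// passes them into mail() headers. Function names are hypothetical.

// A header value must be a single line. A CR or LF (raw or URL-encoded)
// lets a submission append extra header lines, such as more recipients,
// which is how a contact form gets turned into a relay.
function has_header_injection(string $value): bool
{
    return (bool) preg_match('/(\r|\n|%0a|%0d)/i', $value);
}

// Validate the fields that end up in mail headers. Return an error list
// instead of silently stripping characters, so the attempt is logged.
function validate_contact_fields(array $fields): array
{
    $errors = [];
    foreach (['name', 'email', 'subject'] as $key) {
        if (has_header_injection($fields[$key] ?? '')) {
            $errors[] = "$key: line break in header field";
        }
    }
    if (!filter_var($fields['email'] ?? '', FILTER_VALIDATE_EMAIL)) {
        $errors[] = 'email: not a valid single address';
    }
    return $errors;
}

// Constructed sample submissions: one normal, one carrying an injected header.
$normal   = ['name' => 'Jane', 'email' => 'jane@example.com',
             'subject' => 'Order question'];
$injected = ['name' => 'Jane', 'email' => "jane@example.com\r\nBcc: x@example.net",
             'subject' => 'Order question'];

foreach ([$normal, $injected] as $submission) {
    $errors = validate_contact_fields($submission);
    if ($errors) {
        // Reject and record; do not call mail() for this submission.
        error_log('contact_us header injection attempt: ' . implode('; ', $errors));
        continue;
    }
    // Each field is now a single line, so the From header cannot grow extra lines.
    $headers = 'From: ' . $submission['name'] . ' <' . $submission['email'] . '>';
    // mail('shop@example.com', $submission['subject'], $body, $headers);
}
```

The same single-line check belongs on every value that reaches a header, not only the sender address; the body can stay free-form.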


7 Comments:

At 9/14/2005 12:10:00 AM, Anonymous Anonymous said...

Do you know why he removed it from the osC site just after he put it up?
It might be worthwhile to find out the answer before using it.

Peter
Java Roasters

 
At 9/14/2005 08:25:00 AM, Blogger Gary B. said...

Did he remove it? I wonder why that is. One of my clients actually sent me this, rather than me finding it first!

As I say, use at your own risk. Maybe Christian will comment on it when he reads this message! ;)

 
At 9/16/2005 12:58:00 PM, Blogger Gary B. said...

OK, I've tested this on one of my sites and it appears to work fine. Still get the random emails but none of them come in MIME format...

Would still be best to get further advice from Christian Lescuyer though - hopefully he will post in this thread to say if it can be used or not ...

 
At 9/16/2005 02:27:00 PM, Anonymous Anonymous said...

Here is the link to the vulnerability.

http://www.securityfocus.com/archive/107/407696

More info:
http://musingsofharry.blogspot.com/2005/08/email-header-injection-in-php.html

Is this a "REAL" problem? It does seem like the osCommerce forums are acknowledging it.

 
At 9/18/2005 11:54:00 AM, Anonymous Christian Lescuyer said...

Hi,

To my knowledge, my fix works against this attack. We're working on something better, though. Watch the support site!

Xtian

 
At 9/18/2005 01:32:00 PM, Blogger Gary B. said...

Many thanks Christian!

 
At 3/03/2006 11:05:00 PM, Blogger Gary B. said...

I noticed a lot of hits to this page recently.

If you are unsure about installing this script yourself, I can install it for you. The cost would be very minimal (buy me a beer) ;)


If you require this, please get in touch with me: oscshops@gmail.com

 
