admin security issue (2009) – all oscommerce-based carts

A security loophole was discovered mid-2009 in the Admin code whereby a hacker could manipulate the admin page url to bypass the login / password function. It affected osCommerce and all derivatives of it – Cre Loaded, oscMax etc. Cre Loaded version 6.4.0a applied this patch – if you are running versions prior to 6.4.0a then you should definitely keep reading.

Files to check:
admin/includes/application_top.php around line 56
/includes/application_top.php around line 46

Either or both of the two lines of code shown below may occur in each file, depending on your version.

This code should be replaced as soon as possible (i.e. this is the vulnerable version):

// Vulnerable: prefers PHP_SELF, which is derived from the requested URL rather than from the script the server actually ran
$PHP_SELF = (isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME']);

and / or

// Same vulnerable logic using the older PHP 4 style $HTTP_SERVER_VARS array (deprecated, removed in PHP 5.4)
$PHP_SELF = (isset($HTTP_SERVER_VARS['PHP_SELF']) ? $HTTP_SERVER_VARS['PHP_SELF'] : $HTTP_SERVER_VARS['SCRIPT_NAME']);

This code is the replacement (i.e. the safe version):

// Fixed: SCRIPT_NAME is the path of the script the web server executed, not a value taken from the request URL
$PHP_SELF = $_SERVER['SCRIPT_NAME'];
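To see why the one-line change matters, here is an added illustration (not code from the original post, osCommerce or Cre Loaded) that runs the old and new assignments against a constructed $_SERVER array standing in for two requests: a normal one, and one whose URL carries extra path segments after the script name. The function names and sample paths are assumptions made for this example.

```php
<?php
// Added example, not part of the original post or of any osCommerce-based cart.
// $_SERVER['PHP_SELF'] is built from the requested URL and can carry whatever
// extra path segments the request appended after the script; $_SERVER['SCRIPT_NAME']
// is the script the web server actually executed. A constructed $_SERVER array
// (hypothetical values) is used here so the two assignments can be compared offline.

function php_self_vulnerable(array $server) {
    // The line the post says to replace: trusts PHP_SELF when it is set.
    return (isset($server['PHP_SELF']) ? $server['PHP_SELF'] : $server['SCRIPT_NAME']);
}

function php_self_fixed(array $server) {
    // The replacement line from the post: always the script that ran.
    return $server['SCRIPT_NAME'];
}

// Constructed sample requests (hypothetical paths, not real server data).
$requests = array(
    'normal request'    => array('SCRIPT_NAME' => '/admin/categories.php',
                                 'PHP_SELF'    => '/admin/categories.php'),
    'extra path in URL' => array('SCRIPT_NAME' => '/admin/categories.php',
                                 'PHP_SELF'    => '/admin/categories.php/anything'),
);

foreach ($requests as $label => $server) {
    $old = php_self_vulnerable($server);
    $new = php_self_fixed($server);
    printf("%-18s old: %-34s new: %s\n", $label, $old, $new);
    // Flag the case a defender cares about: the old line yielding a value that
    // does not match the script the server really executed.
    if ($old !== $server['SCRIPT_NAME']) {
        echo "  -> old line produced a request-controlled value; fixed line did not\n";
    }
}
```

Anything downstream in the admin code that treats $PHP_SELF as the name of the running script gets the request-supplied value with the old line and the real script name with the new one, which is exactly what the patch closes.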

One simple change to the code – no need to pay to get this done!