osCommerce Email Vulnerability
You may have been seeing attempts to find a vulnerability using email injection in your osCommerce sites. These attempts are trying to find a way to use the contact_us form as an email relay - it needs plugging. Earlier on today, Christian Lescuyer made available » email.php (.zipped) « which is a direct replacement for the following file:
/includes/classes/email.php
Make a back up of the old file first, before uploading this new one. And please note that I have not tested this, so use at your own risk.
Many thanks to Christian for this interim fix.
Comment by Anonymous — September 14, 2005 @ 12:10 am
Do you know why it he removed it from the osC site just after he put it up?
It might be worth while to find out the answer before using it.
Peter
Java Roasters
Comment by Anonymous — September 14, 2005 @ 12:10 am
Do you know why it he removed it from the osC site just after he put it up?
It might be worth while to find out the answer before using it.
Peter
Java Roasters
Comment by Gary B. — September 14, 2005 @ 8:25 am
Did he remove it? I wonder why that is. One of my clients actually sent me this, rather than me finding it first!
As I say, use at your own risk. Maybe Christian will comment on it when he reads this message!
Comment by Gary B. — September 14, 2005 @ 8:25 am
Did he remove it? I wonder why that is. One of my clients actually sent me this, rather than me finding it first!
As I say, use at your own risk. Maybe Christian will comment on it when he reads this message!
Comment by Gary B. — September 16, 2005 @ 12:58 pm
OK, I've tested this on one of my sites and it appears to work fine. Still get the random emails but none of them come in MIME format…
Would still be best to get further advice from Christian Lescuyer though - hopefully he will post in this thread to say if it can be used or not …
Comment by Gary B. — September 16, 2005 @ 12:58 pm
OK, I've tested this on one of my sites and it appears to work fine. Still get the random emails but none of them come in MIME format…
Would still be best to get further advice from Christian Lescuyer though - hopefully he will post in this thread to say if it can be used or not …
Comment by Anonymous — September 16, 2005 @ 2:27 pm
Here is the link to the vulnerability.
http://www.securityfocus.com/archive/107/407696
More info:
http://musingsofharry.blogspot.com/2005/08/email-header-injection-in-php.html
Is this a "REAL" problem? It does seem like the osCommerce forums are acknowledging it.
Comment by Anonymous — September 16, 2005 @ 2:27 pm
Here is the link to the vulnerability.
http://www.securityfocus.com/archive/107/407696
More info:
http://musingsofharry.blogspot.com/2005/08/email-header-injection-in-php.html
Is this a "REAL" problem? It does seem like the osCommerce forums are acknowledging it.
Comment by Christian Lescuyer — September 18, 2005 @ 11:54 am
Hi,
To my knowledge, my fix works against this attack. We're working on something better, though. Watch the support site!
Xtian
Comment by Christian Lescuyer — September 18, 2005 @ 11:54 am
Hi,
To my knowledge, my fix works against this attack. We're working on something better, though. Watch the support site!
Xtian
Comment by Gary B. — September 18, 2005 @ 1:32 pm
Many thanks Christian!
Comment by Gary B. — September 18, 2005 @ 1:32 pm
Many thanks Christian!
Comment by Gary B. — March 3, 2006 @ 11:05 pm
I noticed a lot of hits to this page recently.
If you are unsure about installing this script yourself, I can install it for you. The cost would be very minimal (buy me a beer)
If you require this, please get in touch with me: oscshops@gmail.com
Comment by Gary B. — March 3, 2006 @ 11:05 pm
I noticed a lot of hits to this page recently.
If you are unsure about installing this script yourself, I can install it for you. The cost would be very minimal (buy me a beer)
If you require this, please get in touch with me: oscshops@gmail.com