Bill Cooke is a Freelance Web Designer and Graphic Designer based out of Toronto, Canada.
osCommerce e-mail exploit fix
There is a vulnerability in osCommerce that allows an attacker to send e-mails to your customers without logging in to the admin area of your back end.
The exploit is done by accessing the URL admin/mail.php/login.php on your site; this gives access to the send-mail function, so an attacker can e-mail all customer accounts without having login access to your admin area. (Again, as I mentioned in my osCommerce security posting, you should also rename your admin folder to a more secure directory name.)
edit admin/includes/application_top.php
find:
// redirect to login page if administrator is not yet logged in
if (!tep_session_is_registered('admin')) {
add before:
// fix to stop hacks to send mail
// PHP_SELF includes any trailing path info, so a request for
// admin/mail.php/login.php shows ".php" twice
$hack_test = strtolower($_SERVER['PHP_SELF']);
if (substr_count($hack_test, '.php') > 1) {
    tep_redirect(tep_href_link(FILENAME_LOGIN));
}
This fix checks the URL that was used and, if it contains .php more than once (which is how this exploit is used), redirects to the login page so the request cannot go through.
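If you want to know whether anyone has already tried this against your shop, the same test the fix applies to PHP_SELF can be run over your web server access log. The script below is an added example, not code from the original post or from osCommerce: it parses Apache combined-format log lines (the sample lines and the IP addresses in them are constructed for the example), applies the "more than one .php in the path" check, and lists the matching requests. It strips the query string before checking because PHP_SELF carries the script path and any trailing path info but not the query string, so the log check matches what the fix itself sees.

```python
import re
from urllib.parse import urlsplit

# Constructed sample Apache combined-log lines (not taken from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [29/Dec/2009:10:00:01 +0000] "GET /admin/login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Dec/2009:10:00:07 +0000] "GET /admin/mail.php/login.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Dec/2009:10:00:09 +0000] "POST /admin/mail.php/login.php?page=1 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.9 - - [29/Dec/2009:10:01:00 +0000] "GET /admin/categories.php?cPath=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [29/Dec/2009:10:01:30 +0000] "GET /admin/Mail.PHP/Login.PHP HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_multi_php_path(path: str) -> bool:
    """The same test the fix applies to $_SERVER['PHP_SELF']:
    lowercase the path and flag it when '.php' appears more than once."""
    return path.lower().count('.php') > 1


def script_path(target: str) -> str:
    """PHP_SELF holds the script path plus any trailing path info, but never
    the query string, so drop the query before applying the check."""
    return urlsplit(target).path


def scan_access_log(log_text: str):
    """Return (ip, method, path, status) for every request whose path would
    have been redirected by the fix."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = script_path(m.group('target'))
        if is_multi_php_path(path):
            hits.append((m.group('ip'), m.group('method'), path, m.group('status')))
    return hits


if __name__ == '__main__':
    for ip, method, path, status in scan_access_log(SAMPLE_LOG):
        print(f'{ip} {method} {path} -> {status}')
```

A status of 200 on a flagged request made before the fix was installed means the page was served rather than redirected, which is worth following up with the shop's customers in mind; after the fix those requests should show up as 302 redirects to login.php.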
Update: December 29th, 2009
Thanks to an e-mail from Neil D, he has brought to my attention that some people, depending on PHP version or server setup, may need to replace the ' with " in the code above for the fix to work.
Thanks Neil!