Bill Cooke is a Freelance Web Designer and Graphic Designer based out of Toronto, Canada.
OsCommerce e-mail exploit fix
There is a vulnerability in osCommerce that will allow a hacker to send emails to your customers without having to log in the admin area of your back end.
The exploit is done by accessing the URL admin/mail.php/login.php on your site; the vulnerability gives access to the send-mail function to email all customer accounts without login access to your admin area. (Again, as I mentioned in my osCommerce security posting, you should also rename your admin folder to a more secure directory name.)
Edit admin/includes/application_top.php
find:
// redirect to login page if administrator is not yet logged in
if (!tep_session_is_registered('admin')) {
add before:
// fix to stop hacks that use extra path info (e.g. mail.php/login.php) to reach the send-mail function
$hack_test = strtolower($_SERVER['PHP_SELF']);
if (substr_count($hack_test, '.php') > 1) {
  tep_redirect(tep_href_link(FILENAME_LOGIN));
}
This fix checks the URL used, and if it contains .php more than once (as it does when this exploit is used) it redirects to the login page so the request is never processed.
Update: December 29th, 2009
Thanks to an email from Neil D, who brought to my attention that some people, depending on PHP version or server setup, may need to replace the ' with " in the code above for the fix to work.
Thanks Neil!
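As an added example (not part of the original post), here is the same ".php more than once" test ported to Python and run over constructed access-log lines, so you can check whether an unpatched store was probed with this path-info trick. It also includes a stricter variant that flags any request where a .php segment is followed by more path, which the original count-based check misses. The log lines and IP addresses are made up for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Apache combined log format (not from any real server).
SAMPLE_LOG = """\
203.0.113.7 - - [29/Dec/2009:10:01:02 -0500] "GET /admin/mail.php/login.php HTTP/1.1" 200 5120
203.0.113.7 - - [29/Dec/2009:10:01:09 -0500] "POST /admin/mail.php/login.php?action=send HTTP/1.1" 302 0
198.51.100.4 - - [29/Dec/2009:10:02:15 -0500] "GET /admin/login.php HTTP/1.1" 200 3100
198.51.100.4 - - [29/Dec/2009:10:03:44 -0500] "GET /admin/orders.php?oID=123 HTTP/1.1" 200 9800
198.51.100.4 - - [29/Dec/2009:10:04:01 -0500] "GET /images/logo.php.png HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def has_php_path_info(target: str) -> bool:
    """Mirror the application_top.php check: True when the request path
    contains '.php' more than once, which is what mail.php/login.php relies on."""
    path = unquote(urlsplit(target).path).lower()
    return path.count('.php') > 1


def script_is_followed_by_path_info(target: str) -> bool:
    """Stricter variant: flag any path where a '.php' segment is not the last
    segment, i.e. the web server would hand extra PATH_INFO to the script."""
    segments = unquote(urlsplit(target).path).lower().split('/')
    return any(seg.endswith('.php') for seg in segments[:-1])


def find_path_info_abuse(log_text: str) -> list:
    """Return (ip, method, target, status) for every request that trips either check."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        target = m['target']
        if has_php_path_info(target) or script_is_followed_by_path_info(target):
            hits.append((m['ip'], m['method'], target, m['status']))
    return hits


if __name__ == '__main__':
    for hit in find_path_info_abuse(SAMPLE_LOG):
        print(hit)
```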
Setting up PayPal and osCommerce
PayPal is one of the most trusted payment gateways around (and one of the older ones). It is supported by osCommerce and is a great option to start with for accepting payments online for your osCommerce store. Here is some setup information on the steps required to install and configure the PayPal payment module in osCommerce.
osCommerce Tips: Adding Order # To Packing Slip & Invoices
Here is a quick tip to add the order # to the packing slip and invoices in osCommerce…
Edit admin/invoice.php with your favorite HTML editor (make a backup first, of course).
Look for the following line:
<td><?php echo nl2br(STORE_NAME_ADDRESS); ?></td>
Add the following line directly below it:
<td align="right">Order #<?php echo (int)$oID; ?></td>
Then save the file. Done. Easy. Handy. Fun to do. Now go have a beer.
Essential Contributions for osCommerce
osCommerce on its own is a great platform for developing a PHP-based e-commerce web site. In the many years of its continuing development by its community (it is an open-source e-commerce solution), it has become a powerful base for any e-commerce web site. There are, however, a few extensions for it (known as contributions) which I have found extremely useful, and I find myself using them quite often when I choose osCommerce for a project.