Author Topic: URGENT - OSCommerce and PHPBB2 Security Vulnerabilities -- ot  (Read 5408 times)

albert

« on: November 18, 2005, 03:30:25 pm »

Hi All

Have you seen this :)

This is an E-mail regarding the popular OSCommerce shopping cart and
PHPBB2 forum software that you may use. There are some vulnerabilities
for these software packages that require URGENT attention. If you use
any of these packages please read this E-mail. If any of your users or
developers use these software packages, please forward this E-mail on to
them.

OSCOMMERCE
----------

There is a vulnerability in OSCommerce that allows spammers to send out
multiple E-mails using contact_us.php. There are two options to resolve
this problem:

 If you do not use the contact us feature in OSCommerce, simply delete
the contact_us.php file. This can be found in the root of your
OSCommerce installation.

------------------------
OSCommerce contact_us.php fix

1. Download and backup /includes/functions/general.php from your OSCommerce installation on your web-site.

2. Open up general.php and go to roughly line 940. You will find lines similar to the following:

      function tep_mail($to_name, $to_email_address, $email_subject, $email_text, $from_email_name, $from_email_address) {
      if (SEND_EMAILS != 'true') return false;

3. Copy and paste the following text and add it BELOW the line you found above:

      // Refuse to send if any field carries an injected MIME header.
      if(eregi('Content-Type:',$to_name)) return false;
      if(eregi('Content-Type:',$email_subject)) return false;
      if(eregi('Content-Type:',$from_email_name)) return false;
      if(eregi('Content-Type:',$email_text)) return false;
      // Cut header fields at the first line break so no extra header lines can follow.
      $to_name = preg_replace('/[\n|\r].*/','',$to_name);
      $email_subject = preg_replace('/[\n|\r].*/','',$email_subject);
      $from_email_name = preg_replace('/[\n|\r].*/','',$from_email_name);

4. Save and upload the file.

-----------------------


PHPBB2
------

There have been several vulnerabilities recently that can result in an
attacker taking over or corrupting your forum.

Please upgrade all of your PHPBB installations to the latest version by
downloading the Changed Files Only from the link below. Once downloaded, unzip
it, upload the files to your PHPBB2 installation and follow the upgrade
instructions in the install directory.

http://www.phpbb.com/downloads.php


My Note:
shall not be held liable to anyone for any errors, omissions or inaccuracies under any circumstances. The entire risk for utilizing the information contained rests solely with you. I.e. seek help if you do not know what you are doing......

Albert


Albert
http://snews.awddesign.co.uk/snews/ site: v1.3
http://snews.awddesign.co.uk/           site: v1.2 http://www.awddesign.co.uk/
“Putting together the largest collection of sNews 1.5 designs. Coming very soon :)
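
A stricter take on the step 3 checks from the e-mail above, as an added example that is not part of the original post or of osCommerce: it rejects any header-bound field containing a line break instead of truncating it, and also validates the sender address. The helper names `is_single_line` and `check_mail_fields`, the field keys and the sample submissions are assumptions made for illustration; it needs PHP 5.4 or later.

```php
<?php
// Added example, not osCommerce code. Both helpers are hypothetical.

// True when a value can safely sit on a single mail header line.
function is_single_line($value) {
    // CR, LF or NUL anywhere means the value could start a new header line.
    return preg_match('/[\r\n\0]/', $value) === 0;
}

// Returns a list of problems; an empty list means the message may be sent.
function check_mail_fields(array $fields) {
    $problems = [];
    // Fields that end up in headers must never contain line breaks.
    foreach (['to_name', 'subject', 'from_name', 'from_address'] as $key) {
        if (!is_single_line($fields[$key])) {
            $problems[] = "$key contains a line break";
        }
    }
    // The sender address must also be syntactically valid.
    if (filter_var($fields['from_address'], FILTER_VALIDATE_EMAIL) === false) {
        $problems[] = 'from_address is not a valid e-mail address';
    }
    // The body may span lines, but a contact form message has no reason
    // to carry MIME header lines of its own.
    if (preg_match('/^(Content-Type|MIME-Version|Content-Transfer-Encoding):/im', $fields['body'])) {
        $problems[] = 'body contains a MIME header line';
    }
    return $problems;
}

// Constructed sample submissions (not real traffic).
$samples = [
    'normal' => [
        'to_name' => 'Store Owner', 'subject' => 'Enquiry',
        'from_name' => 'Visitor', 'from_address' => 'visitor@example.com',
        'body' => "Hello,\nwhen do you ship?",
    ],
    'injected' => [
        'to_name' => 'Store Owner', 'subject' => 'Enquiry',
        'from_name' => "Visitor\r\nX-Extra: constructed",
        'from_address' => 'visitor@example.com',
        'body' => 'Hello',
    ],
];
foreach ($samples as $label => $fields) {
    $problems = check_mail_fields($fields);
    echo $label, ': ', $problems ? implode('; ', $problems) : 'ok', "\n";
}
```

Unlike the `Content-Type:` test alone, the line-break check catches an injected header of any name, which is why the second sample is refused even though it never mentions `Content-Type`.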

bryn

« Reply #1 on: November 18, 2005, 05:40:19 pm »

thanks for the tip Albert..much appreciated! pesky darn spammers  :'(
Over 1,000 posts of joy, sNews is not only brilliant, but fun too! thanks guys :D