Magnum Blog by osHelpers

Creloaded.com - SERIOUS Security Issue February 2010 revealed …oh no PLEASE, NOT AGAIN!

• February 18, 2010 10:30 am

I am not much of a wordsmith, I much rather express myself visually. I just take much more joy doing the visual parts. Red Colors and yellow gradients, that’s where I belong. Just put me on a damn rainbow and I’ll slide it down like a effn’ roller coaster.

Somebody else who is going up and down like a roller coaster right now is Creloaded’s CEO Sal, who just spent months and months of time sensitive investors capitol into PCI / security related aspects but is now facing serious security and privacy violation issues with several thousand live creloaded stores on the market, currently vulnerable to something as simple as a URL change attack. Who would have thought, using a simple trick as a URL change allows any malicious user to access protected pages in the admin area without an admin password?

Check if you are among the ones affected by changing the URL /admin/login.php to admin/orders.php/login.php. What a nice find, right Sal?

Security at Creloaded has been breeched quite a few times now and in the past. The last significant breech which occurred in 2009 involved another former cre employee, Jason Mayer, aka Creguru who managed to email CREloaded’s full customer list a newsletter about his site www.freecreloaded.com where versions and patches up to Creloaded 6.2 B2B patch 13 can be obtained at no cost under the GNU/GPL license.

And before that, there was actually a much more severe incident which involved a non-employee who hacked into creloaded and stole all their customers’ FTP usernames and passwords and then shut down all sites by uploading custom index files. I had written about this last year, then Sal asked me nicely to remove it and said he would give me ice-cream. Long story short, I’ve never got any ice-cream.

The 2 incidents above are just the tip of the iceberg. Creloaded’s security issues go way back til version 6.15 which included a Filemanager in the admin area, which was quickly removed in version 6.2. Let me put it this way. The file manager which was meant for the admin only, wasn’t just being used by the admin alone

The highlight of this evening however, was presented to me in form of a newsletter email by former osHelper Vakislav Kravchuk aka Slava aka CREHelp.com, a highly money hungry Ukrainian teenager, who was barely fitting Creloaded diapers when I recruited him from Scriptlance and trained for several months back in early ‘08 or late ‘07.

Crehelp.com (Slava) is sending out messages that look like the one below and trying to stimulate the economy of his own wallet by taking advantage of other shop owners’ misery. Please do NOT fall for this SCAM as others already have and commit to paying Crehelp $40 for a 2 minute code edit or $80 for crehelp to login to your control panel and click Pass Protect Directory’s another 2 minute task priced at $40. You may as well throw your money out the window.

We provide the same EXACT patch to all our customers FREE, cause that’s what we call customer courtesy, it’s simply part of the character of our company, it’s part of the character of the individuals who’ve been out there almost everyday for the past 5 years fixing your stuff. It’s just us. We do not and will not take advantage of anybody, regardless of the surroundings. Period! All I am saying is, don’t fall for a backstabber who is trying to hit you over the head. I fell for it once already.

For those who are affected and comfortable editing the:

admin/includes/application_top.php file.

Simply find the line:

$PHP_SELF = (isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] :
$_SERVER['SCRIPT_NAME']);

and replace with:
$PHP_SELF = $_SERVER['SCRIPT_NAME'];

Depending on your CRE version, the line above may also look like:

$PHP_SELF = (isset($HTTP_SERVER_VARS['PHP_SELF']) ? $HTTP_SERVER_VARS['PHP_SELF'] : $HTTP_SERVER_VARS['SCRIPT_NAME']);

A quick fix, CRE Help.com will charge you $40 or $80 for.

Pure Rip-off! Here’s the email:

—–Original Message—–
From: CRE Help <support@crehelp.com>
To: kissmyblackcheek@aol.com
Sent: Wed, Feb 17, 2010 6:59 pm
Subject: CreHelp.com (is SCAM!!) CRE Loaded security alert. All versions of CRE Loaded up to 6.4.0 are vulnerable.

Attention! CRE Loaded Vulnerability Notice.

Hello Kissmyblackcheek We are emerging to announce that serious security breach has recently been discovered in CRE Loaded software and unfortunately, despite all the danger it could cause to any store based on CRE Loaded prior 6.4.1 version vast majority of stores are still vulnerable. How this may affect my store? Due to vulnerability it is possible to: - Add unauthorized admin account to your store. - Access confidential data stored on your server, including orders and customers identity information. - See your database backups and restore any of them. - Send spoof emails to your customers. - In other words, take full control over your website. How to check if my store is vulnerable? It is really easy to see if your store is vulnerable. Let’s say your website is located under http://www.website.com/ and your admin is located under http://www.website.com/admin/. To see orders page without having to log in it is enough to open http://www.website.com/admin/orders.php/login.php Yes, it’s simple as it is, anyone can see list of your orders by just opening this URL in the browser. How can this be fixed? In order to get this vulnerability fixed, security fix has to be applied. You can either download it from http://www.creloaded.com and apply it yourself at your own risk or use our services. We have committed to offer this fix at a flat rate of $40 for our clients. Additionally, to avoid most of the security issues that could be discovered in future, we advise to add .htaccess password protection to admin folder. This kind of protection will bring one more login/password window before letting you to enter email and password for your admin panel. We are providing this service for a flat rate of $40 as well. How to use our service? If you want us to fix the vulnerability and protect your admin area with additional password you need to take following steps: 1) Use this link to securely pay $80 with PayPal or Credit Card. 2) Reply to this email email with FTP, store admin and hosting control panel login information. 3) Please also include desired login and password for additional protection of admin directory. 4) Don’t forget to mention PayPal transaction number you will see after submitting a payment in your email. 5) Due to high volume of requests we kindly ask you to be patient as we will reply as soon as practically possible. If you only want to fix the vulnerability and do not add additional password: 1) Use this link to securely pay $40 with PayPal or Credit Card. 2) Reply to this email email with FTP, store admin and hosting control panel login information. 3) Don’t forget to mention PayPal transaction number you will see after submitting a payment in your email. 4) Due to high volume of requests we kindly ask you to be patient as we will reply as soon as practically possible. If you wish to purchase our services for more than one website please repeat steps above. If you still have any questions before purchasing any of the above options please don’t hesitate to email us at support@crehelp.com. Why this email has been sent to me? If you have received this email, that means you have ever contacted us regarding setting up CRE Loaded based website or getting custom work done. We always try to keep our customers happy and safe so you can better concentrate on doing your hard work and avoid any risks that may affect your online business. Thus, we have decided to notify our customers about this issue and help to resolve it. We are going to continue with our efforts to provide best service and will be sending out newsletters with information about our products and services in future. If you are not willing to receive correspondence from us please use link at the end of this email to unsubscribe. We also apologize if you have received this email to few different e-mail addresses, in this case you can leave primary email subscribed and remove other emails from our list using respective link at the end of this email.

This message was sent from CRE Help to kissmyblackcheek@aol.com. It was sent from: CRE Help, 100 Stockbridge Dr., Selma, NC 27576. You can modify/update your subscription via the link below. Email Marketing by

To update/change your account click here

• Author: admin
• Filed under:
  • CRE,
  • crehelp.com
• Tags:
  • cre exploit,
  • cre security,
  • crehelp review,
  • crehelp reviews,
  • crehelp ripoff,
  • crehelp scam,
  • creloaded exploit,
  • creloaded security,
  • creloaded security issues,
  • Creloaded's CEO Sal,
  • Creloaded's security,
  • hacked into creloaded

4 Comments on Creloaded.com - SERIOUS Security Issue February 2010 revealed …oh no PLEASE, NOT AGAIN!

• Add your comment
• RSS comments feed for this post
• TrackBack URI

1. Sal says:

   February 18, 2010 at 5:26 pm

   1. I’m not the CEO. Greg McGraw is.
   2. the security exploit was in OSCOMMERCE core and effects all oscommerce variants including ours and zencart and all others.
   3. we released a patch for this last year.
   http://www.creloaded.com/fdm_folder_files.php?fPath=0_69 and ran header ads and forum posts alerting our community.

   CRE Loaded is not facing any liability issues since we identified and released a patch in a timely manner, such a thing that all application developers do. This code exploit and fix underscores the necessity to take security issue seriously and keep all your applications up to date.

   I appreciate your efforts in the community, but please lets not do the community harm with incorrect statements about CRE Loaded.

   Sal Iozzia
2. admin says:

   February 18, 2010 at 9:39 pm

   not soo fast Sal … please join me over at http://www.sitepoint.com/forums/showthread.php?t=661312

   Here is a question for you, actually 2:

   - Don’t you think that the amount of patch downloads over the past 4-5 months have been a bit low considering the amount of creloaded sites out there even if you count in the 200 non-unique views of your sticky announcement about this security issue.

   So you have not felt the need at any point to inform customers, directly via email, in form of a newsletter announcement about the severeness of the issue?

   Here are 2 screen shots from a little while ago:
   http://www.oshelpers.com/Screenshot%20-%202_18_2010%20,%208_38_56%20PM.jpg
   http://www.oshelpers.com/Screenshot%20-%202_18_2010%20,%209_06_40%20PM.jpg
3. Denver Prophit Jr. says:

   July 11, 2010 at 12:44 pm

   Quote: “Security at Creloaded has been breeched quite a few times now and in the past. The last significant breech which occurred in 2009 involved another former cre employee, Jason Mayer, aka Creguru who managed to email CREloaded’s full customer list a newsletter about his site http://www.freecreloaded.com where versions and patches up to Creloaded 6.2 B2B patch 13 can be obtained at no cost under the GNU/GPL license.” As I recall, Mr. Mayer’s employment was terminated. He was quite lucky civil litigation was not brought down upon him. A certain amount of privileged access is required to service customer accounts. Mr. Mayer breached that trust.

   CRE 6.15 FileManager was a 3rd party contribution in open source. The CRE team included it much like the other some 60 contributions into a Chain Reaction Edition of osCommerce. They continue to make strides in resolving CORE cart bugs and our company continues to point them out and seek help and collaborate where we can.

   We are concerned, however, with their business decision NOT to modify the authorize.net payment module to meet new federal and industry mandate by 2011. In 2011 credit card merchants will be required to decline check card transactions where the funds are not available and offer alternative payment methods while showing the balance available on that card. The CRE guys have decided to corral folks into their merchant reseller program and duplicate their payment checkout pages onto a cloud server that meets PCI DSS D compliance I believe. But, I have not seen any PCI DSS D compliance certification. It’s rather costly. I would have hoped that CRE worked with community developers to modify the current authorize.net and many other gateway modules to meet any new mandates. It’s a business decision on their part and only the community can take away from it what they may.

   I still will hope that the true revenue stream is in education and training.

   Sincerely,

   Denver Prophit
   Sec / CTO
   StrikeHawk eCommerce, Inc.
4. david says:

   September 9, 2010 at 9:48 pm

   May be it is late but I just came across this article so her’s my experience the security exploit.

   I am a site owner not a programmer, many times I came very close of hiring CREhelp but, did not for many reasons…
   But all of CRE Comunity should give him credit because unlike Sal He emailed every potential CREloaded website soliciting business, which in turn alerted the website owners like me to take action.
   On the other hand Mr. Sal ignoring such critical issues and not alerting site owners (I am registered CREl oaded user never heard of it) or partners.. even when I questioned my ISP who also sold /installed the CRE loaded package, He outright called the CREhelp scammer and opportunist… but of course I did not trust him and had a different programmer fix it.
   The point is do not blame CREhelp because he figured it out first! or he used the vacuum to help himself. His action help to resolve the problem one way or another.
   A mass alert should of went out immediately. So much for upgrading to PCI.. NO WAY!

• Top
• Log in
• Register
• 

Powered by the ZenLite Theme