
Creloaded.com - SERIOUS Security Issue February 2010 revealed …oh no PLEASE, NOT AGAIN!

  • February 18, 2010 10:30 am

I am not much of a wordsmith, I much rather express myself visually. I just take much more joy doing the visual parts. Red colors and yellow gradients, that’s where I belong. Just put me on a damn rainbow and I’ll slide it down like an effn’ roller coaster.

Somebody else who is going up and down like a roller coaster right now is Creloaded’s CEO Sal, who just spent months and months of time (and time-sensitive investors’ capital) on PCI / security related aspects, but is now facing serious security and privacy violation issues with several thousand live Creloaded stores on the market, currently vulnerable to something as simple as a URL change attack. Who would have thought that a trick as simple as a URL change allows any malicious user to access protected pages in the admin area without an admin password?

Check if you are among the ones affected by changing the URL /admin/login.php to /admin/orders.php/login.php. If the orders page shows up without you logging in, you are affected. What a nice find, right Sal?

Security at Creloaded has been breached quite a few times now and in the past. The last significant breach, which occurred in 2009, involved another former CRE employee, Jason Mayer, aka Creguru, who managed to email CREloaded’s full customer list a newsletter about his site www.freecreloaded.com, where versions and patches up to Creloaded 6.2 B2B patch 13 can be obtained at no cost under the GNU/GPL license.

And before that, there was actually a much more severe incident which involved a non-employee who hacked into creloaded and stole all their customers’ FTP usernames and passwords and then shut down all sites by uploading custom index files. I had written about this last year, then Sal asked me nicely to remove it and said he would give me ice-cream. Long story short, I’ve never got any ice-cream.

The 2 incidents above are just the tip of the iceberg. Creloaded’s security issues go way back to version 6.15, which included a Filemanager in the admin area that was quickly removed in version 6.2. Let me put it this way: the file manager, which was meant for the admin only, wasn’t just being used by the admin alone :)

The highlight of this evening, however, was presented to me in the form of a newsletter email by former osHelper Vakislav Kravchuk aka Slava aka CREHelp.com, a highly money hungry Ukrainian teenager, who was barely fitting Creloaded diapers when I recruited him from Scriptlance and trained him for several months back in early ‘08 or late ‘07.

Crehelp.com (Slava) is sending out messages that look like the one below and trying to stimulate the economy of his own wallet by taking advantage of other shop owners’ misery. Please do NOT fall for this SCAM as others already have and commit to paying Crehelp $40 for a 2 minute code edit, or $80 for Crehelp to log in to your control panel and click “Password Protect Directory”, another 2 minute task priced at $40. You may as well throw your money out the window.

We provide the same EXACT patch to all our customers FREE, because that’s what we call customer courtesy; it’s simply part of the character of our company, it’s part of the character of the individuals who’ve been out there almost every day for the past 5 years fixing your stuff. It’s just us. We do not and will not take advantage of anybody, regardless of the surroundings. Period! All I am saying is, don’t fall for a backstabber who is trying to hit you over the head. I fell for it once already.

For those who are affected and comfortable editing the file admin/includes/application_top.php:

Simply find the line:

$PHP_SELF = (isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME']);

and replace it with:

$PHP_SELF = $_SERVER['SCRIPT_NAME'];

Depending on your CRE version, the line above may also look like:

$PHP_SELF = (isset($HTTP_SERVER_VARS['PHP_SELF']) ? $HTTP_SERVER_VARS['PHP_SELF'] : $HTTP_SERVER_VARS['SCRIPT_NAME']);

A quick fix that CRE Help.com will charge you $40 or $80 for. Pure rip-off! Here’s the email:
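To make the fix above concrete, here is an added PHP example. It is not CRE Loaded’s own code and not the patch itself; it models how the pre-fix and post-fix lines derive the “current page” and what a login check that exempts login.php sees for a request to /admin/orders.php/login.php. The $_SERVER values, the access log lines and the admin_access_allowed() check are constructed assumptions about how Apache populates the request and how the real application_top.php gates the admin area, so treat them as illustrative rather than as the project’s exact logic.

```php
<?php
// Added example (not CRE Loaded code). Models why /admin/orders.php/login.php
// bypasses a login check built on $PHP_SELF, and why $_SERVER['SCRIPT_NAME']
// closes the hole.

// Pre-fix line from admin/includes/application_top.php: prefers PHP_SELF,
// which Apache + mod_php build from the script path PLUS any trailing PATH_INFO.
function current_page_old(array $server): string {
    return isset($server['PHP_SELF']) ? $server['PHP_SELF'] : $server['SCRIPT_NAME'];
}

// Post-fix line: SCRIPT_NAME is the script that actually ran, never the PATH_INFO.
function current_page_fixed(array $server): string {
    return $server['SCRIPT_NAME'];
}

// Constructed model of the admin gate (assumption): login.php is reachable
// without a session, every other admin page requires one.
function admin_access_allowed(string $php_self, bool $logged_in): bool {
    if (basename($php_self) === 'login.php') {
        return true;
    }
    return $logged_in;
}

// Defender's view: flag access log requests where a PHP script under /admin/
// is followed by extra path segments, e.g. /admin/orders.php/login.php.
function find_path_info_probes(array $log_lines): array {
    $hits = [];
    foreach ($log_lines as $line) {
        if (preg_match('#"(?:GET|POST) /admin/[^ ?"]+\.php/[^ ?"]*#', $line)) {
            $hits[] = $line;
        }
    }
    return $hits;
}

// Constructed $_SERVER slice for GET /admin/orders.php/login.php, as Apache
// with mod_php populates it (orders.php runs; "/login.php" becomes PATH_INFO).
$request = [
    'REQUEST_URI' => '/admin/orders.php/login.php',
    'SCRIPT_NAME' => '/admin/orders.php',
    'PATH_INFO'   => '/login.php',
    'PHP_SELF'    => '/admin/orders.php/login.php',
];

$old = current_page_old($request);   // "/admin/orders.php/login.php"
$new = current_page_fixed($request); // "/admin/orders.php"

printf("pre-fix : page=%s basename=%s allowed without login: %s\n",
    $old, basename($old), admin_access_allowed($old, false) ? 'yes' : 'no');
printf("post-fix: page=%s basename=%s allowed without login: %s\n",
    $new, basename($new), admin_access_allowed($new, false) ? 'yes' : 'no');

// Constructed access log lines (not real traffic): only the second one is a probe.
$log = [
    '203.0.113.5 - - [17/Feb/2010:18:59:01 +0000] "GET /admin/login.php HTTP/1.1" 200 1234',
    '203.0.113.5 - - [17/Feb/2010:18:59:07 +0000] "GET /admin/orders.php/login.php HTTP/1.1" 200 8812',
    '198.51.100.9 - - [17/Feb/2010:19:02:44 +0000] "GET /index.php HTTP/1.1" 200 5120',
];
foreach (find_path_info_probes($log) as $hit) {
    echo "suspicious: $hit\n";
}
```

With the pre-fix line the gate sees basename “login.php” and lets the unauthenticated request through to orders.php; with the post-fix line it sees “orders.php” and demands a session. The log check is a cheap way to look back through existing access logs for earlier probes of this shape, and it complements (rather than replaces) the .htaccess password on the admin directory that the email below also mentions.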


-----Original Message-----
From: CRE Help <support@crehelp.com>
To: kissmyblackcheek@aol.com
Sent: Wed, Feb 17, 2010 6:59 pm
Subject: CreHelp.com (is SCAM!!) CRE Loaded security alert. All versions of CRE Loaded up to 6.4.0 are vulnerable.

Attention! CRE Loaded Vulnerability Notice.

Hello Kissmyblackcheek

We are emerging to announce that a serious security breach has recently been discovered in CRE Loaded software and unfortunately, despite all the danger it could cause to any store based on a CRE Loaded version prior to 6.4.1, the vast majority of stores are still vulnerable.

How this may affect my store?

Due to vulnerability it is possible to:
- Add unauthorized admin account to your store.
- Access confidential data stored on your server, including orders and customers identity information.
- See your database backups and restore any of them.
- Send spoof emails to your customers.
- In other words, take full control over your website.

How to check if my store is vulnerable?

It is really easy to see if your store is vulnerable. Let’s say your website is located under http://www.website.com/ and your admin is located under http://www.website.com/admin/. To see orders page without having to log in it is enough to open http://www.website.com/admin/orders.php/login.php
Yes, it’s simple as it is, anyone can see list of your orders by just opening this URL in the browser.

How can this be fixed?

In order to get this vulnerability fixed, security fix has to be applied. You can either download it from http://www.creloaded.com and apply it yourself at your own risk or use our services.
We have committed to offer this fix at a flat rate of $40 for our clients. Additionally, to avoid most of the security issues that could be discovered in future, we advise to add .htaccess password protection to admin folder. This kind of protection will bring one more login/password window before letting you to enter email and password for your admin panel. We are providing this service for a flat rate of $40 as well.

How to use our service?

If you want us to fix the vulnerability and protect your admin area with additional password you need to take following steps:
1) Use this link to securely pay $80 with PayPal or Credit Card.
2) Reply to this email with FTP, store admin and hosting control panel login information.
3) Please also include desired login and password for additional protection of admin directory.
4) Don’t forget to mention PayPal transaction number you will see after submitting a payment in your email.
5) Due to high volume of requests we kindly ask you to be patient as we will reply as soon as practically possible.

If you only want to fix the vulnerability and do not add additional password:
1) Use this link to securely pay $40 with PayPal or Credit Card.
2) Reply to this email with FTP, store admin and hosting control panel login information.
3) Don’t forget to mention PayPal transaction number you will see after submitting a payment in your email.
4) Due to high volume of requests we kindly ask you to be patient as we will reply as soon as practically possible.

If you wish to purchase our services for more than one website please repeat steps above.
If you still have any questions before purchasing any of the above options please don’t hesitate to email us at support@crehelp.com.

Why this email has been sent to me?

If you have received this email, that means you have ever contacted us regarding setting up CRE Loaded based website or getting custom work done. We always try to keep our customers happy and safe so you can better concentrate on doing your hard work and avoid any risks that may affect your online business. Thus, we have decided to notify our customers about this issue and help to resolve it.

We are going to continue with our efforts to provide best service and will be sending out newsletters with information about our products and services in future. If you are not willing to receive correspondence from us please use link at the end of this email to unsubscribe.

We also apologize if you have received this email to few different e-mail addresses, in this case you can leave primary email subscribed and remove other emails from our list using respective link at the end of this email.

This message was sent from CRE Help to kissmyblackcheek@aol.com. It was sent from: CRE Help, 100 Stockbridge Dr., Selma, NC 27576. You can modify/update your subscription via the link below.
To update/change your account click here

Multi Store Wars - Magento moving into our territory

  • March 10, 2009 8:01 am


Magento says:

“Multi Store Management has been a hot topic in the eCommerce market and we are proud to feature such functionality as part of Magento’s core product.”

Here is the link to their 45 minute web seminar about Magento Multi Store Management.

___________

I didn’t really have the chance or the patience to go through the 45 minute documentation. Maybe my personal attention span just happens to be real low at the moment. I am unable to compare Magnum Multi Store to Magento Multi Store at this point, other than the fact that our product is priced at $1200, while Magento’s stuff is free. Our support fees are way lower though.

Overall, I find this all to be rather amusing. This is all soo Internet. We come out with something, 5 mins later somebody else jumps on it. Perfect examples are Magnum Multi Store, now Magento copies the Multi Store part and Magnum MVS 8.4 which CRE tried to copy.

But CRE did such a lousy job of integrating MVS into their CRE 6.3 B2B.
It’s a shame that they are [continue reading]

osCMax releases v2.0 RC4 - it’s like a FREE CRE 6.2 B2B!

  • March 10, 2009 6:48 am

“osCMax 2.0 RC4 has been released and is available for download from the osCMax project page: http://www.oscmax.com/project/osCMax

For a complete rundown of all the changes in this release, see the post here

osCMax says:
“Almost every aspect of osCMax has been updated in this release. All mods have been improved and updated, and the core code has been updated to match osCommerce 2.2RC2a. The changes are extensive, so I do not recommend simply overwriting your existing RC3x store with the new code. I recommend doing a new separate installation and migrating to it.

RC4 will be in release for two weeks. If no major issues are found in that time, it will be certified as the final release of v2.0 and we will then [continue reading]

Magento vs. CRE Loaded - Frontend Feature Comparison (Round I)

  • February 25, 2009 1:57 pm

There are a few things we really liked about Magento and couldn’t resist incorporating into our Magnum line - using our own code of course - as osCommerce code and Magento code is like throwing Ketchup on cake. It doesn’t go well together.

Anyhow, the 4 front-end features we really liked are:

1. Subscribe to RSS Feeds feature
Real nice!

2. Product image zoom with double click
Also very nice. Seems to work well with real large product images.

3. Ability for users to add tags
I liked this too. Very Web 2.0!

4. Switch between Grid view and List view
This is a switch CREloaded has in the admin already. But Magento is right. This shouldn’t be for the admin. Let the user pick their favorite view. The ones who are allergic to grid, can go with list view and vice versa.

There is actually one more feature which will be seen in Magnum products and can be seen in Magento and some other carts also which is the “recently viewed products” feature.

Note that none of these features are currently offered in any CRE version.

CRELoaded.com - from Hero to Zero

  • February 21, 2009 9:55 am

Chainreactionworks, the popular creator of the loaded osCommerce version CRE Loaded “shot themselves in the foot”. Here is a brief recap of some recent events that took place over at CRELoaded.com.

“[...] After winning $5 million in venture capital only a few months ago, the company had removed its founder and president Sal Iozzia. Almost immediately the company began to act like a dictatorship, nearly destroying itself along with its community and goodwill. Without warning, the company began [continue reading]