I am not much of a wordsmith; I'd much rather express myself visually. I just take much more joy in doing the visual parts. Red colors and yellow gradients, that's where I belong. Just put me on a damn rainbow and I'll slide down it like an effn' roller coaster.
Somebody else who is going up and down like a roller coaster right now is Creloaded's CEO Sal, who just spent months and months of time-sensitive investors' capital on PCI / security related aspects but is now facing serious security and privacy violation issues, with several thousand live Creloaded stores on the market currently vulnerable to something as simple as a URL change. Who would have thought that a trick as simple as appending a path to the URL would let any malicious user reach protected pages in the admin area without an admin password?
Check if you are among the ones affected by changing the URL /admin/login.php to /admin/orders.php/login.php: if the orders page renders without asking you to log in, your store is vulnerable. What a nice find, right Sal?
Security at Creloaded has been breached quite a few times now. The last significant breach, which occurred in 2009, involved another former CRE employee, Jason Mayer, aka Creguru, who managed to email CREloaded's full customer list a newsletter about his site www.freecreloaded.com, where versions and patches up to Creloaded 6.2 B2B patch 13 can be obtained at no cost under the GNU/GPL license.
And before that, there was actually a much more severe incident, which involved a non-employee who hacked into Creloaded, stole all their customers' FTP usernames and passwords and then shut down all the sites by uploading custom index files. I had written about this last year; then Sal asked me nicely to remove it and said he would give me ice cream. Long story short, I never got any ice cream.
The two incidents above are just the tip of the iceberg. Creloaded's security issues go way back to version 6.15, which included a file manager in the admin area that was quickly removed in version 6.2. Let me put it this way: the file manager, which was meant for the admin only, wasn't being used by the admin alone.
The highlight of this evening, however, was presented to me in the form of a newsletter email by former osHelper Vakislav Kravchuk, aka Slava, aka CREHelp.com, a highly money-hungry Ukrainian teenager who was barely fitting Creloaded diapers when I recruited him from Scriptlance and trained him for several months back in early '08 or late '07.
Crehelp.com (Slava) is sending out messages that look like the one below, trying to stimulate the economy of his own wallet by taking advantage of other shop owners' misery. Please do NOT fall for this SCAM, as others already have, and commit to paying CREHelp $40 for a two-minute code edit, or $80 for CREHelp to log in to your control panel and also click "Password Protect Directories", another two-minute task priced at a further $40. You may as well throw your money out the window.
The trick works because PHP_SELF includes any trailing path info, so for a request to /admin/orders.php/login.php its last component is login.php, which is what the admin area looks at when deciding that the current page is the login page and needs no admin session. SCRIPT_NAME is the path of the script that actually ran (/admin/orders.php), so swapping it in closes the hole. Simply find the line that begins:
$PHP_SELF = (isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] :
and replace the whole line with:
$PHP_SELF = $_SERVER['SCRIPT_NAME'];
Depending on your CRE version, the line above may also look like:
$PHP_SELF = (isset($HTTP_SERVER_VARS['PHP_SELF']) ? $HTTP_SERVER_VARS['PHP_SELF'] : $HTTP_SERVER_VARS['SCRIPT_NAME']);
A quick fix that CREHelp.com will charge you $40 or $80 for.
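To make the difference concrete, here is an added example (my own reduced model, not CRE Loaded's code) of an admin login gate that keys off the last path component of $PHP_SELF, run against constructed $_SERVER snapshots for a normal request, the /orders.php/login.php trick, and the real login page. The FILENAME_LOGIN constant, the function names and the $server arrays are all assumptions for this illustration; the array values are what Apache with mod_php populates for those requests.

```php
<?php
// Added example, not CRE Loaded's own code. Models the admin login gate so the
// PHP_SELF bypass and the SCRIPT_NAME fix can be compared side by side.
// Requires PHP 7 or later for the scalar type declarations.

const FILENAME_LOGIN = 'login.php';   // assumed name, mirrors the usual osCommerce-style constant

// Vulnerable: $PHP_SELF derived from PHP_SELF, which carries any trailing PATH_INFO.
function php_self_vulnerable(array $server): string {
    return isset($server['PHP_SELF']) ? $server['PHP_SELF'] : $server['SCRIPT_NAME'];
}

// Fixed: SCRIPT_NAME is the path of the script that actually executed, never the path info.
function php_self_fixed(array $server): string {
    return $server['SCRIPT_NAME'];
}

// The gate: an admin page may be served without a session only if it *is* the login page.
// Returns true when the request passes without an admin session.
function admin_gate_passes(string $phpSelf, bool $adminLoggedIn): bool {
    if ($adminLoggedIn) {
        return true;
    }
    return basename($phpSelf) == FILENAME_LOGIN;
}

// Constructed $_SERVER snapshots (Apache + mod_php, AcceptPathInfo on).
$requests = [
    // GET /admin/orders.php/login.php  -- the bypass from the article
    'attack' => [
        'SCRIPT_NAME' => '/admin/orders.php',
        'PATH_INFO'   => '/login.php',
        'PHP_SELF'    => '/admin/orders.php/login.php',
    ],
    // GET /admin/orders.php  -- an honest unauthenticated hit on a protected page
    'normal' => [
        'SCRIPT_NAME' => '/admin/orders.php',
        'PHP_SELF'    => '/admin/orders.php',
    ],
    // GET /admin/login.php  -- the page that legitimately needs no session
    'login'  => [
        'SCRIPT_NAME' => '/admin/login.php',
        'PHP_SELF'    => '/admin/login.php',
    ],
];

foreach ($requests as $label => $srv) {
    printf("%-7s vulnerable: %-7s fixed: %s\n",
        $label,
        admin_gate_passes(php_self_vulnerable($srv), false) ? 'OPEN' : 'denied',
        admin_gate_passes(php_self_fixed($srv), false)      ? 'OPEN' : 'denied');
}
```

Run it with the php command line; only the attack row changes between the two columns, which is the whole fix. One caveat before relying on the one-line swap: SCRIPT_NAME is set by the web server, and the values above are the Apache/mod_php ones. On a CGI or FastCGI setup, check what your server actually puts in SCRIPT_NAME for a path-info request before trusting it, and note that the vendor's own 6.4.1 fix mentioned in the email below is the other route.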
Pure Rip-off! Here’s the email:
From: CRE Help <firstname.lastname@example.org>
Sent: Wed, Feb 17, 2010 6:59 pm
Subject: CreHelp.com (is SCAM!!) CRE Loaded security alert. All versions of CRE Loaded up to 6.4.0 are vulnerable.
Attention! CRE Loaded Vulnerability Notice.
We are writing to announce that a serious security breach has recently been discovered in the CRE Loaded software and unfortunately, despite all the danger it could cause to any store based on a CRE Loaded version prior to 6.4.1, the vast majority of stores are still vulnerable.
How may this affect my store?
Due to the vulnerability it is possible to:
How to check if my store is vulnerable?
It is really easy to see if your store is vulnerable. Let's say your website is located at http://www.website.com/ and your admin is located at http://www.website.com/admin/. To see the orders page without having to log in, it is enough to open http://www.website.com/admin/orders.php/login.php
How can this be fixed?
In order to get this vulnerability fixed, a security fix has to be applied. You can either download it from http://www.creloaded.com and apply it yourself at your own risk, or use our services.
How to use our service?
If you want us to fix the vulnerability and protect your admin area with an additional password, you need to take the following steps:
If you only want to fix the vulnerability and not add an additional password:
If you wish to purchase our services for more than one website please repeat steps above.
Why this email has been sent to me?
If you have received this email, that means you have at some point contacted us regarding setting up a CRE Loaded based website or getting custom work done. We always try to keep our customers happy and safe so you can better concentrate on doing your hard work and avoid any risks that may affect your online business. Thus, we have decided to notify our customers about this issue and help to resolve it.
We are going to continue with our efforts to provide the best service and will be sending out newsletters with information about our products and services in the future. If you are not willing to receive correspondence from us, please use the link at the end of this email to unsubscribe.
We also apologize if you have received this email at a few different e-mail addresses; in this case you can leave your primary email subscribed and remove the other emails from our list using the respective link at the end of this email.