I am not much of a wordsmith, I much rather express myself visually. I just take much more joy doing the visual parts. Red colors and yellow gradients, that’s where I belong. Just put me on a damn rainbow and I’ll slide down it like an effn’ roller coaster.

Somebody else who is going up and down like a roller coaster right now is Creloaded’s CEO Sal, who just spent months and months of time-sensitive investors’ capital on PCI / security related aspects but is now facing serious security and privacy violation issues with several thousand live creloaded stores on the market, currently vulnerable to something as simple as a URL change attack. Who would have thought that a simple trick like a URL change allows any malicious user to access protected pages in the admin area without an admin password?

Check if you are among the ones affected by changing the URL /admin/login.php to admin/orders.php/login.php. What a nice find, right Sal?

Security at Creloaded has been breached quite a few times now and in the past. The last significant breach, which occurred in 2009, involved another former cre employee, Jason Mayer, aka Creguru, who managed to email CREloaded’s full customer list a newsletter about his site www.freecreloaded.com where versions and patches up to Creloaded 6.2 B2B patch 13 can be obtained at no cost under the GNU/GPL license.

And before that, there was actually a much more severe incident which involved a non-employee who hacked into creloaded, stole all their customers’ FTP usernames and passwords and then shut down all sites by uploading custom index files. I had written about this last year, then Sal asked me nicely to remove it and said he would give me ice cream. Long story short, I never got any ice cream.

The 2 incidents above are just the tip of the iceberg. Creloaded’s security issues go way back to version 6.15, which included a file manager in the admin area that was quickly removed in version 6.2. Let me put it this way. The file manager which was meant for the admin only wasn’t just being used by the admin alone :)

The highlight of this evening, however, was presented to me in the form of a newsletter email by former osHelper Vakislav Kravchuk aka Slava aka CREHelp.com, a highly money-hungry Ukrainian teenager who was barely fitting into Creloaded diapers when I recruited him from Scriptlance and trained him for several months back in early ‘08 or late ‘07.

Crehelp.com (Slava) is sending out messages that look like the one below, trying to stimulate the economy of his own wallet by taking advantage of other shop owners’ misery. Please do NOT fall for this SCAM as others already have and commit to paying Crehelp $40 for a 2 minute code edit, or $80 for crehelp to log in to your control panel and also click Pass Protect Directory, another 2 minute task priced at $40. You may as well throw your money out the window.

We provide the same EXACT patch to all our customers FREE, because that’s what we call customer courtesy; it’s simply part of the character of our company, part of the character of the individuals who’ve been out there almost every day for the past 5 years fixing your stuff. It’s just us. We do not and will not take advantage of anybody, regardless of the surroundings. Period! All I am saying is, don’t fall for a backstabber who is trying to hit you over the head. I fell for it once already.

For those who are affected and comfortable editing the admin/includes/application_top.php file:

Simply find the line:

$PHP_SELF = (isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME']);

and replace it with:

$PHP_SELF = $_SERVER['SCRIPT_NAME'];

Depending on your CRE version, the line above may also look like:

$PHP_SELF = (isset($HTTP_SERVER_VARS['PHP_SELF']) ? $HTTP_SERVER_VARS['PHP_SELF'] : $HTTP_SERVER_VARS['SCRIPT_NAME']);
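To see why swapping PHP_SELF for SCRIPT_NAME closes the hole, here is an added PHP example (not CRE Loaded’s own code): it models an admin gate that exempts login.php from its session check, assuming the gate compares basename($PHP_SELF) against 'login.php', and runs the original line and the replacement line against constructed server variables for the /admin/orders.php/login.php request.

```php
<?php
// Added example, not CRE Loaded code. Assumption: the admin gate skips its
// session check when basename($PHP_SELF) is 'login.php'; the real check in
// CRE Loaded may be worded differently, but the trailing-path effect is the same.

// Constructed server variables for the request GET /admin/orders.php/login.php
$server = array(
    'SCRIPT_NAME' => '/admin/orders.php',           // the script the web server actually ran
    'PATH_INFO'   => '/login.php',                  // extra path data supplied by the client
    'PHP_SELF'    => '/admin/orders.php/login.php', // SCRIPT_NAME plus PATH_INFO
);

// The original line: prefers PHP_SELF, which carries the client-controlled PATH_INFO.
function looks_like_login_page_original(array $server) {
    $PHP_SELF = (isset($server['PHP_SELF']) ? $server['PHP_SELF'] : $server['SCRIPT_NAME']);
    return basename($PHP_SELF) == 'login.php';
}

// The replacement line: SCRIPT_NAME names only the executed script.
function looks_like_login_page_patched(array $server) {
    $PHP_SELF = $server['SCRIPT_NAME'];
    return basename($PHP_SELF) == 'login.php';
}

// Same gate decision for a visitor with no admin session, under both versions.
function gate_decision($skip_auth, $logged_in) {
    return (!$logged_in && !$skip_auth) ? 'redirect to login' : 'serve orders.php';
}

$logged_in = false; // no admin session cookie
$cases = array(
    'original line'    => looks_like_login_page_original($server),
    'replacement line' => looks_like_login_page_patched($server),
);
foreach ($cases as $label => $skip_auth) {
    echo $label . ': basename says login page = ' . ($skip_auth ? 'yes' : 'no')
        . ' -> ' . gate_decision($skip_auth, $logged_in) . PHP_EOL;
}
```

With the original line the gate sees login.php and serves orders.php to an anonymous visitor; with the replacement line it sees orders.php and redirects to the login page.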

A quick fix that CRE Help.com will charge you $40 or $80 for.

Pure rip-off! Here’s the email:

-----Original Message-----
From: CRE Help <support@crehelp.com>
To: kissmyblackcheek@aol.com
Sent: Wed, Feb 17, 2010 6:59 pm
Subject: CreHelp.com (is SCAM!!) CRE Loaded security alert. All versions of CRE Loaded up to 6.4.0 are vulnerable.

Attention! CRE Loaded Vulnerability Notice.

Hello Kissmyblackcheek

We are emerging to announce that a serious security breach has recently been discovered in CRE Loaded software and unfortunately, despite all the danger it could cause to any store based on CRE Loaded prior to version 6.4.1, the vast majority of stores are still vulnerable.

How may this affect my store?

Due to the vulnerability it is possible to:
- Add unauthorized admin account to your store.
- Access confidential data stored on your server, including orders and customers identity information.
- See your database backups and restore any of them.
- Send spoof emails to your customers.
- In other words, take full control over your website.

How to check if my store is vulnerable?

It is really easy to see if your store is vulnerable. Let’s say your website is located under http://www.website.com/ and your admin is located under http://www.website.com/admin/. To see the orders page without having to log in it is enough to open http://www.website.com/admin/orders.php/login.php
Yes, it’s as simple as that, anyone can see the list of your orders by just opening this URL in the browser.

How can this be fixed?

In order to get this vulnerability fixed, a security fix has to be applied. You can either download it from http://www.creloaded.com and apply it yourself at your own risk or use our services.
We have committed to offer this fix at a flat rate of $40 for our clients. Additionally, to avoid most of the security issues that could be discovered in future, we advise adding .htaccess password protection to the admin folder. This kind of protection will bring one more login/password window before letting you enter the email and password for your admin panel. We are providing this service for a flat rate of $40 as well.

How to use our service?

If you want us to fix the vulnerability and protect your admin area with an additional password you need to take the following steps:
1) Use this link to securely pay $80 with PayPal or Credit Card.
2) Reply to this email with FTP, store admin and hosting control panel login information.
3) Please also include the desired login and password for additional protection of the admin directory.
4) Don’t forget to mention the PayPal transaction number you will see after submitting a payment in your email.
5) Due to the high volume of requests we kindly ask you to be patient as we will reply as soon as practically possible.

If you only want to fix the vulnerability and not add an additional password:
1) Use this link to securely pay $40 with PayPal or Credit Card.
2) Reply to this email with FTP, store admin and hosting control panel login information.
3) Don’t forget to mention the PayPal transaction number you will see after submitting a payment in your email.
4) Due to the high volume of requests we kindly ask you to be patient as we will reply as soon as practically possible.

If you wish to purchase our services for more than one website please repeat the steps above.
If you still have any questions before purchasing any of the above options please don’t hesitate to email us at support@crehelp.com.

Why has this email been sent to me?

If you have received this email, that means you have at some point contacted us regarding setting up a CRE Loaded based website or getting custom work done. We always try to keep our customers happy and safe so you can better concentrate on doing your hard work and avoid any risks that may affect your online business. Thus, we have decided to notify our customers about this issue and help to resolve it.

We are going to continue with our efforts to provide the best service and will be sending out newsletters with information about our products and services in future. If you are not willing to receive correspondence from us please use the link at the end of this email to unsubscribe.

We also apologize if you have received this email at a few different e-mail addresses; in this case you can leave the primary email subscribed and remove the other emails from our list using the respective link at the end of this email.

This message was sent from CRE Help to kissmyblackcheek@aol.com. It was sent from: CRE Help, 100 Stockbridge Dr., Selma, NC 27576. You can modify/update your subscription via the link below.