Issue Details

Key: OSC-1069
Type: Bug
Status: Open
Priority: Major
Assignee: Unassigned
Reporter: Zeno Davatz
Votes: 0
Watchers: 3
osCommerce Core

osCommerce can send out spam via the Mailinglist function, without login.

Created: 12/Nov/09 07:33 PM   Updated: 28/Jan/10 08:25 PM
Component/s: None
Affects Version/s: 2.2 RC 2a
Fix Version/s: None

Environment: any, but tested on Linux and PHP.


Description
osCommerce Online Merchant v2.2 RC2a has a bug where one can send out spam through

http://domain.com/admin/mail.php/login.php

The proposed fix for oscmax is:

http://www.oscmax.com/forums/oscmax-v1-7-discussion/20994-spam-through-admin-mail-php-login-php-action-send_email_to_user.html

The fix in OscMax is:

http://code.google.com/p/oscmax2/source/detail?r=169

Also what is going on with these files here:

http://www.oscmax.com/blog/michael_s/security_notice_oscmax_204_released

Does this have to be fixed as well?
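
A log check for the request shape reported above, added here as an example (not part of the original report or of the osCommerce code base): it scans web-server access-log lines for an admin script followed by a trailing `/login.php` segment, generalising from `mail.php` to any script name. It assumes common/combined log format and an admin directory named `admin`; the function name and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, unquote

# Common/combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# An admin script followed by an extra "/login.php" segment, the shape of the
# URL in the report. Assumption: the admin directory is named "admin".
SUSPECT_RE = re.compile(r'/admin/(?P<script>[^/]+\.php)/login\.php$', re.I)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Nov/2009:19:30:01 +0000] "POST /admin/mail.php/login.php HTTP/1.1" 200 5120 "-" "-"',
    '192.0.2.10 - - [12/Nov/2009:19:31:12 +0000] "GET /admin/login.php HTTP/1.1" 200 2048 "-" "-"',
    '192.0.2.10 - - [12/Nov/2009:19:31:40 +0000] "POST /admin/mail.php HTTP/1.1" 200 4096 "-" "-"',
    '198.51.100.7 - - [12/Nov/2009:19:32:05 +0000] "GET /admin//mail.php/login.php HTTP/1.1" 302 0 "-" "-"',
]


def find_suspect_requests(lines):
    """Return one dict per request whose path matches SUSPECT_RE."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line this parser understands
        # Drop the query string, decode %xx and collapse "//" before matching.
        path = re.sub(r'/{2,}', '/', unquote(urlsplit(m.group('target')).path))
        s = SUSPECT_RE.search(path)
        if s:
            hits.append({
                'ip': m.group('ip'), 'time': m.group('time'),
                'method': m.group('method'), 'path': path,
                'script': s.group('script').lower(),
                'status': int(m.group('status')),
            })
    return hits


if __name__ == '__main__':
    for hit in find_suspect_requests(SAMPLE_LOG):
        print(hit)
```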


Comments
Patrick Brueckner [25/Dec/09 12:17 AM]
I plead for an update to 2.2 RC.

If you can't seem to solve this problem, feel free to contact me for commercial support (support AT paddy-net DOT com)

Geraldo Medrano [28/Jan/10 08:25 PM]
I patched hundreds of osCommerce instances on my servers using this Ruby script.

http://pastie.org/799217

Save to a file in /home/ and execute it.