Vulnerability in Shop-Script FREE

Vladimir V. Tuporshin — September 19, 2007

Today users reported a serious security vulnerability in Shop-Script FREE, and we have just released a patch for it.

We strongly recommend that ALL users of Shop-Script FREE update!

Users of Shop-Script FREE version 2.0 (which is the latest version, first released in May 2007):

Download this patch (10Kb) and overwrite the files of your Shop-Script FREE installation with the files from this archive.

Users of Shop-Script FREE versions earlier than 2.0, e.g. 1.2, 1.3:

Follow these instructions.

The Shop-Script FREE distribution packages available for free download have already been patched.

IMPORTANT ADDITION: Once you have patched your Shop-Script FREE installation, please log in to the store backend, go to the “General settings” screen and resave the settings (simply click the “Save” button on this form), then go to the “Appearence” screen and save that form the same way. This is required to get rid of any code injections that could be in your files in case someone already obtained access to your store before it was patched.


7 Comments »

  1. IMPORTANT ADDITION: Once you have patched your Shop-Script FREE installation, please log in to the store backend, go to the “General settings” screen and resave the settings (simply click the “Save” button on this form), then go to the “Appearence” screen and save that form the same way. This is required to get rid of any code injections that could be in your files in case someone already obtained access to your store before it was patched.

    Comment by Vladimir V. Tuporshin — September 24, 2007 @ 5:17 am

  2. does this also apply to premium versions?

    Comment by Fred Dawli — October 3, 2007 @ 8:28 am

  3. No. Only Shop-Script FREE.

    Comment by Vladimir V. Tuporshin — October 3, 2007 @ 8:29 am

  4. I just read this, unfortunately it’s too late for me… I found backdoor, trojans etc. And the index.php is always overwritten with a popunder javascript and the shop is unusable. :( I know there is no support for FREE users, but maybe you can give me a hint what should I try, or how can I save my database and reinstall shop-script to use with my old database. Unfortunately I’m not a programmer. Thanks for your help in advance.

    Comment by Ursus — October 12, 2007 @ 3:46 pm

  5. Dear Ursus, please send your request to our support team (www.shop-script.com/question.html) and we will try to help you sort out your issue.

    The safest way to upgrade would be to install a new version of Shop-Script FREE. I believe it will be compatible with your template files and database structure, because we have not changed the FREE version much recently. Please mention all this when you write to support.

    Also, next week we plan to release a new web service - WebAsyst Shopping Cart - http://www.webasyst.net/shop/ - it will allow you to create a powerful online store for free. Much more powerful than Shop-Script FREE (and even Shop-Script PREMIUM!). Maybe you will like this more than the FREE script.

    Comment by Vladimir V. Tuporshin — October 13, 2007 @ 4:42 am

  6. Dear Vladimir,

    thanks for your help, we already bought the premium version. So hopefully we get rid of the hackers for good.

    Best regards,

    Ursus

    Comment by Ursus — November 5, 2007 @ 1:46 am

  7. Dear Ursus, if you experience any problems please contact our support team. However, I’m sure you will not have any difficulties.
    Thank you.

    Comment by Vladimir V. Tuporshin — November 5, 2007 @ 8:23 am
