Sorry, you was hacked - CSCart Demo Pro

 
  • The Tool
  • Been Here Way Too Long Member
  • Members
  • Join Date: 30-Mar 07
  • 3866 posts

Posted 27 July 2012 - 01:40 AM #1

http://demo.cs-cart....essional/?sl=EN

 

Posted 27 July 2012 - 01:44 AM #2

First one that smelt it, dealt it.
I've moved on from CS-Cart to WooC******** - If you need anything I can be of little help.

 
  • solesurvivor
  • Senior Member
  • Members
  • Join Date: 05-Aug 11
  • 745 posts

Posted 27 July 2012 - 02:27 AM #3

I hope this doesn't mean cs cart 3 is exploited.

 
  • The Tool
  • Been Here Way Too Long Member
  • Members
  • Join Date: 30-Mar 07
  • 3866 posts

Posted 27 July 2012 - 03:43 AM #4

First one that smelt it, dealt it.


Funny thing is I was going to check your issue/bug report on the demo but... :P

 
  • parodius420
  • Senior Member
  • Members
  • Join Date: 03-Dec 11
  • 611 posts

Posted 27 July 2012 - 06:33 AM #5

was prob pretty easy with access to the admin area accessible

 
  • kmolchanov
  • CS-Cart team
  • Join Date: 06-May 11
  • 1313 posts

Posted 27 July 2012 - 08:00 AM #6

Hello guys!

was prob pretty easy with access to the admin area accessible

You are absolutely right (did YOU do it??).

Although we are still investigating the issue, it is clear that someone used the "Upload files" feature in a 3rd party file browser we added to CS-Cart 3.0.2. Unfortunately, we forgot to disable this feature on our demo website. It seems it would be better to disable the feature completely in CS-Cart software, because anyone who has access to your CS-Cart admin panel (including vendors existing in CS-Cart 3.0.2 Multi-Vendor Edition!) can do the same 'trick'.

We will publish a solution to block the upload files feature in CS-Cart 3.0.2 as soon as possible.

Konstantin Molchanov,
CS-Cart Architect Team
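
For store owners who want to check whether anything was dropped through an admin-side "Upload files" feature like the one described in this post, here is an added example (not from this thread and not CS-Cart code) that walks a directory meant for uploaded content and flags file names the web server could execute or that override its configuration. The extension list, the function names and the sample tree are assumptions made for illustration.

```python
import os
import tempfile

# Extensions assumed to be mapped to an interpreter on a PHP host; adjust to your server.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "pht", "phar", "cgi", "pl"}
# File names that override web server or PHP settings for a directory.
CONFIG_NAMES = {".htaccess", ".user.ini"}


def classify(filename):
    """Return a reason string if the name looks server-executable, else None."""
    name = filename.lower().rstrip(". ")  # trailing dots/spaces are dropped by some filesystems
    if name in CONFIG_NAMES:
        return "server config override"
    exts = name.split(".")[1:]  # every extension, not only the last
    if exts and exts[-1] in EXECUTABLE_EXTS:
        return "executable extension"
    if any(e in EXECUTABLE_EXTS for e in exts[:-1]):
        return "executable extension hidden before final one"
    return None


def audit_upload_dir(root):
    """Walk root and return sorted (relative_path, reason) pairs for flagged files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            reason = classify(fn)
            if reason:
                rel = os.path.relpath(os.path.join(dirpath, fn), root)
                findings.append((rel.replace(os.sep, "/"), reason))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample data: an upload directory with benign and flagged names."""
    for rel in ["images/logo.png", "images/banner.PHP", "docs/manual.pdf",
                "docs/invoice.php.jpg", "docs/.htaccess", "notes.txt"]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, reason in audit_upload_dir(tmp):
            print(f"{path}: {reason}")
```

A flagged name is a prompt to inspect the file and its timestamp, not proof of compromise; the same `classify` check can also be applied to names at upload time.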


 
  • kmolchanov
  • CS-Cart team
  • Join Date: 06-May 11
  • 1313 posts

Posted 27 July 2012 - 12:47 PM #7

Important update

We have accurately investigated the vulnerability and have come to the conclusion that vendors in CS-Cart Multi-Vendor Edition are not capable of exploiting stores the way our demo stores have been today.

Our demo stores are back online, and the consequences of today's exploit have been cleared up. We thank you for your patience.

Konstantin Molchanov,
CS-Cart Architect Team


 
  • clips
  • Aged Resident Loon
  • Members
  • Join Date: 14-Jan 07
  • 1650 posts

Posted 28 July 2012 - 04:17 PM #8

So are you going to release a fix for this exploit so others do not have the same issue?
Regards,
Jim

 

Posted 28 July 2012 - 04:54 PM #9

So are you going to release a fix for this exploit so others do not have the same issue?


It's not an exploit, rather public access to the attachments module allowed someone from the general public to upload a malicious file.
I've moved on from CS-Cart to WooC******** - If you need anything I can be of little help.

 
  • brandonvd
  • is Super Awesome
  • Members
  • Join Date: 19-Dec 06
  • 2633 posts

Posted 28 July 2012 - 05:01 PM #10

Jim,

It was through the demo admin. Basically someone used that to upload a malicious file. As long as your admin isn't open to the public to upload random files, you should be all set.

Just don't put your admin info on Facebook and Twitter and you should be good to go.

Thanks,

Brandon

 
  • clips
  • Aged Resident Loon
  • Members
  • Join Date: 14-Jan 07
  • 1650 posts

Posted 28 July 2012 - 05:37 PM #11

Got ya. It's been at least 2 months since I posted our admin to the public so we should be okay. :grin:
Regards,
Jim