Sorry, you was hacked - CSCart Demo Pro

First one that smelt it, dealt it.

I hope this doesn't mean CS-Cart 3 is exploited.

[quote name='JesseLeeStringer' timestamp='1343353485' post='141561']

First one that smelt it, dealt it.

[/quote]



Funny thing is I was going to check your issue/bug report on the demo but… :P

Was probably pretty easy with the admin area publicly accessible.

Hello guys!

[quote name='parodius420' timestamp='1343370796' post='141579']

Was probably pretty easy with the admin area publicly accessible.

[/quote]

You are absolutely right (did YOU do it??).



Although we are still investigating the issue, it is clear that someone used the "Upload files" feature in a 3rd-party file browser we added to CS-Cart 3.0.2. Unfortunately, we forgot to disable this feature on our demo website. It seems it would be better to disable the feature completely in the CS-Cart software, because anyone who has access to your CS-Cart admin panel (including vendors existing in CS-Cart 3.0.2 Multi-Vendor Edition!) can do the same 'trick'.



We will publish a solution to block the upload files feature in CS-Cart 3.0.2 as soon as possible.

Important update



We have thoroughly investigated the vulnerability and have come to the conclusion that vendors in CS-Cart Multi-Vendor Edition are not capable of exploiting stores the way our demo stores were today.



Our demo stores are back online, and the consequences of today's exploit have been cleared up. We thank you for your patience.
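The post above attributes the incident to an "Upload files" feature that accepted arbitrary files from anyone with admin access. The following is an added example, not CS-Cart's code or the fix the vendor later shipped, of how an admin-side upload handler can be restricted so that an uploaded file can never become server-side code: an extension allow-list, content sniffing that ignores the client-supplied type, a server-generated filename, and storage outside the web root. The path in UPLOAD_DIR and the `$_FILES['upload']` field name are assumptions for the example.

```php
<?php
// Added example (not CS-Cart's own code): hardened handling for an admin "upload files" feature.
// Assumptions: the uploaded file arrives as $_FILES['upload'] and UPLOAD_DIR lies outside the
// document root, so nothing stored here is ever served or executed directly by the web server.

declare(strict_types=1);

const UPLOAD_DIR = '/var/cscart-uploads';   // assumed path, outside the web root
const MAX_BYTES  = 5 * 1024 * 1024;         // 5 MiB cap

// Allow-list: file extension => MIME type that the *content* must actually have.
const ALLOWED = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'pdf'  => 'application/pdf',
];

/**
 * Validate one entry of $_FILES and return the normalised extension,
 * throwing on anything that is not a plain, allow-listed document.
 */
function validate_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . (int) $file['error']);
    }
    // Reject anything that did not come through PHP's own upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an HTTP upload');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }

    // Only the final extension counts; "shell.php.jpg" still has to pass the content check.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('Extension not allowed');
    }

    // Sniff the real content type from the bytes; $file['type'] is attacker-controlled and ignored.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("Content type $mime does not match .$ext");
    }
    return $ext;
}

/**
 * Store a validated upload under a random, server-chosen name and return that name.
 * The client's original filename never touches the filesystem.
 */
function store_upload(array $file): string
{
    $ext  = validate_upload($file);
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640);   // readable by the application, never executable
    return $name;
}

// Usage inside an admin controller, only after the admin/vendor permission check has passed:
// $stored = store_upload($_FILES['upload']);
```

Two points of the design matter more than the individual checks. First, because the directory is outside the web root, a file that somehow slips past validation is still just data on disk; it has to be read back and sent by the application (for example with a forced `Content-Disposition: attachment` header) rather than being reachable by URL. Second, the allow-list is deliberately short: an upload feature exposed to every admin and vendor account, as the post describes, should accept only the handful of types the shop actually needs.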

So are you going to release a fix for this exploit so others do not have the same issue?

[quote name='clips' timestamp='1343492272' post='141730']

So are you going to release a fix for this exploit so others do not have the same issue?

[/quote]



It's not an exploit, rather public access to the attachments module allowed someone from the general public to upload a malicious file.

Jim,



It was through the demo admin. Basically someone used that to upload a malicious file. As long as your admin isn't open to the public to upload random files, you should be all set.



Just don't put your admin info on Facebook and Twitter and you should be good to go.



Thanks,



Brandon

Got ya. It’s been at least 2 months since I posted our admin to the public so we should be okay. :grin: