As probably most of you know, osCommerce is a shopping cart application for creating and managing online stores. It is very widely used and has many implementations and variations. Many popular shopping cart applications like OscMax, ZenCart, CreLoaded, etc. are actually based on osCommerce and use its code.
Unfortunately, for quite a while now there has been a known vulnerability in the osCommerce code, and in the code of the applications based on it, through which an attacker can gain access to the admin area and take malicious actions. Although the osCommerce official website provides some information on how the problem can be avoided (http://svn.oscommerce.com/jira/browse/OSC-1069), the vulnerability has not yet been fixed in the latest osCommerce release, and with each new download and installation of a related shopping cart software, new people and online stores become potential targets.
When there is a vulnerability in such a popular application and many sites are at risk, we at SiteGround do not believe in the approach of “let each user find and apply the bug fix him/herself”. First, most users learn about the issue only after they have already been affected. Second, many of them are unable to apply the fix themselves. To protect our customers from attacks, some of our best technical experts investigated the problem in detail and applied a global solution to all potentially vulnerable customers’ applications.
The results from our osCommerce patch operation are:
- the osCommerce package available for installation through Fantastico has been patched so that the new installations are not vulnerable to the exploit;
- all future transfer clients with osCommerce-based websites will get the vulnerability fix as part of the website transfer service we provide.
We are proud that once again SiteGround has provided a security service high above the standard level for a shared hosting company. Our knowledge and reaction in situations like these make us believe that we do provide the best osCommerce hosting.