
Creloaded – Admin Access Vulnerability Security Patch

December 22nd, 2009

IMPORTANT required security patch for 6.2 CRE Loaded B2B White Label sites.

A vulnerability allows access to admin files due to an error in PHP's handling of URLs. It affects all CRE Loaded and osCommerce shopping carts. All users should upgrade to the most recent release, 6.2.14.

The zip file contains three files:

  • admin/includes/application_top.php
  • admin/includes/version.php
  • includes/version.php

To update your site, unzip the package, then upload the files to your 6.2 site, replacing the existing ones.

If you have an older CRE Loaded installation, we strongly encourage you to upgrade to 6.2.14 immediately.

The issue fixed by the security patch:

There is logic in the application top to check whether the session has an admin logged in. If not, the page being accessed is checked to see whether it is login.php or password_forgotten.php. If it is one of these pages, access is allowed. Otherwise, the code forces a redirect to the login.php page.

The issue is the PHP_SELF variable set by PHP. It is used along with the basename function to determine which page is being accessed. The official PHP documentation even describes it as “The filename of the currently executing script, relative to the document root.” However, this is not exactly correct.

In the case of a crafted URL of the form domain.com/customers.php/password_forgotten.php, Apache looks at the information directly after the domain and attempts to execute the file. PHP appears to take the entire URL and assume it points to the executing script. The basename function then strips off password_forgotten.php, which is used in the comparison; the comparison succeeds, and execution is allowed to continue.

The correction is to use a variable set by Apache to ensure the script executing is really the same as the script name reported. The Apache variable is stored in the server array as SCRIPT_NAME. Since Apache controls the execution, it makes good sense to use its variable setting instead of the PHP variable setting. So in the case of the above crafted URL, the variable now reports customers.php. Therefore the bypass check fails and the person is redirected to the login.php page.
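
The check before and after the patch, as an added example (not the CRE Loaded source). The function names, the /admin/ path prefix and the sample $_SERVER values are constructed for illustration.

```php
<?php
// Added illustration; not the CRE Loaded code. Function names are hypothetical.

// Pages that may be served without an admin session, per the description above.
const PUBLIC_PAGES = ['login.php', 'password_forgotten.php'];

// Pre-patch logic: trusts PHP_SELF, which also carries any trailing path info.
function is_public_page_unpatched(array $server): bool
{
    return in_array(basename($server['PHP_SELF']), PUBLIC_PAGES, true);
}

// Patched logic: SCRIPT_NAME names only the script that is actually executing.
function is_public_page_patched(array $server): bool
{
    return in_array(basename($server['SCRIPT_NAME']), PUBLIC_PAGES, true);
}

// Constructed $_SERVER samples (not captured traffic); /admin/ is an assumed layout.
$requests = [
    'login page' => [
        'PHP_SELF'    => '/admin/login.php',
        'SCRIPT_NAME' => '/admin/login.php',
    ],
    'protected page' => [
        'PHP_SELF'    => '/admin/customers.php',
        'SCRIPT_NAME' => '/admin/customers.php',
    ],
    'protected page with appended path' => [
        'PHP_SELF'    => '/admin/customers.php/password_forgotten.php',
        'SCRIPT_NAME' => '/admin/customers.php',
    ],
];

// For a visitor with no admin session: "allow" means the login redirect is skipped.
foreach ($requests as $label => $server) {
    printf(
        "%-36s unpatched=%-9s patched=%s\n",
        $label,
        is_public_page_unpatched($server) ? 'allow' : 'redirect',
        is_public_page_patched($server) ? 'allow' : 'redirect'
    );
}
```

The two checks differ only on the third sample, where PHP_SELF and SCRIPT_NAME disagree; a comparison of the two values in access logs or a request filter is a simple way to spot such requests.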

Download the update from http://www.creloaded.com/fdm_folder_files.php?fPath=0_69
