VP-Cart Shopping Cart

Welcome, Guest ( Customer Panel | Login )

All Forums

VPCart Forum

Credit card fraud and hackers

VP-ASP Page hackable

New Topic

Reply to Topic

Printer Friendly

Author

Topic

imulus
Starting Member

19 Posts

Posted - November 21 2005 : 17:34:13

Running this will give you access to the admin, unbelieveable.... is there a patch for this specific hack?

<hack removed for security reasons>

bme
Starting Member

35 Posts

Posted - November 21 2005 : 21:16:42

Thanks for posting that so everyone knows how to now....

imulus
Starting Member

19 Posts

Posted - November 22 2005 : 08:31:48

No problem, we fixed the problem after a few hours of recoding the site but this certainly needs to be addressed ASAP.

apswater
VP-CART Super User

444 Posts

Posted - November 22 2005 : 14:13:33

I think you were missing a security patch, mine does not do that. I think that was the SQL Inject that was fixed some time back

support
Administrator

4679 Posts

Posted - November 22 2005 : 16:13:12

We have had a patch available for this on our security fixes page for quite a while.

Please ensure you have all of the patches installed - http://www.vpasp.com/sales/addons.asp

Also, visit http://www.vpasp.com/virtprog/info/faq_securityfixes.htm and make sure you have all of the relevent patches applied to your store.

VP-ASP Support

imulus
Starting Member

19 Posts

Posted - December 01 2005 : 10:35:20

What about this version on <page removed for security reasons>

<hack removed for security reasons>
(Please do not post hacks in this forum)

support
Administrator

4679 Posts

Posted - December 01 2005 : 15:02:04

If you can please go through the security fixes page you will find these have all been patched.

http://www.vpasp.com/sales/securitylogin.asp

The above was pateched over 2 years and only affects very early version of 5.00 and earlier releases.

Thank you
VPASP Support

howlegh
Starting Member

USA
2 Posts

Posted - January 18 2006 : 10:47:40

Hi,

The page that support refers to fixes the bug with <page removed for security reasons>. However, the first post on this thread refers to <page removed for security reasons>.

There is NO mention of any fixes for <page removed for security reasons> on the page http://www.vpasp.com/sales/securitylogin.asp (which refers me to: http://www.vpasp.com/helpnotes/shopexd.asp?id=810)

I too was recently hacked (I use version 4.50) by the exploit of <page removed for security reasons>.

I would like for a support guy to give me a fix for <page removed for security reasons>, not <page removed for security reasons>.

support
Administrator

4679 Posts

Posted - January 19 2006 : 00:43:29

<code removed for security reasons>

We have added the fix for these page to the security patch page at http://www.vpasp.com/virtprog/info/faq_securityfixes.htm.

Thank you
VP-ASP Support

howlegh
Starting Member

USA
2 Posts

Posted - January 19 2006 : 07:37:42

Hi,

Thanks, but I already had that fix in place. The hackers did not use CAT_ID. They exploited a different value. I won't post the hack here, but I will email vpasp support the link containing the sql injection string.

support
Administrator

4679 Posts

Posted - January 19 2006 : 21:44:49

This exploit was fixed in our SQL Injection fix package.

Please download and install this fix from http://www.vpasp.com/sales/addons.asp.

Regards,
VP-ASP Support

Topic

New Topic

Reply to Topic

Printer Friendly

Jump To:

Snitz Forums 2000

User Login

Business Ready

Open Source

Other Products

VP-Cart Premium Ecommerce Hosting

Hosting Plans

Useful Links

Dedicated Hosting

VP-Cart Download Center

VP-Cart Services

FAQ

VP-Cart Partners

PRODUCTS

UPGRADE VP-CART

HOSTING

RESELLERS

SERVICES

SUPPORT

FAQ

FEATURED SITES

DOWNLOADS

User Login

Your Cart

Business Ready

Open Source

Other Products

VP-Cart Premium Ecommerce Hosting

Hosting Plans

Useful Links

Dedicated Hosting

VP-Cart Download Center

VP-Cart Services

FAQ

VP-Cart Partners