VP-ASP :: Shopping Cart Software

Shopping Cart Software Solutions for anywhere in the World

US/Canada(Toll Free): +1 888 587 2278
Europe/UK: +44 (020) 7193 9408
Australia/New Zealand: +61 3 9016 4497

VP-ASP Shopping Cart Customer Forum

Home | Profile | Register | Active Topics | Members | Search | FAQ
Username:
Password:
Save Password
Forgot your Password?

 All Forums
 VPCart Forum
 Credit card fraud and hackers
 VP-ASP Page hackable
 New Topic  Reply to Topic
 Printer Friendly
Author Previous Topic Topic Next Topic  

imulus
Starting Member

19 Posts

Posted - November 21 2005 :  17:34:13  Show Profile  Visit imulus's Homepage  Reply with Quote
Running this will give you access to the admin, unbelieveable.... is there a patch for this specific hack?

<hack removed for security reasons>

bme
Starting Member

35 Posts

Posted - November 21 2005 :  21:16:42  Show Profile  Reply with Quote
Thanks for posting that so everyone knows how to now....

Go to Top of Page

imulus
Starting Member

19 Posts

Posted - November 22 2005 :  08:31:48  Show Profile  Visit imulus's Homepage  Reply with Quote
No problem, we fixed the problem after a few hours of recoding the site but this certainly needs to be addressed ASAP.

Go to Top of Page

apswater
VP-ASP Super User

317 Posts

Posted - November 22 2005 :  14:13:33  Show Profile  Visit apswater's Homepage  Reply with Quote
I think you were missing a security patch, mine does not do that. I think that was the SQL Inject that was fixed some time back

Go to Top of Page

support
Administrator

4266 Posts

Posted - November 22 2005 :  16:13:12  Show Profile  Visit support's Homepage  Reply with Quote
We have had a patch available for this on our security fixes page for quite a while.

Please ensure you have all of the patches installed - http://www.vpasp.com/sales/addons.asp

Also, visit http://www.vpasp.com/virtprog/info/faq_securityfixes.htm and make sure you have all of the relevent patches applied to your store.

VP-ASP Support

Go to Top of Page

imulus
Starting Member

19 Posts

Posted - December 01 2005 :  10:35:20  Show Profile  Visit imulus's Homepage  Reply with Quote
What about this version on <page removed for security reasons>

<hack removed for security reasons>
(Please do not post hacks in this forum)

Go to Top of Page

support
Administrator

4266 Posts

Posted - December 01 2005 :  15:02:04  Show Profile  Visit support's Homepage  Reply with Quote
If you can please go through the security fixes page you will find these have all been patched.

http://www.vpasp.com/sales/securitylogin.asp

The above was pateched over 2 years and only affects very early version of 5.00 and earlier releases.

Thank you
VPASP Support

Go to Top of Page

howlegh
Starting Member

USA
2 Posts

Posted - January 18 2006 :  10:47:40  Show Profile  Reply with Quote
Hi,

The page that support refers to fixes the bug with <page removed for security reasons>. However, the first post on this thread refers to <page removed for security reasons>.

There is NO mention of any fixes for <page removed for security reasons> on the page http://www.vpasp.com/sales/securitylogin.asp (which refers me to: http://www.vpasp.com/helpnotes/shopexd.asp?id=810)

I too was recently hacked (I use version 4.50) by the exploit of <page removed for security reasons>.

I would like for a support guy to give me a fix for <page removed for security reasons>, not <page removed for security reasons>.
Go to Top of Page

support
Administrator

4266 Posts

Posted - January 19 2006 :  00:43:29  Show Profile  Visit support's Homepage  Reply with Quote
<code removed for security reasons>

We have added the fix for these page to the security patch page at http://www.vpasp.com/virtprog/info/faq_securityfixes.htm.

Thank you
VP-ASP Support
Go to Top of Page

howlegh
Starting Member

USA
2 Posts

Posted - January 19 2006 :  07:37:42  Show Profile  Reply with Quote
Hi,

Thanks, but I already had that fix in place. The hackers did not use CAT_ID. They exploited a different value. I won't post the hack here, but I will email vpasp support the link containing the sql injection string.
Go to Top of Page

support
Administrator

4266 Posts

Posted - January 19 2006 :  21:44:49  Show Profile  Visit support's Homepage  Reply with Quote
This exploit was fixed in our SQL Injection fix package.

Please download and install this fix from http://www.vpasp.com/sales/addons.asp.

Regards,
VP-ASP Support
Go to Top of Page
  Previous Topic Topic Next Topic  
 New Topic  Reply to Topic
 Printer Friendly
Jump To:
Snitz Forums 2000