imulus
Starting Member
19 Posts |
Posted - November 21 2005 : 17:34:13
|
Running this will give you access to the admin, unbelievable.... is there a patch for this specific hack?
<hack removed for security reasons> |
|
bme
Starting Member
35 Posts |
Posted - November 21 2005 : 21:16:42
|
Thanks for posting that so everyone knows how to now....
|
|
|
imulus
Starting Member
19 Posts |
Posted - November 22 2005 : 08:31:48
|
No problem, we fixed the problem after a few hours of recoding the site but this certainly needs to be addressed ASAP.
|
|
|
apswater
VP-CART Super User
444 Posts |
Posted - November 22 2005 : 14:13:33
|
I think you were missing a security patch; mine does not do that. I think that was the SQL Inject that was fixed some time back.
|
|
|
support
Administrator
4679 Posts |
|
imulus
Starting Member
19 Posts |
Posted - December 01 2005 : 10:35:20
|
What about this version on <page removed for security reasons>
<hack removed for security reasons> (Please do not post hacks in this forum)
|
|
|
support
Administrator
4679 Posts |
Posted - December 01 2005 : 15:02:04
|
If you can please go through the security fixes page you will find these have all been patched.
http://www.vpasp.com/sales/securitylogin.asp
The above was patched over 2 years ago and only affects very early versions of 5.00 and earlier releases.
Thank you VPASP Support
|
|
|
howlegh
Starting Member
USA
2 Posts |
Posted - January 18 2006 : 10:47:40
|
Hi,
The page that support refers to fixes the bug with <page removed for security reasons>. However, the first post on this thread refers to <page removed for security reasons>.
There is NO mention of any fixes for <page removed for security reasons> on the page http://www.vpasp.com/sales/securitylogin.asp (which refers me to: http://www.vpasp.com/helpnotes/shopexd.asp?id=810)
I too was recently hacked (I use version 4.50) by the exploit of <page removed for security reasons>.
I would like for a support guy to give me a fix for <page removed for security reasons>, not <page removed for security reasons>. |
|
|
support
Administrator
4679 Posts |
|
howlegh
Starting Member
USA
2 Posts |
Posted - January 19 2006 : 07:37:42
|
Hi,
Thanks, but I already had that fix in place. The hackers did not use CAT_ID. They exploited a different value. I won't post the hack here, but I will email vpasp support the link containing the sql injection string. |
|
|
support
Administrator
4679 Posts |
Posted - January 19 2006 : 21:44:49
|
This exploit was fixed in our SQL Injection fix package.
Please download and install this fix from http://www.vpasp.com/sales/addons.asp.
Regards, VP-ASP Support |
|
|
|