CRE Loaded Security Issue
If your shop runs on the CRE Loaded platform, you should know that a security exploit has been reported: a simple change to the URL allows any malicious user to access protected pages in the admin area without an admin password!
It’s been reported that all CRE Loaded versions before 6.4.0a are exploitable.
To check whether you are affected, change the URL /admin/login.php to /admin/orders.php/login.php. If you can see your order history without logging in, you are affected. Here is the security fix:
- Edit the admin/includes/application_top.php file
- Find the line:
$PHP_SELF = (isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME']);
- Depending on your CRE Loaded version, the line above may also look like:
$PHP_SELF = (isset($HTTP_SERVER_VARS['PHP_SELF']) ? $HTTP_SERVER_VARS['PHP_SELF'] : $HTTP_SERVER_VARS['SCRIPT_NAME']);
- Replace it with this:
$PHP_SELF = $_SERVER['SCRIPT_NAME'];
Done.
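Why the one-line change matters, shown as an added example that is not CRE Loaded's own code: PHP appends trailing path info to PHP_SELF but not to SCRIPT_NAME, so a check that looks at the last path component of $PHP_SELF can mistake orders.php for the login page. The requires_login() function and the $_SERVER values below are assumptions constructed for illustration; the page does not show the platform's actual login check.

```php
<?php
// Constructed $_SERVER values for three requests to the admin area.
// For /admin/orders.php/login.php the web server executes orders.php and
// treats "/login.php" as path info: it ends up in PHP_SELF, not SCRIPT_NAME.
$requests = [
    '/admin/login.php' => [
        'SCRIPT_NAME' => '/admin/login.php',
        'PHP_SELF'    => '/admin/login.php',
    ],
    '/admin/orders.php' => [
        'SCRIPT_NAME' => '/admin/orders.php',
        'PHP_SELF'    => '/admin/orders.php',
    ],
    '/admin/orders.php/login.php' => [
        'SCRIPT_NAME' => '/admin/orders.php',
        'PHP_SELF'    => '/admin/orders.php/login.php',
    ],
];

// Hypothetical stand-in for a login gate that exempts the login page by name.
function requires_login(string $self): bool
{
    return basename($self) !== 'login.php';
}

foreach ($requests as $url => $server) {
    // Before the fix: PHP_SELF is preferred whenever it is set.
    $before = isset($server['PHP_SELF']) ? $server['PHP_SELF'] : $server['SCRIPT_NAME'];
    // After the fix: only the script that actually executes is considered.
    $after = $server['SCRIPT_NAME'];

    printf(
        "%-30s executes %-18s login required before fix: %-5s after fix: %s\n",
        $url,
        $server['SCRIPT_NAME'],
        var_export(requires_login($before), true),
        var_export(requires_login($after), true)
    );
}
```

Only the third request differs between the two columns: before the fix the gate is skipped even though orders.php is the script being run.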
PS: CREHelp.com will charge you $40 for this










