Urgent Security Alert: CRE LOADED 6.2 SQL Injection Exploit Detected and Contained

Open-source software developers Chain Reaction Ecommerce reported the detection and containment of a potentially harmful security exploit in their award-winning osCommerce-based shopping cart application CRE Loaded. All CRE Loaded 6.2 users should upgrade immediately.

CRE Forum member Thomas Spitznas identified the potential exploit in his CRE Loaded store and notified the CRE Development team of the security issue. After reviewing the code, CRE's developers found the exploit to be real. The team, led by CRE Loaded Senior Product Manager Charles Williams, Jr., immediately updated the core code and released Patch 13.1 to correct the issue. All existing CRE Loaded 6.2 store owners were notified of the security alert.

"There are more than 150,000 CRE Loaded 6.2 stores, and this exploit made them all vulnerable, so needless to say, we were very concerned when we were made aware of this matter," said Chain Reaction Ecommerce CEO Michael Valverde. "Leveraging the collective energy of our very active user/developer forums of more than 9000 individuals, we were able to quickly identify the issue and take immediate corrective actions. This is further proof of the strength and benefits of open-source software and communities built around core products like CRE Loaded."

The Visual Verify Code (the image-based verification code shown on forms) was handled using a non-standard method of determining the session ID when matching the code a visitor submitted against the value stored for that session. Because of how that session variable was handled, a malicious user could pass crafted variables to the pages that perform this check, and the page code then used those values without validation, which is the SQL injection this alert concerns.
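The following is an added illustration of the bug class described above, not code from CRE Loaded or osCommerce (which are PHP/MySQL; this is a small Python/sqlite model). It assumes a hypothetical table `visual_verify_code` keyed by session id, and a request parameter named `osCsid`, the conventional osCommerce session parameter name, used here only as an assumption. The vulnerable check derives the session id from request input and interpolates it into SQL, so a submitted value that contains SQL can make the query return an attacker-chosen code; the fixed check uses the server-side session id and a bound parameter.

```python
import hmac
import sqlite3

# Constructed in-memory store modelling a per-session verification code.
# Hypothetical schema for illustration; not CRE Loaded's actual table.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE visual_verify_code (sessions_id TEXT PRIMARY KEY, code TEXT)"
    )
    db.execute("INSERT INTO visual_verify_code VALUES ('sess-a1b2', 'X7K9Q')")
    db.commit()
    return db


def check_code_vulnerable(db, request, submitted_code):
    """Vulnerable pattern: the session id comes from the request (assumed
    parameter name 'osCsid') and is interpolated straight into the query."""
    sid = request.get("osCsid", "")
    sql = "SELECT code FROM visual_verify_code WHERE sessions_id = '%s'" % sid
    row = db.execute(sql).fetchone()
    # Whatever the query returns is trusted as "the code for this session".
    return row is not None and row[0] == submitted_code


def check_code_fixed(db, server_session_id, submitted_code):
    """Hardened pattern: the session id is the one the server already holds
    (never taken from GET/POST), the query uses a bound parameter, and the
    comparison is constant-time."""
    row = db.execute(
        "SELECT code FROM visual_verify_code WHERE sessions_id = ?",
        (server_session_id,),
    ).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], submitted_code)


# Constructed attacker input: closes the string, UNIONs in a value the
# attacker chose, and comments out the trailing quote.
INJECTED_SID = "' UNION SELECT 'ABC' --"


def demo():
    db = make_db()
    return {
        "honest_vulnerable": check_code_vulnerable(
            db, {"osCsid": "sess-a1b2"}, "X7K9Q"
        ),
        # Attacker never saw the real code, yet passes by supplying 'ABC'.
        "bypass_vulnerable": check_code_vulnerable(
            db, {"osCsid": INJECTED_SID}, "ABC"
        ),
        "honest_fixed": check_code_fixed(db, "sess-a1b2", "X7K9Q"),
        # Same payload against the bound query matches no row.
        "bypass_fixed": check_code_fixed(db, INJECTED_SID, "ABC"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point of the fixed version is twofold: the identifier used to look up the stored code is the one the server associates with the session, so the client cannot choose it, and it reaches the database as a bound parameter rather than as part of the SQL text.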

To resolve the issue, all CRE Loaded 6.2 users are urged to install Patch 13.1. Any new CRE Loaded download made after January 31, 2008 already includes this fix.

About Chain Reaction Ecommerce:
Founded in 2001, Chain Reaction Ecommerce makes the CRE Loaded ecommerce shopping cart and online store and the popular add-on content management tool, CRE Content Director System. With more than 150,000 CRE Loaded shopping cart applications in use, Chain Reaction Ecommerce offers its customers complete support and a host of ecommerce services, including CRE Merchant for credit card processing; CRE Secure for PCI compliance scanning, SSL, EV SSL and company background review; and CRE Messenger for in-store sales and customer service chat. An aggressive software release schedule and partnerships with best-in-class ecommerce companies mean CRE Loaded store owners will remain at the forefront of ecommerce well into the future.

###
