We were notified on 5/15 of a vulnerability which affects all Squirrelcart versions up to 2.2.2. It is a remote file inclusion flaw: an attacker can make your server fetch a PHP file from a URL they control and execute the code it contains.
Your installation is vulnerable if PHP on your server is allowed to include files from URLs (the allow_url_fopen setting in php.ini, or allow_url_include on PHP 5.2 and later). This is a common configuration, so we recommend that you apply the patch as soon as possible. It is available on our Downloads page, in the "Add-ons and Updates" section. Instructions for applying the patch are in the "read_me.txt" file inside the zip file.
This is a preliminary patch to protect against this known vulnerability as it has been reported. We will be issuing a more comprehensive update in the next few days that will protect against any possible similar attacks.
While it is difficult to say with 100% certainty what a malicious person may attempt to do by exploiting this vulnerability, here are some things you should watch out for, and some general security advice:
1. If you have any doubt at all as to whether or not your installation may have been compromised, change your Squirrelcart admin username and password. This is always a good idea. Code run through this flaw executes with the web server's permissions and can read any file the cart itself can read, including config.php, so if you suspect a compromise change the database password stored there as well.
2. We have seen symptoms similar to those posted here on an affected installation:
http://forums.asmallorange.com/lofiv...php/t5815.html
3. You should not have ANY PHP files in any folder inside your "sc_images" folder. This is the default folder that contains your Squirrelcart images (the name can be changed using the config.php file). If you find PHP files inside this folder or any of its subfolders, remove them.
4. On the affected installation, we found ".htaccess" files inside the "sc_images" folder that did not belong there. If you find any of these files inside "sc_images" or its subfolders, remove them.
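The checks in points 3 and 4, together with the php.ini setting that decides whether you are exposed at all, can be run from a shell on the server. The script below is an added example, not part of Squirrelcart and not the vendor's patch. It assumes the cart is installed under $SC_ROOT (default: the current directory) and that the image folder is still called "sc_images" (set IMG_DIR if you renamed it in config.php).

```shell
#!/bin/sh
# Added audit helper; not part of Squirrelcart and not the vendor's patch.
# Assumptions: the cart lives under $SC_ROOT (default: current directory) and
# its image folder is "sc_images" (the default; set IMG_DIR if you renamed it).

SC_ROOT="${SC_ROOT:-.}"
IMG_DIR="${IMG_DIR:-sc_images}"

# Print every PHP script or .htaccess file found anywhere under the folder
# given as $1. Neither kind of file belongs in the image folder; a hit is a
# sign the folder was used as a drop point after a remote-include attack.
# Prints nothing (and succeeds) when the folder does not exist.
find_suspect_files() {
    [ -d "$1" ] || return 0
    find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[3-7]' \
                         -o -name '.htaccess' \) 2>/dev/null | LC_ALL=C sort
}

# Number of suspect files under the folder given as $1 (0 when clean or missing).
count_suspect_files() {
    find_suspect_files "$1" | wc -l | tr -d ' '
}

# Show whether PHP will fetch include()/require() targets over a URL.
# allow_url_include (PHP 5.2 and later) is the setting that matters; on older
# PHP allow_url_fopen alone governs remote includes, so both are shown.
# This reads the CLI's php.ini, which can differ from the web server's copy;
# the authoritative answer is phpinfo() viewed through the web server.
php_remote_include_settings() {
    if command -v php >/dev/null 2>&1; then
        php -r 'foreach (array("allow_url_fopen", "allow_url_include") as $k) {
                    echo $k, "=", ini_get($k) ? "On" : "Off", "\n";
                }'
    else
        echo "php CLI not found; check phpinfo() through the web server instead"
    fi
}

echo "== PHP remote include settings =="
php_remote_include_settings
echo "== Suspect files under $SC_ROOT/$IMG_DIR =="
find_suspect_files "$SC_ROOT/$IMG_DIR"
echo "Total suspect files: $(count_suspect_files "$SC_ROOT/$IMG_DIR")"
```

Run it as `SC_ROOT=/path/to/your/site sh audit.sh`. Any file it lists should be removed as described above; "Total suspect files: 0" on a clean install. If allow_url_include (or, on PHP before 5.2, allow_url_fopen) shows "On" and you control php.ini, turning it Off closes this class of attack for every PHP application on the host, not just the cart.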
If you need assistance regarding this, please contact us using our helpdesk:
http://www.ldev.com/helpdesk/