OSCommerce Admin Mail Hack
OSCommerce v2.2 RC2a has a vulnerability which allows hackers to use your website and customer database to send YOUR customers SPAM advertising email. Previous versions of OSC didn't have any login for administrators:
...so it was obvious you had to protect the admin folder to stop anyone at all from getting in and making money off your website.
The current version makes you feel safe and that's a bad thing. It's not safe from hackers that know what they're doing and it's possible
to do just about any admin function. Once they've uploaded a PHP file to your /images directory they can do anything with your website.
Or they can use the Newsletter manager to send whatever message they like to any and all of your customers, but you'll get
the blame because the email will appear to have been sent by you.
What Should I do?
The exploit cannot be run on sites where the admin directory is password protected. If you use your Webserver Control Panel to set up username/password (Basic Authentication) on the admin directory, you can get your browser to remember the username and password for you so it's not onerous logging in, but you'll be safe from further exploits using this method.
If you're looking for an OSCommerce expert that can listen to your problems and provide solutions, just contact us (standard disclaimer: not for free though)
This OSCommerce site does a lot of business. We helped improve its telephone ordering system as well as providing custom modifications and technical advice.