Security update for cpCommerce shop software
Update 1.2.7 has been issued for the cpCommerce shop software to prevent logins without valid login data. The problem is an error in _functions.php that can be exploited to overwrite arbitrary PHP variables. Crafted HTTP requests can be used to acquire administrator rights and even run injected PHP code.
The error was discovered in version 1.2.6, but other versions may also be affected. Users should install the update as soon as possible, because an exploit that takes advantage of this vulnerability has already appeared on Milw0rm.
- Topic: v1.2.7 has been released!, cpcommerce announcement