Security update for xt:commerce Shop system
The developers of the open source xt:commerce shop system have issued a security patch for Version 3.0.4 Sp2.1 that eliminates an SQL injection vulnerability in the shop. The vulnerability is reported to have already been actively exploited to gain access to webshop databases and obtain the administrator's login data and MD5 password hash. Operators of webshops based on xt:commerce should therefore apply the patch as quickly as possible.
Since the patch is only available for 3.0.4 Sp2.1, the developers urgently recommend updating to this version. For an attack to succeed, search-engine-friendly URLs (SEO URLs) must be enabled in the shop and magic_quotes_gpc = on must be set in php.ini, but these are the default settings in Debian and Ubuntu, for example.
- Security patch for Version 3.0.4 Sp2.1, German announcement by xt:commerce
(trk)