In association with heise online

21 November 2008, 11:05

Security update for xt:commerce Shop system


The developers of the open source xt:commerce shop system have issued a security patch for version 3.0.4 Sp2.1 to eliminate an SQL injection vulnerability in the shop. The vulnerability is reported to have already been actively exploited to gain access to webshop databases and obtain the administrator's login data and MD5 password hash. Operators of webshops based on xt:commerce should therefore apply the patch as quickly as possible.

Since the patch is only available for 3.0.4 Sp2.1, the developers urgently recommend updating to this version. For an attack to be successful, search-engine-friendly URLs (SEO URLs) must be enabled in the shop and magic_quotes_gpc = on must be set in php.ini, but these are the default settings in Debian and Ubuntu, for example.

