There is a massive vunerability in the admin section.

http://demos.creloaded.com/crecds/admin/orders.php/login.php?action=save%20HTTP/1.1&page=1&oID=1&action=edit

Login requirement is completely bypassed. This is present in oscommerce too, but you would think for the money I paid for this you guys could at least catch this one for me.

You MUST, MUST, MUST use basic auth on the admin section.

The oscommerce admin login is completely and utterly useless for security.

That is fixed here
http://www.creloaded.com/fdm_folder_fil ... fPath=0_69

and the newest version 6.4.0.a comes with that already in place

Just looking through the forum trying to keep patched, Since I am new to CRE, I Downloaded and installed the latest 6.04 B2B from the cre site within the last week or so. This should have this patch in it and the version.php claims it is 6.4.0.a. I did some checking to be sure and I noticed that the admin/includes/application_top.php in the Patch seems to differ from what is in the "already patched" full download release. I am wondering which is actually the correct file and what the differences between them actually mean.

I am looking at admin/includes/application_top.php

In the b2b patch downloaded files i see line 213 showing this
if ((basename($PHP_SELF) != 'sss_register.php') &&
(basename($PHP_SELF) != 'sss_validate.php') &&
(basename($PHP_SELF) != 'login.php')


In the b2b full 6.04 download line 213 reads
if ((basename($_SERVER['PHP_SELF']) != 'sss_register.php') &&
(basename($_SERVER['PHP_SELF']) != 'sss_validate.php') &&
(basename($_SERVER['PHP_SELF']) != 'login.php')

The version.php files in the patch and the full download are identical though.

What is the difference between these two lines. Which one of these correct or is there no difference?

the patch 6.4.0a is the one with the security fix

I confused

I just want to make sure I don't goof this up , so bear with me.


I downloaded "CRE_Loaded_PCI_B2B_v6.4.0.zip" (did this right now just to make sure it's the latest).

Extract the archive and then extract catalog.zip to see that

admin\includes\version.php is shows

define('INSTALLED_PATCH', '0.a');

and in admin\includes\application_top.php line 223 reads

if ((basename($_SERVER['PHP_SELF']) != 'sss_register.php') &&
(basename($_SERVER['PHP_SELF']) != 'sss_validate.php') &&
(basename($_SERVER['PHP_SELF']) != 'login.php')

I also downloaded CRE_Loaded_PCI_B2B_v6.4.0.a_Security_PHPSELF.zip
Inside the file the patch zip file admin\includes\version.php is shows

define('INSTALLED_PATCH', '0.a');

and in admin\includes\application_top.php line 223 reads

if ((basename($PHP_SELF) != 'sss_register.php') &&
(basename($PHP_SELF) != 'sss_validate.php') &&
(basename($PHP_SELF) != 'login.php')

Both the full download and the patch contain identical version.php's but the application_top.php files differ only at line 223.

The difference between the two application_top.php files being
basename($PHP_SELF) vs basename($_SERVER['PHP_SELF'])

If the patched zip is the correct one does this mean that the
the latest full download of b2b does not already include the fix?

The actual fix is replacing

with


in admin/includes/application_top.php. its also simple to do it your self.

You can also take extended measures to secure admin area like http://blog.wasimasif.com/hardening-pro ... dmin-area/

thanks