Thursday, October 1, 2009

CF Shopkart 5.4 exploit fix

There has been an exploit identified in the latest version in which a hacker can access your control panel. To fix this:

Open errorprocess.cfm and scroll down to the bottom of that file where you will see some HTML code for the friendly error message displayed on the page.

Copy all the HTML code and then paste it into a new file called error.cfm.
Where the HTML code was put CFLOCATION URL = "index.cfm?action=error" (surround it with <>).

Now open switches.cfm and add to the bottom just above the closing cfswitch tag just had a new CFCASE statement and set it to "error". The template to include will be your error.cfm file you just created.

Basically this will redirect the page when an error is generated and the hacker will not be able to see the information they are getting from the database.

Note: Not all sites are affected, but some who have certain widgets hidden will be, and you should take immediate action just in case. I am still working on an update to the latest version to further enhance security.