I tried it on local osCommerce installation and it worked like a magic. In screen shot below, you can see configuration of a store. Just by changing URL other configurations can also be seen.

Similarly any one can see orders placed, information of single order, customer email, customer name and other information. The issue still exists in latest version of osCommerce v2.2 RC2a (as seen in screen shot above).

The issue is also found in CRE Loaded PCI Pro 6.4, so it should also exist in all older versions as well. Below is screen shot for CRE Loaded site, where orders information is visible.

Its also possible to see single order details with customer name, address, email, payment information etc.

The issue is fixed in CRE Loaded 6.4.1 version, which is latest version at the moment. This means any one using older version must take measures quickly, or they will remain open to hackers and information theft.

I am not writing the actual method to get into admin area, as doing it will make it public, and will create high risk for so many osCommerce, CRE Loaded sites.

Immediate fix for this serious security issue is simple one.

Fix for osCommerce and CRE Loaded 6.2 and older

1. Backup admin/includes/application_top.php in case something goes wrong
2. Open file admin/includes/application_top.php in some php or text editor.
3. Find line
   $PHP_SELF = (isset($HTTP_SERVER_VARS['PHP_SELF']) ? $HTTP_SERVER_VARS['PHP_SELF'] : $HTTP_SERVER_VARS['SCRIPT_NAME']);
4. Replace the first occurrence of the line with this
   $PHP_SELF = $HTTP_SERVER_VARS['SCRIPT_NAME'];
5. For CRE, find line
   $PHP_SELF = (isset($HTTP_SERVER_VARS['PHP_SELF']) ? $HTTP_SERVER_VARS['PHP_SELF'] : $HTTP_SERVER_VARS['SCRIPT_NAME']);
   remove it or replace it with above line
6. Save the file

Fix for CRE Loaded 6.3 and 6.4.0

1. Backup admin/includes/application_top.php in case something goes wrong
2. Open file admin/includes/application_top.php in some php or text editor.
3. Find line
   $PHP_SELF = (isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME']);
4. Replace the line with this
   $PHP_SELF = $_SERVER['SCRIPT_NAME'];
5. Save the file

It is highly recommended to follow guidelines mentioned in http://www.infotales.com/hardening-protecting-cre-loaded-admin-area/. Following these guidelines will further secure admin area from hackers attack.

What I found out that issue was due to a configuration which does not cater the discount coupon amount. One configuration called “Shopping Cart Method” was set to “Itemized”. This setting shows item wise detail on PayPal checkout page. As discount coupons are applied on an order not on any particular item, so the total amount charged is without discount.

When the option was set to “Aggregate” mode the issue resolved. This does not show much detail for items purchased, on PayPal page but shows the correct amount to charge. So this works for me.

So if you want to do the same, login to your admin area and go to Modules > Payment and select the PayPal module. Now click on Edit button and find Shopping Cart Method and select “Aggregate” option. Click “update” button to save this change. The should be gone.

I have tried this on CRE Loaded pro 6.2 but it should also work for other version of CRE Loaded and OSCommerce as well.

For more updates and fix in CRE Loaded keep visiting CRE Loaded section on my blog.

To enable this tracking your need to login to your GA account and goto Analytics Settings > Profile Settings > Edit Profile Information. Under Site Search select Do Track Site Search. Now you need to tell what parameter contains the search term. As internal search is provided on this page advanced_search_result.php?keywords=test, here we have to track keywords parameter. So put keywords in Query Parameter (required): field.

This will enable tracking for searches performed on your site. Many useful reports are provided by GA telling for example what people are searching and many other things.

CRE Loaded team has done good job to make this area secure by use of encrypted passwords, https access etc. Recent 6.4.1 release includes password hardening task to further enhance security. Still there is a lot, which you can do to protect admin area.

In this post I will list few guidelines to enhance admin area protection. The post also includes basic methods to apply these guidelines.

So here are the guidelines.

1. Don’t use default http://mycresite.com/admin/ structure
2. Use password protected directories
3. Restrict access to specific IPs only
4. Use secure user names and passwords

1. Don’t use default http://mycresite.com/admin/ structure

In default installation admin area is installed in /admin/ folder and accessible from http://mycresite.com/admin/ URL. As this default location is publicly known hackers can easy launch attempts to break in.

To avoid this issue it is strongly recommended that you don’t install and use admin are on default location. With little effort you can change this location by

• Rename admin folder: One simple way is to rename admin folder to some different name which is not easy to guess. For example 234admin80907. You will need to update this folder path in {new_admin_folder}/includes/configure.php. You will need to update following configurations
  1. DIR_WS_HTTP_ADMIN
  2. DIR_WS_HTTPS_ADMIN
  3. DIR_FS_ADMIN
• Install on different domain: Admin area is completely independent from rest of the site so it can be installed on completely different domain or sub domain. This way makes its location more sure and non guessable.
  To do this move /admin/ folder (or whatever you renamed it to) on separate location (e.g public_html/admin/), and point your separate domain or sub domain to this folder. Using a sub domain is easier than complete new domain as many sub domains are allowed under same hosting.
  Please use non guessable domain or sub domain to make is more secure.
  You will need to update these changes in includes/configure.php of this folder. You will need to change following configurations
  • HTTP_SERVER
  • HTTPS_ADMIN_SERVER
  • DIR_WS_HTTP_ADMIN
  • DIR_WS_HTTPS_ADMIN
  • DIR_FS_ADMIN

  Note: For sub domain you may need high level SSL certificate which can work on main and sub domain without error.

2. Use password protected directories

Always protect your admin folder with additional password. Most of the hosting packages include feature to make some directories password protected from there control panel. This user name and password will be asked by browser even before the login page is displayed so this can be a good weapon to protect your admin area.

3. Restrict access to specific IPs only

You can also restrict access to admin area from specific IPs only easily. By this admin area will only be accessible from specified IPs only. For this you will need to edit .htaccess file under admin/ folder.
To do this download admin/.htaccess file and open it with some text editor. Put following code in .htaccess file

Order Deny,Allow
Deny from all
Allow from 100.100.100.100, 100.100.100.101


and uploaded.

Here 100.100.100.100 is example ips put your list of comma separated IPs. The code tells server to block all requests unless they are from specified IPs.

4. Use secure user names and passwords

No matter if it is password of admin area or password protected directories, use user names and passwords which are not easily guessable. Do not very user names like admin, administrator etc. A good password should mix alphabets, numbers, special characters etc to avoid easy brute force attacks.

This payment module sends middle digits of CC and CVV code in an email to admin. Due to the bug this CVV code value was missing.

To fix the issue open file includes/modules/payment/cc_uk.php in editor and find line

$this->cc_issue = (isset($_POST['cc_issue'])) ? $_POST['cc_issue'] : '';

after this line add line

$this->cc_ccv = (isset($_POST['cc_ccv'])) ? $_POST['cc_ccv'] : '';

and you are done. Save the file and test.

Please be sure to backup your file before editing.

• Admin log in as customer
• Several PayPal payment modules
  
• Admin Password hardening to satisfy PCI PA-DSS requirements 8.5.10 and 8.5.11
• etc

Right now I did not get chance to look at new release, will get back as soon as I get chance to see.

I have been studying and applying performance guidelines for a while. Recent addition of Site Performance stats in Google Webmaster Tools have motivated me to run a full optimization cycle on CRE Loaded.

A number of performance tweaks were applied over a time, like cache, gzip compression, image cache etc. Still few things were missing like proper use of browser cache, http requests, css gzip etc.

Now following are results from performance measuring tools
YSlow

Page Speed

WebPageTest.org

Detailed test results can be seen at http://www.webpagetest.org/result/091228_3WME/

If you want your site to perform as good as A grade site you can contact me by posting a comment for free advice.

I found this in cre loaded Pro 6.4.0, but when confirmed it exists in Community edition as well. I guess this issue may exist on other pages like “new products page”.

The manufacturer name can be turned on from Admin > Configuration > Product Listing > Display Product Manufacturer Name.

If you are using SEO URLs addon this bug can cause you a lot because it will generate unwanted link to your home page.

There are two ways of fixing the issue, one is to wait for fix release of which was expected in August but still not here, i am not sure if this bug will be fixed or not. Second fix is simple one, and can be found at Product listing bug fix in CRE Loaded.

The contribution is called osC Advanced Cache Class. The contribution will enable us to cache just about every thing like large arrays, data, html, even executable PHP code. More details of the contribution can be found here.

Here we will only install this contribution on cre loaded 6.4 we will use it later some where. For the possible uses please see contribution home page, referred above.

We will be installing it on Pro version and I hope the process will be same for other cre loaded versions. We will use Runtime Code Inclusion (RCI) feature of Cre loaded, to minimize chances of losing our changes during future upgrades. For RCI details refer to cre loaded.

Step One: downloading the contribution

Download the contribution from this page and extract it to some folder. The code includes an install script but please don’t use it as it is made for oscommerce not cre loaded.

Step Two: Adding class file

Copy osC-Cache/osC-Cache/upload/includes/classes/cache.class.php file to your installation of your cre loaded. The file should be copied to /includes/classes/ folder of your installation.

Step Three: Database Changes

You will need to add a new table in you database. Create a new table by executing the following query.

CREATE TABLE cache (
cache_id varchar(32) NOT NULL default '',
cache_language_id tinyint(1) NOT NULL default '0',
cache_name varchar(255) NOT NULL default '',
cache_data mediumtext NOT NULL,
cache_global tinyint(1) NOT NULL default '1',
cache_gzip tinyint(1) NOT NULL default '1',
cache_method varchar(20) NOT NULL default 'RETURN',
cache_date datetime NOT NULL default '0000-00-00 00:00:00',
cache_expires datetime NOT NULL default '0000-00-00 00:00:00',
PRIMARY KEY (cache_id,cache_language_id),
KEY cache_id (cache_id),
KEY cache_language_id (cache_language_id),
KEY cache_global (cache_global)
) TYPE=MyISAM;

Step Four: Implement cache class using RCI

Now create a new empty file named cache_applicationtop_bottom.php in folder includes/runtime/applicationtop/ of your cre loaded installation. Now open the new file and put following code in the file cache_applicationtop_bottom.php

<?php
global $cache, $languages_id;
# include the cache class
include(DIR_WS_CLASSES . ‘cache.class.php’);
$cache = new cache($languages_id,true);
# Get the cache – no parameters will get all GLOBAL cache entries for this language
$cache->get_cache(‘GLOBAL’);
?>

After saving the file try browsing your site, if you have done all steps properly you should not have any problems with it. If you see any problem like blank page is displayed or any thing else please make sure that you followed all steps properly.

May be in some other post we will see how we can use this cache contribution with cre loaded and get maximum advantages of cache.

To fix the issue open file specials.php and find line case 'PRODUCT_LIST_MANUFACTURER':. In line next to it add p.manufacturers_id, after m.manufacturers_name,. This will add manufacturers_id column in selection list. Save the file and test.

You can do same thing in files products_new.php and featured_products.php. Keep following CRE Loaded category to stay updated.