
Security Advisories

Name: Anonymous 2012-09-20 5:21

ITT: We share 0day security vulnerabilities in public software.

Me first.

OsCommerce Newsletters & Subscribers Osc Addon (Download Link: http://addons.oscommerce.com/info/8540)
Vulnerable code:

newsletters_subscribe.php line 16:
$subscribers_info = tep_db_query("select subscribers_id from " . TABLE_SUBSCRIBERS . " where subscribers_email_address = '" . $HTTP_POST_VARS['Email'] . "' ");

There are various other points in the code where POST input is not sanitized allowing SQL injection.
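The quoted line beside two hardened forms, as an added example (not code from the thread or the addon): it assumes the osCommerce 2.x helpers tep_db_query(), tep_db_prepare_input() and tep_db_input() from includes/functions/database.php, the TABLE_SUBSCRIBERS constant, and for the third variant a mysqli connection $link with mysqlnd available.

```php
<?php
// Added example, not the addon's code. Assumes osCommerce 2.x helpers
// tep_db_query(), tep_db_prepare_input(), tep_db_input() and the
// TABLE_SUBSCRIBERS constant; the mysqli variant assumes a $link connection.

// Vulnerable (as posted): the raw POST value is concatenated into the SQL text,
// so a quote in the Email field ends the string literal and the rest is parsed as SQL.
function subscriber_lookup_vulnerable(array $post) {
    return tep_db_query("select subscribers_id from " . TABLE_SUBSCRIBERS .
        " where subscribers_email_address = '" . $post['Email'] . "' ");
}

// Hardened with the framework's own helpers: tep_db_prepare_input() trims,
// strips slashes and sanitises; tep_db_input() escapes for the DB connection.
function subscriber_lookup_escaped(array $post) {
    $email = tep_db_prepare_input(isset($post['Email']) ? $post['Email'] : '');
    return tep_db_query("select subscribers_id from " . TABLE_SUBSCRIBERS .
        " where subscribers_email_address = '" . tep_db_input($email) . "'");
}

// Preferred: a parameterised query keeps user data out of the SQL text entirely,
// and input validation rejects anything that is not shaped like an e-mail address.
// The table name comes from the constant, never from the request.
function subscriber_lookup_prepared(mysqli $link, array $post) {
    $email = isset($post['Email']) ? trim((string) $post['Email']) : '';
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null; // not an e-mail address: do not query at all
    }
    $stmt = $link->prepare('SELECT subscribers_id FROM ' . TABLE_SUBSCRIBERS .
        ' WHERE subscribers_email_address = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row; // array with subscribers_id, or null when no row matches
}
```

The same pattern (prepare, bind, execute) applies to the other unsanitised POST reads the post mentions; grepping the addon for `$HTTP_POST_VARS[` inside a `tep_db_query(` string is a quick way to list them.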

Name: Anonymous 2012-09-20 7:48

osCommerce is quite possibly the shittiest CMS I have ever had to work with.  One little error and the whole site goes down. Warnings everywhere is standard procedure. SQL injections out the ass.  Shit don't work.  And some German faggot named Harald Ponce de Leon is in charge of it all. 

I've had to rewrite tons of these contributions because most of them were either abandonware or written during the Dark Ages of PHP4.  If you do decide to contribute to osCommerce and post code, you'll have a ton of assholes selling crap to fatfuck America who want you to fix their site for free. 

PHP makes me drink and beat my girlfriend.  Hack away!
