Skip to main content

Mass Injection Attacks Targeting osCommerce Vulnerabilities

Last Update Date: 12 Aug 2011 Release Date: 2 Aug 2011 8117 Views

RISK: High Risk

TYPE: Attacks - Other

TYPE: Other

Multiple vulnerabilities have been identified in osCommerce application, which can be exploited by hackers to inject malicious content in vulnerable osCommerce websites.


A large scale injection attack targeting osCommerce websites is reported.  Injected "<iframe>" and "<script>" pointing to malicious links will infect computers via various exploits.  This attack leverages several osCommerce vulnerabilities including

  • osCommerce Remote Edit Site Info Vulnerability [disclosed 10 July 2011]
  • osCommerce 2.3.1 (banner_manager.php) Remote File Upload Vulnerability [disclosed 14 May 2011]
  • osCommerce Online Merchant v2.2 File Disclosure And Admin ByPass Vulnerability [disclosed 30 May 2010]


  • Remote Code Execution

System / Technologies affected

  • osCommerce Online Merchant v2.x
  • osCommerce Online Merchant v3.x


For web administrators,

  • Detection
    1. Under the following circumstances, your servers may have been injected / infected
      • Search server logs for
        • access from IPs: , , ,
        • and access with agent string:  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)
      • Search your site for the existence of <iframe> or <script> tags with links pointing to
        • hxxp :// willysy . com / images / banners /
        • hxxp :// exero . eu / catalog / jquery . js
        • hxxp :// tiasissi . com . br / revendedores / jquery /
        • hxxp :// adorabletots . co . uk / tmp / js . php
        • This list may change as attacks alter their malware hosting.  Please inform us if you find other suspicious scripts.
  • Recovery
    1. Find and remove the infected backdoors
    2. Find and remove the injected iframes / scripts


For end-users,

  • Maintain security patch and security software updated, turning on personal firewall, and staying cautious.
  • Beware of security warnings from browsers or security software.  Do not visit any unsolicited websites or disable Javascript in browsers.

Vulnerability Identifier

  • No CVE information is available


Related Link