It has recently come to our attention that an exploit in PHP on Apache servers may be accessible through SunShop's scripts. Because of this finding, we have built prevention into SunShop 4.3.6, which will be released next week. Today it was discovered that this exploit has been used on a few customers' sites in the last week. Because of this, we are issuing an immediate repack of SunShop 4.3.5 to prevent this problem from occurring any further. It is important to note that if you are NOT running SunShop on an Apache server in a Linux/Unix environment, you will not be affected by this problem. Unfortunately, though, most hosting companies do host on Linux/Unix-based servers. Please see below for information on how to patch this issue.
Running SunShop 4.3.5: If you are currently running SunShop 4.3.5, simply log in to the TWT account area, re-download SunShop 4.3.5, and replace the /libsecure.php and /admin/libsecure.php files.
Running SunShop 4.3.4 & Lower: If you are running an older version of SunShop, it is recommended that you upgrade immediately to SunShop 4.3.5. If you cannot upgrade due to extensive customizations, open a ticket using the link below and we will see if we can provide you with patched libsecure.php files for your version, if they are available. In some cases the older libsecure.php files will not be available, and we will attempt to patch your current version.
*Note* If you choose to have a professional upgrade to version 4.3.5, we will perform a free upgrade to 4.3.6 when it becomes available next week at your request.
Help From TWT
If you are currently running SunShop 4.3.5 and would like us to replace the files for you, please open a new ticket using the link below and provide your FTP information. We will perform the file replacement for you at that point.
Thursday, February 7, 2013