This is a security alert for all mambo-phpShop users. If you are still running a version of mambo-phpShop older than "mambo-phpShop 1.2-stable", your webshop is at risk.
Versions affected: mambo-phpShop 1.1 - 1.2 RC2.
Versions NOT affected: mambo-phpShop 1.2 stable (all patch levels).
Please note that VirtueMart is not affected by this security issue.
What's my mambo-phpShop version?
You can find out which version of mambo-phpShop you have installed by looking at the file /administrator/components/com_phpshop/version.php of your Mambo/Joomla installation.
Am I at risk?
The security hole can only be exploited if PHP on your server is running with "register_globals=on". You can check this setting in Mambo by either clicking on "System" => "Help" => "System Info", or "System" => "System Info".
How can I fix the problem quickly?
There's an easy fix for this problem:
Find the file /administrator/components/com_phpshop/toolbar.phpshop.html.php and add
right after the PHP bracket, so it looks like this:
Please note: If you can't access the file with your FTP program because you don't have permission to access the file, just install the component "joomlaXplorer" (Yes, it also works on Mambo >= 4.5!! - Download: http://forge.joomla.org/sf/frs/do/viewRelease/projects.joomlaxplorer/frs.joomlaxplorer.joomlaxplorer_1_4_0). With the help of this component you can edit the file from your Webshop's Backend.
If you have set up a store for a client using one of the affected mambo-phpShop versions and it's still not updated, please notify your client about this security risk.
This security issue was first discovered by mambo-phpShop users on August 19 / 20 and has still not been made public, so you still have time to fix your installation.
This is the forum topic where this issue can be discussed with other users: http://virtuemart.net/index.php?option=com_smf&Itemid=71&topic=21019.msg51818.