This is a security alert for all mambo-phpShop users. If you are still using mambo-phpShop at an older version than "mambo-phpShop 1.2-stable", your webshop is at a security risk.

Versions affected: mambo-phpShop 1.1 - 1.2 RC2.
Versions NOT affected: mambo-phpShop 1.2 stable (all patch levels).

Please note that VirtueMart is not affected by this security issue.

What's my mambo-phpShop version? 

You can find out which version of mambo-phpShop you have installed by looking at the file /administrator/components/com_phpshop/version.php of your Mambo/Joomla installation.


Am I at risk?

The security hole  can only be exploited if PHP on your server is running with "register_globals=on". You can check this setting in Mambo by either clicking on "System" => "Help" => "System Info", or "System" => "System Info".

How can I fix the problem quickly?

There's an easy fix for this problem:

Find the file /administrator/components/com_phpshop/toolbar.phpshop.html.php and add

defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );

right after the PHP bracket, so it looks like this:

defined ( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );
/** ....

Please note: If you can't access the file with your FTP program because you don't have permission to access the file, just install the component "joomlaXplorer" (Yes, it also works on Mambo >= 4.5!! - Download: With the help of this component you can edit the file from your Webshop's Backend.

If you have set up a store for a client using one of the affected mambo-phpShop versions and it's still not updated, please notify your client about this security risk.

This security issue is was first discovered by mambo-phpShop users on August 19 / 20 and is still not made public, so you have still time to fix your installation.

This is the forum topic where this issue can be discussed with other users:


#2 Tim1111111 2006-08-31 16:16
yeah right...hacked already..... so it is a bit public at least
Report to administrator
#1 kris 2006-08-30 03:00
Hi, thanks for this info. So the first lines of code should be like this:
Report to administrator

Add comment

Security code