Potential Hack

Overview Features Hosting, Design, Development Support Download

Aug 1 2019

Potential Hack

FTP into your site and take a look at shopping/checkout/act_save_order.cfm. Scroll down until you see the query that INSERTS into Order_no. The line number will depend on your version.

INSERT INTO #Request.DB_Prefix#Order_No

Now look for:

<cfqueryparam cfsqltype="cf_sql_varchar" value="#attributes.cvv2##attributes.cardnumber#">,

This line should be:

<cfqueryparam cfsqltype="cf_sql_varchar" value="#PO_Number#" null="#YesNoFormat(NOT len(PO_Number))#”>,

We've seen a hack that changed that line. They injected a PHP script so check your site and server. There's no error for online, CC orders just offline because the payment form doesn't submit a CVV number.

top | previous page

Tag Cloud

Error J2EE Paypal Express SQL Coldfusion Admin MySQL Paypal USPS authorize.net email google paypal responsive upgrade v6.50 v6x

Nucom Web Hosting, LLC is now the primary developer and support provider for CFWebstore. Nucom has been designing and building websites with CFWebstore for years and offers hosting, design, and custom development services. Learn More »