Numerous contact & email forms disabled on all servers


12Wonder
November 25th, 2005, 01:26 AM
Spammers are at it again. They have found security vulnerabilities in the contact form in OS Commerce and on at least one server have used it to hijack several contact forms in various accounts and send spam from them. We had no choice but to take immediate action and disable the contact forms in OSC on all accounts on all servers. You should now get a Page Not Found when going to your OS Commerce contact form page.

Additionally, as we looked further into the servers, we also had to disable several other contact forms on all servers, even some not associated with OSC. This may or may not affect you yet, depending on the script you are using.

What you need to do is either replace your contact form script completely with something that is safe and securely written, or just change your links to your contact form to point instead to a simple email link.

Sorry for any inconvenience, but the consequences of the spam from the hijacked forms on our server have already been pretty severe. We cannot afford to let this continue.

Anne
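
The post says only that the contact forms were "hijacked" to send spam and that the fix is a "safe and securely written" script; it does not name the flaw. The following is an added example, not code from the host, from OS Commerce or from any script named in the thread. It assumes the classic 2005-era mechanism: a form field (usually the visitor's e-mail address) is concatenated straight into the headers handed to PHP's mail(), so a submission containing CR/LF plus extra "Bcc:" lines turns the form into an open relay. The recipient, sender addresses and field names below are made up for the demonstration.

```php
<?php
// Added example: a contact-form handler hardened against e-mail header
// injection. Assumption (the thread does not say): the hijacked scripts put
// submitted fields directly into mail()'s $additional_headers.
//
// The vulnerable pattern, for contrast (illustrative, do not use):
//   $headers = "From: " . $_POST['email'] . "\r\n";
//   mail('sales@example.com', $_POST['subject'], $_POST['message'], $headers);
// A submitted email of "a@b.tld\r\nBcc: v1@x.tld, v2@x.tld" adds a Bcc header.

/**
 * A value is safe to place in a mail header only if it is a single line:
 * no carriage return, line feed or NUL byte anywhere in it.
 */
function header_value_is_clean(string $value): bool
{
    return preg_match('/[\r\n\x00]/', $value) !== 1;
}

/**
 * Builds what a contact form should hand to mail():
 *  - recipient is hard-coded, never taken from the form;
 *  - From: is our own domain, the visitor only appears in Reply-To;
 *  - every value that lands in a header is checked to be single-line;
 *  - the address must parse as an e-mail address.
 * Returns null when the submission looks like an injection attempt.
 */
function build_contact_mail(array $fields, string $recipient, string $from): ?array
{
    $email   = trim($fields['email']   ?? '');
    $name    = trim($fields['name']    ?? '');
    $subject = trim($fields['subject'] ?? '');
    $body    = (string)($fields['message'] ?? '');

    foreach ([$email, $name, $subject] as $headerValue) {
        if (!header_value_is_clean($headerValue)) {
            return null;
        }
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    $headers = [
        'From: ' . $from,        // never the visitor's address
        'Reply-To: ' . $email,
        'X-Mailer: contact-form-example',
    ];
    return [
        'to'      => $recipient,  // fixed at deploy time, not a form field
        'subject' => '[Contact] ' . $subject,
        'body'    => "From: $name <$email>\n\n" . $body,
        'headers' => implode("\r\n", $headers),
    ];
}

// Constructed submissions: one legitimate, one spam-injection attempt.
$submissions = [
    'legitimate' => ['name' => 'Jane', 'email' => 'jane@example.org',
                     'subject' => 'Order question', 'message' => 'Where is my order?'],
    'injection'  => ['name' => 'x',
                     'email' => "jane@example.org\r\nBcc: victim1@example.net, victim2@example.net",
                     'subject' => 'hi', 'message' => 'buy now'],
];

foreach ($submissions as $label => $fields) {
    $mail = build_contact_mail($fields, 'sales@example.com', 'webform@example.com');
    if ($mail === null) {
        echo "$label: rejected (header injection attempt)\n";
        continue;
    }
    echo "$label: would send to {$mail['to']} with headers:\n{$mail['headers']}\n\n";
    // Real handler would now call:
    // mail($mail['to'], $mail['subject'], $mail['body'], $mail['headers']);
}
```

Run it with the php CLI; the legitimate submission is accepted and the injected one is refused before anything reaches mail(). The same rules apply to "signup" and other forms the second post mentions: any user-supplied value that ends up in a header must be single-line, and the destination address must never come from the request.
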

12Wonder
November 29th, 2005, 06:42 PM
Update: Hijackers are still at it, on ALL of our servers and according to reports from other web hosting companies, this is extremely widespread right now affecting thousands of servers, not just ours.

Over two dozen variously-named, variously-written insecure scripts on our servers have been hijacked to send spam to thousands of people. Repercussions from this include temporary banning of sending email from a couple of our servers to AOL customers. We have taken appropriate measures to get those servers unbanned from AOL.

Monte is currently testing some contact/email scripts and when he finds one that is secure to our satisfaction, we will be requiring ALL users to use only that script for PHP contact and email forms.

Meanwhile, we have disabled many email and contact forms on all servers and will continue to do so as we find them. This includes some that were not specifically "contact" forms, but also "signup" forms etc. which were also hijacked.

For those of you willing to switch to CGI rather than PHP, the form mail clone available on the servers has not been affected by this. So you may want to use that instead.

Anne