Topic: Security Issue Solution v7.5
The v7.5 is now updated (10.11.2008). The zip file that is fixed has the file "includes_patch1.txt" inside the zip. Only admin/login.php is updated/changed, just replace it with your old admin/login.php.
The hack is working because a typo in the code. All input is normally validated, but since the variable is typed with one large letter wrong, the validation routine is bypassed.
Quick fix for the most urgent one is this:
In admin/login.php, line 41:
NOTE: There is also a bug in links.php, the new .zip will contain this fix.
Change line 24, from this:
$order = getParam("order",""); // Guest chooseable sort order
$order = cleanInput(getParam("order","")); // Guest chooseable sort order
If you have been backed..
Check your classifieds directory. If you have the "admin" username unchanged, "hackers" are able to login to admin area. There, they will most likely change one template or language file. Check for changed template files in template editor, an * will mark a changed template.
The reason why many sites gets hacked now is due to a description to do this is posted to bugtraq lists.
I would also suggest to password protect your admin area using .htaccess (control panel protection that cPanel, Plesk, Webmin etc. can do for you).