Thanks to Hayden's post in the forum at http://forums.oscommerce.com/index.php?showtopic=230089, there is a security risk to using this mod. Anyone could effectively issue a script command and control your server or site?...
Avoid this until a patch is issued.
Vulnerability found.
I have modded my Testimonials contrib to only use the customer's name and message; no other details are taken, so I'm not sure what other fields are vulnerable.
I've found that the following code, entered as the customer's name, shows a message box within the admin page. If entered as the testimonial body, it causes the 'delete', 'edit' and 'add new' buttons not to be shown on the admin page, effectively causing a DoS. I had to log into phpMyAdmin to remove it from the customer_testamonials table.
alert(123);
Also, this line entered as the testimonial body causes the same DoS effect, but luckily does not seem to include the specified file:
Therefore I propose that all fields entered by the customer are screened for such exploit attempts.
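The fix the post asks for, as an added example rather than code from the Testimonials contribution itself: customer-supplied fields are HTML-encoded when the admin page renders them, so a stored script tag is displayed as text instead of being executed or breaking the admin markup. The column names `customers_name` and `testimonial` and the sample rows are assumptions; only the table name comes from the post.

```php
<?php
// Added example (not from the osCommerce Testimonials contribution).
// Constructed sample rows standing in for SELECT results from
// customer_testamonials; the second row carries a script tag like the
// one reported in the post. Column names are assumed.
$rows = array(
    array('customers_name' => 'Alice',
          'testimonial'    => 'Great shop, fast delivery.'),
    array('customers_name' => '<script>alert(123);</script>',
          'testimonial'    => 'x'),
);

// Encode a value for safe placement in HTML element content or a
// double-quoted attribute. ENT_QUOTES also encodes single quotes;
// UTF-8 is assumed as the page charset.
function escape_html($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Vulnerable pattern: the stored value is echoed verbatim, so the browser
// parses the injected tag and the rest of the admin page can be broken.
function render_row_unsafe($row)
{
    return '<tr><td>' . $row['customers_name'] . '</td><td>'
        . $row['testimonial'] . '</td></tr>';
}

// Hardened pattern: every customer-supplied field is encoded at output
// time, regardless of what screening happened when it was submitted.
// Input filtering can be added too, but output encoding is what stops
// the stored payload from reaching the browser as markup.
function render_row_safe($row)
{
    return '<tr><td>' . escape_html($row['customers_name']) . '</td><td>'
        . escape_html($row['testimonial']) . '</td></tr>';
}

echo "<table>\n";
foreach ($rows as $row) {
    echo render_row_safe($row), "\n";
}
echo "</table>\n";
```

The same encoding applies to the public testimonials page, since the payload is stored once and rendered in both places.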