Quote from: CompSci on December 19, 2012, 03:44 am

A SQL injection attack wouldn't be necessary if an attacker had root access to the server or database. Keep in mind that if an attacker had full access to the server they could just modify the code so bitcoins are redirected to their account. You wouldn't even notice anything was suspect until it's too late. This is why the attack is so half-assed. They have very little access to modify anything of worth so they are just modifying the pictures and deactivating shipping options.

As to why private listings are working: I'm 99% sure the SQL injection that is being used on SR involves manually injecting it on vendor listings. As a result, the attackers can't access private listings without knowing the URL. Unfortunately, once the URL becomes known the attack can be deployed once again. I'll be interested to see if californicationbuds' URLs posted above get attacked.

My God... could it possibly be... LOGIC?! :o