First thing: SSL in admin will do nothing for the case you mentioned if you have not moved the admin folder. Please read the security guidelines in http://YOUR_WEBISTE_ADDRESS/docs/imp...endations.html
All of super orders is full of security holes because there is no filtering of $_GET or $_POST. At some point ZC introduced basic filtering on $_GET in the file admin/includes/init_includes/init_general_funcs.php and this has stopped super_orders from working in the one area that you mentioned. If you wish to edit that file as mentioned above, then the bug will disappear, but you will have a larger hole.
The hole is an XSS or SQL injection one, but would only be usable if someone knew the location of your admin folder and possibly if they could log on (although they may be able to steal a session by sniffing the cookie or session variable if you are not using SSL for admin). If they stole your session variable then they could do anything with your database that they liked, but if they stole your session, they could easily apply a SQL patch and do the same thing.
The risk is low, but if you wish to edit the file I mentioned then the whole rest of your admin area will also be open to possible SQL injection or XSS attacks, because if you are opening it in that function to fix that bug then you will expose the whole of administration.