Re: Security bulletin 2009-12-02
Quote:
Got one of them now. :) Carrie
Re: Security bulletin 2009-12-02
Since there are many files other than the cc_ ps_ format, it would be really great to get a breakdown of the files in the payment folder and their usage. File permissions could then just be set to 000 until upgrading and then set back.
Re: Security bulletin 2009-12-02 * Log Details *
1 Attachment(s)
Attached is the log of an attack in progress. I received notification of change in status of orders.
[10-Feb-2009 06:58:47] (shop: 10-Feb-2009 06:58:47) ORDERS message:
Login:
IP: 141.164.71.238
Operation: change status of orders (0) to 'F'
----
Request URI: /shop/payment/cc_basia.php
Backtrace:
/public_html/shop/include/func/func.order.php:1015
/public_html/shop/payment/cc_basia.php:176
-------------------------------------------------
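An added example, not part of the original post or of X-Cart's own code: a triage script that pulls entries like the one above out of an orders log and lists order status changes that came in through a payment script with no logged-in user. The two criteria (empty Login, Request URI under /payment/) are assumptions taken from the single entry posted here, so a hit is something to review by hand, and the sample log and its IP addresses are constructed.

```python
import re

# Constructed sample in the layout of the log entry posted above; the IPs
# (RFC 5737 documentation ranges), logins and second entry are made up.
SAMPLE_LOG = (
    "[10-Feb-2009 06:58:47] (shop: 10-Feb-2009 06:58:47) ORDERS message: "
    "Login: IP: 192.0.2.10 Operation: change status of orders (0) to 'F' ---- "
    "Request URI: /shop/payment/cc_basia.php Backtrace: "
    "/public_html/shop/include/func/func.order.php:1015 "
    "/public_html/shop/payment/cc_basia.php:176 ----------\n"
    "[10-Feb-2009 09:12:03] (shop: 10-Feb-2009 09:12:03) ORDERS message: "
    "Login: master IP: 198.51.100.7 Operation: change status of orders (1042) to 'P' ---- "
    "Request URI: /shop/admin/order.php Backtrace: "
    "/public_html/shop/include/func/func.order.php:1015 ----------\n"
)

ENTRY_START = re.compile(r"(?m)^\[(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\]")
FIELDS = re.compile(
    r"Login:\s*(?P<login>.*?)\s*IP:\s*(?P<ip>\S+)\s*"
    r"Operation:\s*(?P<op>.*?)\s*-{4,}\s*Request URI:\s*(?P<uri>\S+)",
    re.S,
)

def parse_entries(text):
    """Split the log on timestamp headers and extract the fields of each entry."""
    starts = list(ENTRY_START.finditer(text))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        f = FIELDS.search(text, m.end(), end)
        if f:
            yield {"time": m.group(1), **f.groupdict()}

def suspicious(entry):
    """Flag order status changes made through a payment script with no login."""
    return (
        "change status of orders" in entry["op"]
        and "/payment/" in entry["uri"]
        and entry["login"] == ""
    )

def find_suspicious(text):
    return [e for e in parse_entries(text) if suspicious(e)]

if __name__ == "__main__":
    for e in find_suspicious(SAMPLE_LOG):
        print(e["time"], e["ip"], e["uri"], e["op"])
```

The field pattern tolerates both the one-line and the one-field-per-line layout of an entry, since it only relies on the field labels and the dashed separator.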
Re: Security bulletin 2009-12-02
I looked for this file and could not find it: <xcart_dir>/payment/cc_basia.php
Why is that? My version is 4.1.10
Re: Security bulletin 2009-12-02
Quote:
Dear Ene, FYI - I did not receive the newsletter until the 19th... Is there a way to speed up the process? Thank you!
Re: Security bulletin 2009-12-02
Quote:
Lucky you, I didn't get mine until this morning, 21st February
Re: Security bulletin 2009-12-02
OUCH!! That's way too long to be sitting with an exposed site! Definitely need to see about a program to send out emails faster. There's email regulation where you only send "X" mail per hour, but taking days to deliver is not good - weeks is even worse!
Re: Security bulletin 2009-12-02
I just received my notice today... fortunately, I read the forums.
Qualiteam should really consider using a 3rd party for security bulletin emails. The big-boy 3rd parties can send tens of thousands of emails per hour. WITH open/bounce/unsubscribe tracking. AND Google Analytics integration. For very low $.
Re: Security bulletin 2009-12-02
Or better yet, how about a live update system IN X-Cart? WordPress does it when there is a new release, and that is FREE software. Have an area for important messages on the home page of the admin, with links directly to the update kits/patches/etc. Simple and effective, and no one can claim they didn't see it or get the e-mail in their spam box.
Re: Security bulletin 2009-12-02
Quote:
vBulletin does the same thing. A "call home" tag that checks your version and if it's not the latest patch, vB will make it very clear that you have to patch... I would imagine this is related to the vB call-home copy protection -- very well done/seamless to the admin. I would support xcart if they implemented such a feature.