Re: Security bulletin 2008-12-18
666 - is that okay?
Re: Security bulletin 2008-12-18
That's writable, which is probably the issue. Should have been 644. All php/tpl files should be 644 on a live site:
http://forum.x-cart.com/showthread.php?t=9163
Re: Security bulletin 2008-12-18
And who is xxx?
Re: Security bulletin 2008-12-18
REMOVED by request of person mentioned in thread
Re: Security bulletin 2008-12-18
So I need to go through and chmod all the xcart php files to be 644....
Re: Security bulletin 2008-12-18
Follow that link I posted - lots of things to do to make sure you are secure.
Re: Security bulletin 2008-12-18
Thanks, will do. We (the system admin) created an htaccess that should be a big help to detracting hackers using remote scripts.
Re: Security bulletin 2008-12-18
I think the process that QT uses for management of their files for release might explain why there are many problems with what might otherwise be easy security patches. You have to be careful applying these patches if you are in this situation:
Say that you were running 4.1.10, then did an upgrade to 4.1.11 around the time of its release - for example, early September. You would have downloaded an upgrade pack for 4.1.10-4.1.11 from your help desk. Unfortunately, QT continues to change what it calls 4.1.11. So, over the last few weeks there may have been updates to many files. If you download an upgrade pack for 4.1.10-4.1.11 today, it is not the same as what you downloaded in early September. When you download a security patch for 4.1.11, it is for the latest version of 4.1.11 - perhaps not the 4.1.11 version that you installed in September. The current security patch looks like it would be okay for the fresh X-Cart 4.1.11 I installed earlier this month. But the diff files have some discrepancies with a 4.1.11 cart I have that is an upgrade from a 4.1.10 cart, so I am wary of applying it without going through all the other differences - which is not an easy or quick task.
Re: Security bulletin 2008-12-18
The cause of the remote file inclusion attack on KathyHS's site was that the webhost had register_globals enabled in the PHP configuration.
I also advise all users running X-Cart to enable suexec if running the Apache webserver. Rubyaryat
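Added example (not code from this thread or from X-Cart): a small POSIX shell audit that covers the two checks discussed above, finding php/tpl files that are not mode 644 (such as the 666 file asked about earlier) and flagging a php.ini that has register_globals turned on. The web-tree path, file names and php.ini location are constructed placeholders; only find, grep and chmod are assumed.

```shell
#!/bin/sh
# Added example, not from the thread or from X-Cart. Audits a web tree for
# php/tpl files whose mode is not 644 and checks a php.ini for register_globals.
# Assumes POSIX sh with find, grep, chmod and mktemp.

# Print each .php/.tpl file under $1 whose mode is not exactly 0644.
find_bad_perms() {
    find "$1" -type f \( -name '*.php' -o -name '*.tpl' \) ! -perm 644
}

# Reset those files to 0644 and print how many were changed.
fix_perms() {
    count=$(find_bad_perms "$1" | wc -l | tr -d ' ')
    find "$1" -type f \( -name '*.php' -o -name '*.tpl' \) ! -perm 644 \
        -exec chmod 644 {} +
    echo "$count"
}

# Exit status 0 if the php.ini at $1 enables register_globals, 1 otherwise.
# Lines commented out with a leading ';' do not count.
register_globals_on() {
    grep -Eiq '^[[:space:]]*register_globals[[:space:]]*=[[:space:]]*(on|1|true|yes)' "$1"
}

# Constructed sample tree (placeholder names) so the script runs stand-alone.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/skin1"
echo '<?php' > "$demo_dir/config.php";     chmod 666 "$demo_dir/config.php"
echo 'tpl'   > "$demo_dir/skin1/home.tpl"; chmod 644 "$demo_dir/skin1/home.tpl"
echo 'tpl'   > "$demo_dir/skin1/menu.tpl"; chmod 664 "$demo_dir/skin1/menu.tpl"
printf '; register_globals = On\nregister_globals = On\n' > "$demo_dir/php.ini"

echo "Files not 644:"; find_bad_perms "$demo_dir"
echo "Fixed: $(fix_perms "$demo_dir") file(s)"
if register_globals_on "$demo_dir/php.ini"; then
    echo "WARNING: register_globals is enabled in $demo_dir/php.ini"
fi
rm -rf "$demo_dir"
```

Run the audit against the real document root with find_bad_perms first and only call fix_perms once the list looks right; directories and other file types are deliberately left alone.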
Re: Security bulletin 2008-12-18
Please note that since the update no users can register any more, which is what happened with the last update too...