Security bulletin 2008-25-12
Dear X-Cart customer,
During internal audit activities several moderate security issues have been detected in X-Cart. The issues make the software potentially vulnerable to attackers who wish to gain access to the application back-end. The solution is to apply the update released by Qualiteam.

SEVERITY
Moderate

IMPACT
A malicious user can redeclare used variables, execute his own PHP code and, as a result, gain access to the application back-end, store database and server file system.

AFFECTED VERSIONS
All X-Cart versions from 4.0.0 to 4.1.11

SOLUTION
We strongly recommend that X-Cart users install the security fix available in the HelpDesk 'File Area'. The following security improvements are included in the patch:
- protection from unallowed access to the back-end, store database and server file system using GET or POST queries (formed in a special way) has been added;
- an extra protection level against SQL injections has been added.

Where to download the patch: please check your File Area:
* For X-Cart 4.1.11: check folders X-Cart -> X-Cart 4.1.11 (current version) -> Updates and patches
* For X-Cart 4.0.0 - 4.1.10: check folders X-Cart -> X-Cart supporting files for prev versions -> {Your X-Cart branch} -> {Your X-Cart version} -> Updates and patches

Installation instructions can be found in the README.txt file attached to the .tgz archive.

NOTE: If you are using X-Cart versions 4.1.0 - 4.1.11, please ensure you have installed all the previous security fixes *prior to* applying this new patch.

If you have any questions or concerns, feel free to contact our support team via your Helpdesk.

X-Cart Team & Qualiteam Tech Support department
Re: Security bulletin 2008-25-12
Wow... Well thanks for posting these patches so quickly!
Re: Security bulletin 2008-25-12
Yay, Merry Christmas :P
Re: Security bulletin 2008-25-12
Ene,
Is this patch a revision of patch 2008-18-12? Seems all the same files are being patched on both.
Re: Security bulletin 2008-25-12
Looking at 4.0.19, it patches register.php like previous security patches but not any of the same lines, so it can be applied independently (not sure why you would want to do that). It does mean you can't use the overwrite version if you have applied the prior security patches - use the diffs.
Re: Security bulletin 2008-25-12
No. It is a different patch.
Re: Security bulletin 2008-25-12
I reported this vulnerability on the 21st when I found that someone had somehow installed a couple fake Bank of America login pages on my server. I would strongly suggest that all users check their file system just to be safe.
The pages were loaded to my /payment/ directory on my server. Also, if you don't need it to be on, "allow_url_fopen" in your php.ini should be off, as that will stop them from running the scripts from other servers.
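A defender-side version of the two checks the post above suggests (look for PHP files under the web root that appeared after the last legitimate patch, and confirm allow_url_fopen is Off). This is an added example written for this thread, not code from X-Cart, Qualiteam or the poster; the web root, the php.ini paths and every sample file are constructed for the demo.

```shell
#!/bin/sh
# Added example, not X-Cart/Qualiteam code: two post-incident checks an X-Cart
# admin can run after the phishing-page upload described in this thread.
#  1. list PHP files under the web root that are newer than a reference file
#     (e.g. the prepare.php written by the last legitimate patch);
#  2. read allow_url_fopen from a php.ini and confirm it is Off.
# Web root, php.ini paths and all sample files are constructed for the demo.

# find_recent_php WEBROOT REF -> prints every .php under WEBROOT newer than REF
find_recent_php() {
  webroot="$1"; ref="$2"
  find "$webroot" -type f -name '*.php' -newer "$ref" | sort
}

# php_ini_value INI KEY -> prints KEY's value lower-cased, or "unset";
# commented-out lines (leading ';') are ignored, the last assignment wins
php_ini_value() {
  ini="$1"; key="$2"
  val=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\([^;[:space:]]*\).*/\1/p" "$ini" | tail -n 1)
  if [ -z "$val" ]; then echo unset; else printf '%s\n' "$val" | tr 'A-Z' 'a-z'; fi
}

# allow_url_fopen_is_off INI -> exit 0 only if allow_url_fopen is explicitly Off/0
allow_url_fopen_is_off() {
  case "$(php_ini_value "$1" allow_url_fopen)" in
    off|0) return 0 ;;
    *)     return 1 ;;
  esac
}

# --- constructed demo tree standing in for an X-Cart install ---
DEMO_DIR=$(mktemp -d)
mkdir -p "$DEMO_DIR/htdocs/payment"
printf '<?php // legitimate file, last changed by the 2008-12-18 patch\n' > "$DEMO_DIR/htdocs/prepare.php"
printf '<?php // legitimate payment module file\n' > "$DEMO_DIR/htdocs/payment/payment_form.php"
printf '<?php // unexpected upload: constructed stand-in for a fake login page\n' > "$DEMO_DIR/htdocs/payment/login.php"
# reference and legitimate file share the patch date; the upload is three days later
touch -t 200812180000 "$DEMO_DIR/htdocs/prepare.php" "$DEMO_DIR/htdocs/payment/payment_form.php"
touch -t 200812211200 "$DEMO_DIR/htdocs/payment/login.php"

cat > "$DEMO_DIR/php.ini" <<'EOF'
; constructed fragment with the weak setting
register_globals = Off
allow_url_fopen = On
EOF
cat > "$DEMO_DIR/php-hardened.ini" <<'EOF'
; constructed fragment with the hardened setting
register_globals = Off
allow_url_fopen = Off
allow_url_include = Off
EOF

echo "PHP files newer than the reference prepare.php:"
find_recent_php "$DEMO_DIR/htdocs" "$DEMO_DIR/htdocs/prepare.php"
for ini in "$DEMO_DIR/php.ini" "$DEMO_DIR/php-hardened.ini"; do
  if allow_url_fopen_is_off "$ini"; then
    echo "$ini: allow_url_fopen is Off (good)"
  else
    echo "$ini: allow_url_fopen is $(php_ini_value "$ini" allow_url_fopen) (should be Off)"
  fi
done
```

On a real host, point `find_recent_php` at the document root and at a file the last patch is known to have written; anything it lists under directories that the patch did not touch deserves a look, and `php_ini_value` reads whatever php.ini the web server actually loads, not just the one in `/etc`.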
Re: Security bulletin 2008-25-12
There was only one file to update for version 4.1.10, prepare.php, so it was a pretty simple patch :)
Re: Security bulletin 2008-25-12
Just to clarify to everyone.
There are 2 patches: one from Dec 18th and a NEW one from the 25th. We installed the one from the 18th but not the one from the 25th, and we got hacked.
Re: Security bulletin 2008-25-12
We're seeing a few people who have not applied the secondary patches and are now having issues. The news of the latest exploit seems to have spread pretty quickly.
Re: Security bulletin 2008-25-12
Thanks QT for working on Christmas and for your "Santa had an accident" video! :-)
Question: Since there were no security patches for 4.2, does that mean 4.2 was already protected?
Re: Security bulletin 2008-25-12
Yes.
Re: Security bulletin 2008-25-12
Great! Security is the main reason I upgrade. Thank you and have a wonderful day! Paul
Re: Security bulletin 2008-25-12
Please check this thread also: http://forum.x-cart.com/showthread.php?t=42036
Re: Security bulletin 2008-25-12
Excellent Post!
#1 - Just implemented
#2 - Updated
#3 - Thank you!
#4 - Just implemented
#5 - Already done
Thank you Eugene! Paul
Re: Security bulletin 2008-25-12
Yep - Glad I saw this list as well.
#1 - Just implemented
#2 - Updated as well
#4 - Done
#5 - Not sure I need to do this...? - CC's are not stored in my DB...
Re: Security bulletin 2008-25-12
If you don't store the credit card numbers, you don't need to enable this feature.
Re: Security bulletin 2008-25-12
I figured as much. Thanks!
Re: Security bulletin 2008-25-12
What a mess :(
I now have 4 patches to apply in order to make my store secure. Last week I applied the 3 patches from 7/2, 8/5 and 12/18. I then had to back these patches out as customers were complaining that they were not able to log in. Now we have yet another patch, but I am unable to apply it as I haven't and can't apply the previous patches.

Are Qualiteam going to fix the previous patches so I can get up to date with these security issues? I have no idea what to do now, and I am concerned that our store is insecure and that people are already taking advantage of these security flaws. Steve
Re: Security bulletin 2008-25-12
Steve,
I had not applied any patches until 2008-25-12, and did all four in order, for my 4.1.9 store. I SIMPLY did this manually, doing a compare on a per-file basis - it took 10 minutes to patch everything. This is the "brute force way" but sure to work.
Re: Security bulletin 2008-25-12
I found something kind of strange in our 4.1.11 install. The original prepare.php was different, and the .DIFF wouldn't work. I opened the original prepare.php and the new one included with the security patch from 2008-25-12 and found they were very different, although both had the "# $Id: prepare.php,v 1.62.2.29 2008/08/07 11:25:02 joy Exp $" in the header. Shouldn't at least the date be different? There was a whole section missing on the original, from "define('X_REJECT_OVERRIDE', 1);" through (but not including) "if (!defined("XCART_EXT_ENV")) {", so needless to say I figured out why the patch wouldn't work. I even checked with the original download from x-cart that I have on my computer and it just isn't there either. Very strange.
Re: Security bulletin 2008-25-12
Hi JWait -
You may want to subscribe to this thread - Beetlejuice reported the same thing with prepare.php, and I have seen discrepancies between files within cart versions that should all have the same files. QT reports that if we updated correctly, we would have the same file versions in our distributions - they do not update files within a distribution release - so we all could have made the same mistake at some point on an upgrade with prepare.php. Beetlejuice submitted a help ticket and was going to report back in the above referenced thread.
Re: Security bulletin 2008-25-12
What Beetlejuice is reporting is similar to what I found, except that our 4.1.11 site is not upgraded, yet the prepare.php on the site, and in the original download from x-cart, is vastly different from the prepare.php included in the 2008-25-12 security patch. The strangest part is that the versions of the file are identical:
$Id: prepare.php,v 1.62.2.29 2008/08/07 11:25:02 joy Exp $
Re: Security bulletin 2008-25-12
Can someone tell me where the "File Area" in the HelpDesk is located?
Re: Security bulletin 2008-25-12
Hi JWait -
Yes - I do have discrepancies with file versions on a cart that was upgraded from 4.1.10 to 4.1.11 - not what you are reporting. But I also have a 4.1.11 cart that is not upgraded, and I have been able to successfully add the 2008-12-18 and 2008-12-25 security patches. I can confirm that I do also see that the revision comment in the changed files is not updated. The files are changed, but the revision information remained the same. prepare.php remains 1.62.2.29 - it changed in both the 2008-12-18 and 2008-12-25 patches. I update manually, but the diff files look okay.
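An added example (not from the thread, X-Cart or Qualiteam) that makes the point of the last few posts concrete: because the `$Id:` revision comment was not updated when prepare.php changed, comparing revision strings reports two copies as the same version while comparing content shows they differ, so a patched install should be verified by content (cmp or a hash), never by the header. The directory layout and both file bodies are constructed; the `$Id:` line is the one quoted in this thread.

```shell
#!/bin/sh
# Added example, not X-Cart/Qualiteam code: verify patched files by content,
# not by the CVS "$Id:" revision comment, which this thread shows stayed at
# 1.62.2.29 although prepare.php changed in two patches.
# All paths and file bodies below are constructed for the demo.

# id_header FILE -> prints the first "$Id: ... $" comment in FILE (or nothing)
id_header() {
  sed -n 's/.*\(\$Id: [^$]*\$\).*/\1/p' "$1" | head -n 1
}

# same_content A B -> exit 0 if the two files are byte-for-byte identical
same_content() {
  cmp -s "$1" "$2"
}

# sha256 FILE -> content hash, the value worth recording after a patch run
sha256() {
  sha256sum "$1" | cut -d' ' -f1
}

# compare_installed INSTALLED PATCHED -> one-line verdict; returns 0 only when
# the revision strings agree AND the content agrees
compare_installed() {
  inst="$1"; patched="$2"
  if [ "$(id_header "$inst")" = "$(id_header "$patched")" ]; then
    rev=same
  else
    rev=different
  fi
  if same_content "$inst" "$patched"; then
    echo "revision $rev, content identical"
    [ "$rev" = same ]
  else
    echo "revision $rev, content DIFFERS (patch not applied, or file altered)"
    return 1
  fi
}

# --- constructed demo: installed copy vs. copy shipped in the patch ---
DEMO2=$(mktemp -d)
mkdir -p "$DEMO2/installed" "$DEMO2/patch"
printf '<?php\n# $Id: prepare.php,v 1.62.2.29 2008/08/07 11:25:02 joy Exp $\n# (constructed stand-in for the pre-patch file body)\n' > "$DEMO2/installed/prepare.php"
printf '<?php\n# $Id: prepare.php,v 1.62.2.29 2008/08/07 11:25:02 joy Exp $\n# (constructed stand-in for the patched file body)\ndefine("X_REJECT_OVERRIDE", 1);\n' > "$DEMO2/patch/prepare.php"

echo "installed: $(id_header "$DEMO2/installed/prepare.php")"
echo "patch:     $(id_header "$DEMO2/patch/prepare.php")"
compare_installed "$DEMO2/installed/prepare.php" "$DEMO2/patch/prepare.php" || true
echo "installed sha256: $(sha256 "$DEMO2/installed/prepare.php")"
echo "patch     sha256: $(sha256 "$DEMO2/patch/prepare.php")"
```

Run against a real store, `compare_installed` takes the installed file and the copy from the patch's overwrite archive; the "revision same, content DIFFERS" verdict is exactly the situation the posts above describe, and recording `sha256` for each patched file gives a baseline the next incident check can be diffed against.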
Re: Security bulletin 2008-25-12
Hi Belevation -
When you log into your support helpdesk, the file area is the third item in the left vertical menu.