Security bulletin 2009-12-02
Dear X-Cart customers,
During an internal security audit a critical security issue has been detected in X-Cart. The issue makes the software vulnerable to attackers who wish to gain access to the server file system. The solution is to remove the affected file.

SEVERITY
Critical

IMPACT
A malicious user can execute his own shell commands and, as a result, gain access to the server file system.

AFFECTED VERSIONS
X-Cart versions from 4.1.0 to 4.1.11. All X-Cart customers who are using these versions are encouraged to apply the fix described below.

SOLUTION
Delete the '<xcart_dir>/payment/cc_basia.php' file. This file refers to an outdated integration of the 'Bank of Asia' payment gateway, so its deletion will not cause any problems and will not affect your stores. The '<xcart_dir>' text means the server directory in which your X-Cart is installed. You can delete this file using FTP, SSH or the hosting control panel file manager.

NOTE: If you use a custom integration of the 'Bank of Asia' payment gateway or the '<xcart_dir>/payment/cc_basia.php' script, you should contact our support team for free help.

If you have any questions or concerns, please feel free to turn to the X-Cart support team via your Helpdesk.
Re: Security bulletin 2009-12-02
Hi Everyone,
I closed News & Announcements from public access for reading. This information is accessible to X-Cart license owners only.
Re: Security bulletin 2009-12-02
It appears the same cc_basia.php file exists in 4.2 also. Is it affected as well?
Re: Security bulletin 2009-12-02
v4.2.0 doesn't have this file. Please check the distribution package.
Re: Security bulletin 2009-12-02
My bad. I must have included it with the upgrade from 4.1.11. I deleted it anyway.
Re: Security bulletin 2009-12-02
Eugene,
Would it be wise to delete all cc_payment-gateway.php files that are not in use? There is no reason to have them if not used, AND it is RARE for a store to change payment gateways -- and if so, then a restore of the appropriate gateway is quite simple. What do you think?
Re: Security bulletin 2009-12-02
I think it is a good idea. But it is important to mention the following things:
* Please delete only the unnecessary 'cc_*.php', 'ch_*.php' and 'ps_*.php' files. If you delete some other files, for example 'payment_cc.php', your payment gateway will not work.
* It is necessary to restore these files, or alter the upgrade pack, if you decide to upgrade.
Re: Security bulletin 2009-12-02
We didn't get any email notice of this security problem. Did an email not go out? We always get the security notices. Usually we receive the same security email a couple of times actually. I'm glad I noticed this thread so we can update all of our hosted customer's accounts.
Thanks, Carrie
Re: Security bulletin 2009-12-02
The newsletter sending has been started. Since the script sends a fixed number of emails per hour, it will take some time to send all the emails as we have many clients.
Re: Security bulletin 2009-12-02
Two words: Mail Chimp
Re: Security bulletin 2009-12-02
Got one of them now. :)
Carrie
Re: Security bulletin 2009-12-02
Since there are many files other than those in the cc_/ps_ format, it would be really great to get a breakdown of the files in the payment folder and their usage. File permissions could then just be set to 000 until upgrading and then set back.
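The two suggestions above (remove the gateway modules a store does not use, but only the cc_*/ch_*/ps_* ones, or set their permissions to 000 until the next upgrade and then set them back) can be scripted so that shared scripts such as payment_cc.php are never touched and the original modes are written to a manifest for restoring before an upgrade pack is applied. The following is an added example written for this page, not code from X-Cart or from any poster. The file names other than cc_basia.php and payment_cc.php are constructed, the directory is a temporary one the demo builds itself, and the set of modules actually in use has to be supplied by the store operator. Two caveats: chmod 000 only keeps the web server out if PHP does not run as root, and the bulletin's remedy for cc_basia.php itself is deletion, not a permission change.

```python
"""
Added example: take unused X-Cart payment gateway modules out of service by
clearing their permission bits (chmod 000), keeping a manifest of the original
modes so they can be put back before an upgrade pack is applied.
"""
import json
import re
import stat
import tempfile
from pathlib import Path

# Per-gateway modules follow the cc_*/ch_*/ps_* naming noted in the thread.
# Shared scripts such as payment_cc.php do not match and are never touched.
GATEWAY_MODULE = re.compile(r"^(cc|ch|ps)_[A-Za-z0-9_]+\.php$")


def gateway_modules(payment_dir: Path) -> list[Path]:
    """All per-gateway module files present in <xcart_dir>/payment."""
    return sorted(p for p in payment_dir.iterdir()
                  if p.is_file() and GATEWAY_MODULE.match(p.name))


def unused_modules(payment_dir: Path, in_use: set[str]) -> list[Path]:
    """Gateway modules that are not in the operator-supplied in-use list."""
    return [p for p in gateway_modules(payment_dir) if p.name not in in_use]


def disable(payment_dir: Path, in_use: set[str], manifest_path: Path) -> dict[str, int]:
    """chmod 000 every unused module; record the original modes in a JSON manifest."""
    manifest: dict[str, int] = {}
    for p in unused_modules(payment_dir, in_use):
        manifest[p.name] = stat.S_IMODE(p.stat().st_mode)
        p.chmod(0)
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def restore(payment_dir: Path, manifest_path: Path) -> list[str]:
    """Put the recorded modes back (before an upgrade, or to re-enable a gateway)."""
    manifest = json.loads(manifest_path.read_text())
    for name, mode in manifest.items():
        (payment_dir / name).chmod(mode)
    return sorted(manifest)


def demo() -> dict:
    """Run disable/restore against a constructed payment/ directory (not a real install)."""
    names = ["cc_basia.php", "cc_example_one.php", "ps_example_two.php",
             "ch_example_three.php", "payment_cc.php"]  # constructed listing
    with tempfile.TemporaryDirectory() as tmp:
        payment_dir = Path(tmp, "payment")
        payment_dir.mkdir()
        for name in names:
            f = payment_dir / name
            f.write_text("<?php\n")
            f.chmod(0o644)
        manifest_path = Path(tmp, "payment_disabled.json")
        # Assumption for the demo: the store only uses cc_example_one.php.
        disabled = disable(payment_dir, {"cc_example_one.php"}, manifest_path)
        after = {n: stat.S_IMODE((payment_dir / n).stat().st_mode) for n in names}
        restored = restore(payment_dir, manifest_path)
        back = {n: stat.S_IMODE((payment_dir / n).stat().st_mode) for n in names}
    return {"disabled": sorted(disabled), "after": after,
            "restored": restored, "back": back}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against a real store by pointing `disable()` at `<xcart_dir>/payment` with the module names your gateway configuration actually uses, and keep the manifest outside the web root; `restore()` is the step to run before applying an upgrade pack, as the reply above recommends.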
Re: Security bulletin 2009-12-02 * Log Details *
Attached is the log of an attack in progress. I received notification of change in status of orders.
[10-Feb-2009 06:58:47] (shop: 10-Feb-2009 06:58:47) ORDERS message:
Login:
IP: 141.164.71.238
Operation: change status of orders (0) to 'F'
----
Request URI: /shop/payment/cc_basia.php
Backtrace:
/public_html/shop/include/func/func.order.php:1015
/public_html/shop/payment/cc_basia.php:176
-------------------------------------------------
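A small detection pass over log entries of the kind shown in that post, added here as an example (it is not X-Cart code or the poster's): it parses ORDERS entries whether they arrive one field per line or flattened onto a single line, and flags an order-status change that has no Login recorded, as well as any request whose URI or backtrace passes through a payment script the store has retired. The first sample entry reproduces the one from the post; the second entry, including the path /shop/admin/order.php and the admin login in it, is constructed so the rules have a benign case to pass.

```python
"""
Added example: flag suspicious X-Cart ORDERS log entries, such as the one posted
above, where an order status was changed through a retired payment script and
without any logged-in user.
"""
import re
from dataclasses import dataclass

# Payment scripts that should no longer be reachable. cc_basia.php is the file the
# bulletin tells you to delete; add any other gateway modules you have retired.
RETIRED_SCRIPTS = {"cc_basia.php"}

# One X-Cart log entry. Field separators are \s* so the same pattern matches the
# entry whether it is one field per line or flattened onto a single line.
ENTRY_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\]\s*\(shop:[^)]*\)\s*(?P<kind>\w+)\s+message:\s*"
    r"Login:\s*(?P<login>\S*)\s*IP:\s*(?P<ip>\S+)\s*"
    r"Operation:\s*(?P<op>.*?)\s*-{4,}\s*"
    r"Request URI:\s*(?P<uri>\S+)\s*"
    r"Backtrace:\s*(?P<bt>(?:\S+:\d+\s*)*)"
)


@dataclass
class Finding:
    ts: str
    ip: str
    reasons: list


def basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def parse_entries(text: str) -> list[dict]:
    """Return one dict per log entry, with the backtrace split into frames."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        e = m.groupdict()
        e["frames"] = e.pop("bt").split()  # "path:line" strings
        entries.append(e)
    return entries


def analyse(text: str) -> list[Finding]:
    findings = []
    for e in parse_entries(text):
        reasons = []
        # Changing order status is an admin action; an empty Login means the
        # request was not made by an authenticated user.
        if (e["kind"] == "ORDERS"
                and e["op"].startswith("change status of orders")
                and not e["login"]):
            reasons.append("order status changed with no logged-in user")
        # Any request that executes a retired payment script is an alert on its own.
        scripts = {basename(e["uri"])}
        scripts |= {basename(f.rsplit(":", 1)[0]) for f in e["frames"]}
        hit = scripts & RETIRED_SCRIPTS
        if hit:
            reasons.append("request reached retired script(s): " + ", ".join(sorted(hit)))
        if reasons:
            findings.append(Finding(e["ts"], e["ip"], reasons))
    return findings


# First entry: the one from the post. Second entry: constructed benign case
# (admin login, admin script) so the rules have something to pass.
SAMPLE_LOG = """\
[10-Feb-2009 06:58:47] (shop: 10-Feb-2009 06:58:47) ORDERS message:
Login:
IP: 141.164.71.238
Operation: change status of orders (0) to 'F'
----
Request URI: /shop/payment/cc_basia.php
Backtrace:
/public_html/shop/include/func/func.order.php:1015
/public_html/shop/payment/cc_basia.php:176
-------------------------------------------------
[10-Feb-2009 09:12:03] (shop: 10-Feb-2009 09:12:03) ORDERS message:
Login: admin
IP: 192.0.2.10
Operation: change status of orders (1042) to 'C'
----
Request URI: /shop/admin/order.php
Backtrace:
/public_html/shop/include/func/func.order.php:1015
/public_html/shop/admin/order.php:210
-------------------------------------------------
"""

# The same attack entry as it appears flattened onto one line in the post.
FLATTENED_LOG = (
    "[10-Feb-2009 06:58:47] (shop: 10-Feb-2009 06:58:47) ORDERS message: Login: "
    "IP: 141.164.71.238 Operation: change status of orders (0) to 'F' ---- "
    "Request URI: /shop/payment/cc_basia.php Backtrace: "
    "/public_html/shop/include/func/func.order.php:1015 "
    "/public_html/shop/payment/cc_basia.php:176 "
    "-------------------------------------------------"
)

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.ts} {f.ip}: " + "; ".join(f.reasons))
```

Feeding the real X-Cart log file to `analyse()` after deleting cc_basia.php gives a quick check that nothing is still reaching the removed script; a hit on the retired-script rule after the deletion would mean the file was reinstated, for example by an upgrade pack, as an earlier poster found.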
Re: Security bulletin 2009-12-02
I looked for this file but could not find it: <xcart_dir>/payment/cc_basia.php
Why is that? My version is 4.1.10.
Re: Security bulletin 2009-12-02
Dear Ene, FYI - I did not receive the newsletter until the 19th... Is there a way to speed up the process? Thank you!
Re: Security bulletin 2009-12-02
Lucky you, I didn't get mine until this morning, 21st February.
Re: Security bulletin 2009-12-02
OUCH!! That's way too long to be sitting with an exposed site! Definitely need to see about a program to send out emails faster. There's email regulation where you only send "X" mail per hour, but taking days to deliver is not good - weeks is even worse!
Re: Security bulletin 2009-12-02
I just received my notice today... fortunately, I read the forums.
Qualiteam should really consider using a 3rd party for security bulletin emails. The big-boy 3rd parties can send tens of thousands of emails per hour, WITH open/bounce/unsubscribe tracking AND Google Analytics integration, for very low $.
Re: Security bulletin 2009-12-02
Or better yet, how about a live update system IN X-Cart? Wordpress does it when there is a new release, and that is FREE software. Have an area for important messages on the home page of the admin, with links directly to the update kits/patches/etc. Simple and effective, and no one can claim they didn't see it or get the e-mail in their spam box.
Re: Security bulletin 2009-12-02
vBulletin does the same thing. A "call home" tag that checks your version and, if it's not the latest patch, vB will make it very clear that you have to patch... I would imagine this is related to the vB call-home copy protection -- very well done/seamless to the admin. I would support X-Cart if they implemented such a feature.
Re: Security bulletin 2009-12-02
For the admin interface I wouldn't be opposed to a call home at all. It should allow a call to multiple servers so that we don't run into the issue that Comodo ran into months ago when their MAIN server went offline and everyone had issues with the TrustLogo deal.
As for mailing servers - we have a client here that sends just over 15,000 emails per hour, so a standard server SHOULD be able to send out a few thousand emails an hour without much issue. And since these are already verified, opt-in emails, setting it to send tens of thousands in an hour shouldn't be an issue at all.
Re: Security bulletin 2009-12-02
Or just set up an RSS feed for security notices!
Re: Security bulletin 2009-12-02
RSS -- now THERE'S an easy option!! We can then put a simple "include" statement in the admin backend and we've got the latest info! Great idea!