POODLE vulnerability in SSLv3
X-Cart forums, X-Payments issues & questions (https://forum.x-cart.com/showthread.php?t=70268)

cflsystems 10-18-2014 11:57 AM

Re: POODLE vulnerability in SSLv3
 
XC uses SSL 3 in these files as well

func.https_X.php

where X is libcurl, curl, openssl, ssleay

It is OFF by default, but other code in XC may set it to true when used. The solution will be to find the line in the file that sets the option for SSL3 and comment it out. For example, in func.https_libcurl.php there is this:

PHP Code:

if ($use_ssl3)
    curl_setopt($ch, CURLOPT_SSLVERSION, 3);

So just comment it out:

PHP Code:

// if ($use_ssl3)
//     curl_setopt($ch, CURLOPT_SSLVERSION, 3);


This is untested, so make sure you do some test orders if changing it.

QT, can we get clarification on this and a patch for XC if possible?

shwekhaw 10-19-2014 07:53 AM

Re: POODLE vulnerability in SSLv3
 
We edited conf file to exclude SSLv3 from SSLProtocol. We did online test and it passes. Do we still need to patch X-payment connector files?

ambal 10-19-2014 11:15 PM

Re: POODLE vulnerability in SSLv3
 
Quote:

Originally Posted by shwekhaw
We edited conf file to exclude SSLv3 from SSLProtocol. We did online test and it passes. Do we still need to patch X-payment connector files?


Yes, if you use X-Payments. This thread was originally created about dealing with the POODLE in X-Payments.

xim 10-20-2014 12:11 AM

Re: POODLE vulnerability in SSLv3
 
Quote:

Originally Posted by cflsystems
XC uses SSL 3 in these files as well

func.https_X.php

where X is libcurl, curl, openssl, ssleay

It is OFF by default, but other code in XC may set it to true when used. The solution will be to find the line in the file that sets the option for SSL3 and comment it out. For example, in func.https_libcurl.php there is this:

PHP Code:

if ($use_ssl3)
    curl_setopt($ch, CURLOPT_SSLVERSION, 3);


So just comment it out:

PHP Code:

// if ($use_ssl3)
//     curl_setopt($ch, CURLOPT_SSLVERSION, 3);


This is untested, so make sure you do some test orders if changing it.

QT, can we get clarification on this and a patch for XC if possible?


This is the correct patch.

Our team is working on the 4.6.5 release, planned for this week. This version will have the necessary corrections so that SSLv3 is not used.
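The patch quoted above only deletes the `$use_ssl3` branch. The following is an added example, not code from this thread or from X-Cart, showing what that HTTPS helper looks like once the branch is gone and a TLS floor is enforced instead; the function name and parameters are assumptions:

```php
<?php
// Added example (not X-Cart code): a curl HTTPS helper that can never
// negotiate SSLv3, no matter what a caller passes for $use_ssl3.
function https_request_no_sslv3($url, array $postFields = array(), $use_ssl3 = false)
{
    $ch = curl_init($url);
    if ($ch === false) {
        return array('body' => false, 'errno' => -1, 'error' => 'curl_init failed', 'http' => 0);
    }

    // The legacy code did: if ($use_ssl3) curl_setopt($ch, CURLOPT_SSLVERSION, 3);
    // Here the flag is deliberately ignored and a minimum TLS version is set.
    // CURL_SSLVERSION_TLSv1_2 needs PHP >= 5.5 with libcurl >= 7.34; on older
    // builds fall back to "TLS 1.0 or newer" rather than ever allowing SSLv3.
    $minVersion = defined('CURL_SSLVERSION_TLSv1_2')
        ? CURL_SSLVERSION_TLSv1_2
        : CURL_SSLVERSION_TLSv1;
    curl_setopt($ch, CURLOPT_SSLVERSION, $minVersion);

    // Keep certificate validation on; a POODLE fix is no reason to weaken it.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);

    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);
    if (!empty($postFields)) {
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($postFields));
    }

    $body = curl_exec($ch);
    $result = array(
        'body'  => $body,
        'errno' => curl_errno($ch),
        'error' => curl_error($ch),
        'http'  => curl_getinfo($ch, CURLINFO_HTTP_CODE),
    );
    curl_close($ch);

    // errno 35 (CURLE_SSL_CONNECT_ERROR) after this change usually means the
    // remote side still offers only SSLv3 and must be fixed there, not by
    // re-enabling SSLv3 on this end.
    return $result;
}
```

A store that sees errno 35 against its payment gateway after applying this should check the gateway's supported protocols rather than restore the `$use_ssl3` branch.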

ambal 10-20-2014 03:05 AM

Re: POODLE vulnerability in SSLv3
 
Re: Magento users of X-Payments

Nothing needs to be patched in the connector module, as our Magento connector for X-Payments relies on the built-in Magento HTTPS module. So I advise checking with Magento regarding whether or not Magento needs to be patched.

mcanitano 10-20-2014 10:11 AM

Re: POODLE vulnerability in SSLv3
 
We are having an issue with this on XC 4.5.5.

We installed the newest X-Payments Connector, and received the following errors in: x-errors_xpay_connector-xxxxxx.php

Code:

[20-Oct-2014 13:29:34] xpay_connector message:
    X-Payments error (code: 1514): The merchantEmail field is missing or incorrect
Request URI: /payment/payment_cc.php
Backtrace:
/.../modules/XPayments_Connector/xpc_func.php:2257
/.../modules/XPayments_Connector/xpc_func.php:2223
/.../modules/XPayments_Connector/xpc_func.php:1948
/.../modules/XPayments_Connector/xpc_func.php:1941
/.../modules/XPayments_Connector/xpc_func.php:417
/.../payment/cc_xpc.php:574
/.../payment/payment_cc.php:347

-------------------------------------------------
[20-Oct-2014 13:29:34] xpay_connector message:
    Internal error.
Request URI: /payment/payment_cc.php
Backtrace:
/.../modules/XPayments_Connector/xpc_func.php:2257
/.../modules/XPayments_Connector/xpc_func.php:1997
/.../modules/XPayments_Connector/xpc_func.php:1950
/.../modules/XPayments_Connector/xpc_func.php:1941
/.../modules/XPayments_Connector/xpc_func.php:417
/.../payment/cc_xpc.php:574
/.../payment/payment_cc.php:347

-------------------------------------------------


Then in x-errors_payments-xxxxxx.php:

Code:

[20-Oct-2014 13:29:34] PAYMENTS message:
    Payment processing failure.
    Login: [PRIVATE]
    IP: [PRIVATE]
    ----
    Payment method: Credit Card (X-Payments: Authorize.Net AIM)
    bill_output = Array
    (
        [cvvmes] => not set /
        {code} => 2
        [billmes] => Internal error (I)
    )
    original_bill_output = Array
    (
        [cvvmes] => not set /
        {code} => 2
        [billmes] => Internal error (I)
    )
Request URI: /payment/payment_cc.php
Backtrace:
/.../payment/payment_ccmid.php:459
/.../payment/payment_ccend.php:48
/.../payment/payment_cc.php:349

-------------------------------------------------


EDIT: We successfully reverted to old setup, but would still like to know how to fix the above errors.

hdpixel 10-20-2014 01:32 PM

Re: POODLE vulnerability in SSLv3
 
I fixed two stores using this fix. Thank you so much.

X-cart 4.54 and 4.52 with x-payment 1.06.

Dougrun 10-21-2014 08:01 AM

Re: POODLE vulnerability in SSLv3
 
For those not using X-Payments: I'm on 4.6.4, and I added

SSLProtocol all -SSLv2 -SSLv3

to my pre-virtual host include file on Apache,
pre_virtualhost_global.conf

Passed the test. This is a CentOS 6.4 x86_64 standard GoDaddy dedicated server.

tam10 10-21-2014 08:12 AM

Re: POODLE vulnerability in SSLv3
 
I passed the test:
"This server is not vulnerable to the POODLE attack because it doesn't support SSL 3"

Does it mean I do not need to do anything?

I did fail this (what is it?):

IE 6 / XP No FS 1 No SNI 2 Protocol or cipher suite mismatch

Chris B 10-21-2014 09:27 PM

Re: POODLE vulnerability in SSLv3
 
We are having trouble with an x-cart installation using Version 4.5.5 with X-PAYMENTS v.1.0.2.

After turning off SSL3 on the server we no longer had the ability to enter credit card information within the checkout process.

We therefore patched our x-cart installation manually by:

1.) Removing the line of code

curl_setopt($ch, CURLOPT_SSLVERSION, 3);

from

modules/XPayments_Connector/xpc_func.php

We did not see the following line within our version of x-cart:

curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'DEFAULT');

So this step was bypassed.

2.) We then tested, with no luck.

3.) We then removed

if ($use_ssl3)
    curl_setopt($ch, CURLOPT_SSLVERSION, 3);

from the func.https_X.php file and tested again. Still no luck.

4.) We then installed the newest X-Payments Connector, and it white-screened the entire cart.

Any suggestions?
