X-Cart: shopping cart software

X-Cart forums (https://forum.x-cart.com/index.php)
-   X-Payments issues & questions (https://forum.x-cart.com/forumdisplay.php?f=50)
-   -   POODLE vulnerability in SSLv3 (https://forum.x-cart.com/showthread.php?t=70268)

ambal 10-17-2014 05:58 AM

POODLE vulnerability in SSLv3
 
1 Attachment(s)
Hi Everyone,

This part is for those who does use X-Payments:

----------------
As you may already know right after OpenSSL Heartblead vulnerability a new one has been found in SSL protocol - POODLE.

The POODLE vulnerability is a weakness in version 3 of the SSL protocol that allows an attacker in a man-in-the-middle context to decipher the plain text content of an SSLv3 encrypted message.

You can read more about POODLE at
https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-poodle-sslv3-vulnerability

Please note - this is NOT a vulnerability in X-Payments or X-Payments connector modules for X-Cart. This is a vulnerability in ciphering software used by almost any server in the Internet to establish secure connections.

What needs to be done:

1) X-Cart 4 users - apply Attachment 3956 patch to your X-Cart that will disable forced use of SSLv3 and enable automatic selection of TLS or SSL so if your hosting provider disabled SSLv3 support for your X-Payments installation your X-Cart will be able to connect with X-Payments using TLS.

Or you can download our new connectors for X-Cart 4 at
https://drive.google.com/a/x-cart.com/folderview?id=0B6p7sehSZL8_akhxR0VwQ0dta2M&usp=dri ve_web#list

They have been updated today to have the patch out of the box.

X-Cart 5 users - install the latest version of X-Payments connector available at the X-Cart 5 Marketplace.

2) make sure your server where you run X-Cart uses cURL v 7.18.1 or newer.
If you use X-Payments Enterprise/Downloadable license - check the same for your X-Payments server.

If your cURL is older - update it.
If you have no idea what is cURL - consult with your hosting admin.

And since I mentioned the OpenSSL Heartbleed - check your OpenSSL version - it should be at least 1.0.1g

--------------------

If you do not use X-Payments - go straight at http://forum.x-cart.com/showpost.php?p=379153&postcount=57

cflsystems 10-17-2014 06:04 AM

Re: POODLE vulnerability in SSLv3
 
Where is the patch Alex?

ambal 10-17-2014 06:07 AM

Re: POODLE vulnerability in SSLv3
 
Quote:

Originally Posted by cflsystems
Where is the patch Alex?


In the original message, Steve.

cflsystems 10-17-2014 06:08 AM

Re: POODLE vulnerability in SSLv3
 
I guess you just changed the original message while I was typing :) It is different now

Thanks

ambal 10-17-2014 06:11 AM

Re: POODLE vulnerability in SSLv3
 
Quote:

Originally Posted by cflsystems
I guess you just changed the original message while I was typing :) It is different now

Thanks


Yep, I was typing this long message and forgot to attach the file, but I noticed that immediately after the post had been made and edited the message.

xcel 10-17-2014 06:47 AM

Re: POODLE vulnerability in SSLv3
 
Does this effect all XC users? If I'm not using X-Payments or X-Payments connector modules do I need to worry about this?

Mark N 10-17-2014 06:47 AM

Re: POODLE vulnerability in SSLv3
 
Can't seem to get this patch to apply - looks like the xpc_func.php I have is different - I haven't applied any customizations to this file but it doesn't appear to match what is in the diff - here is my version info of the file (running XC 4.6.3):

* @version 58ab7bdc89b3d4cd894ef7d853bcc6f0c4dcca6b, v101 (xcart_4_6_2), 2014-02-03 17:25:33, xpc_func.php, aim

I'm nervous about putting a new connector in place, have seen conflicting information about whether or not it supports X-Payments 1.0.6. Can you clarify Alex?

-Mark

ambal 10-17-2014 06:57 AM

Re: POODLE vulnerability in SSLv3
 
> Does this effect all XC users? If I'm not using X-Payments or X-Payments connector
> modules do I need to worry about this?

I would say the POODLE affects really everyone in the Internet. This is a bug in SSL v3 protocol. It is not X-Cart or X-Payments related only.

ambal 10-17-2014 07:06 AM

Re: POODLE vulnerability in SSLv3
 
Mark,

Quote:

Originally Posted by Mark N
Can't seem to get this patch to apply - looks like the xpc_func.php I have is different - I haven't applied any customizations to this file but it doesn't appear to match what is in the diff - here is my version info of the file (running XC 4.6.3):

* @version 58ab7bdc89b3d4cd894ef7d853bcc6f0c4dcca6b, v101 (xcart_4_6_2), 2014-02-03 17:25:33, xpc_func.php, aim



In order to make the change manually in file
modules/XPayments_Connector/xpc_func.php

find a line of code
curl_setopt($ch, CURLOPT_SSLVERSION, 3);

and remove it.

If you see near the above line of code this:
curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'DEFAULT');
remove this, too.

Quote:

Originally Posted by Mark N
I'm nervous about putting a new connector in place, have seen conflicting information about whether or not it supports X-Payments 1.0.6. Can you clarify Alex?


It does support v1.0.6 but only for credit card processing. Anyways, we always recommend to test new modules before letting them go live. E.g. on a test server.

Mark N 10-17-2014 07:19 AM

Re: POODLE vulnerability in SSLv3
 
Thanks for the quick response - made the changes suggested and tested after disabling SSLv3, all looks good now. Will test out the new connector - when you say "It does support v1.0.6 but only for credit card processing.", what does it not support exactly?


All times are GMT -8. The time now is 09:35 PM.

Powered by vBulletin Version 3.5.4
Copyright ©2000 - 2021, Jelsoft Enterprises Ltd.