X-Cart: shopping cart software

X-Cart forums (https://forum.x-cart.com/index.php)
-   News and Announcements (https://forum.x-cart.com/forumdisplay.php?f=28)
-   -   security-patch-2007-10-29.tgz (https://forum.x-cart.com/showthread.php?t=35093)

balinor 11-01-2007 03:30 AM

security-patch-2007-10-29.tgz
 
Most of you should have received an e-mail from Qualiteam this morning about a security patch for ALL versions of X-Cart other than 4.1.9. If you didn't, you can find the patch in the 'files' area of your help desk. If you download the patch (which you absolutely should), you will notice it does not include any .diff files, just the patched files themselves. This is not good, as replacing the files will overwrite any changes to them that you made. Be sure to make a backup of all these files before you upload the new versions, and if there are any issues with your store (particularly ones with third party mods), you can easily restore the old versions. Why they didn't issue this patch with .diff files is beyond me, as this creates a major headache for those of us who maintain multiple stores.

gabriela 11-01-2007 11:11 AM

Re: Security Patch - 11-1-07
 
Are the old 3.4.x versions affected as well, or doesn't the X-Cart team check those versions any more?

balinor 11-01-2007 11:23 AM

Re: Security Patch - 11-1-07
 
The patch seems to only cover 3.5 on.

exsecror 11-01-2007 11:24 AM

Re: Security Patch - 11-1-07
 
I received no such e-mail today, nor do I see any file with a timestamp that correlates with it in the files section. Do you have an exact file name, balinor?

balinor 11-01-2007 11:26 AM

Re: Security Patch - 11-1-07
 
Sure, it's in the file area/updates:

security-patch-2007-10-29.tgz

Edited the thread title to reflect this as well.

exsecror 11-01-2007 11:28 AM

Re: security-patch-2007-10-29.tgz
 
Haha, oops, I looked right past it. Thanks balinor, I'll review it and backport the fixes.

Edit:
Looks like I only have to backport one fix; I already took care of the other ones they fixed several weeks ago. o.O

carpeperdiem 11-01-2007 11:47 AM

Re: security-patch-2007-10-29.tgz
 
I didn't get any emails from xcart about this.

exsecror 11-02-2007 03:58 AM

Re: security-patch-2007-10-29.tgz
 
There's something wrong with that security update, at least for 4.1.8: after applying the func.db.php and func.order.php fixes it totally destroys the cart's ability to store any data (in terms of the shopping cart mechanism itself, not the cart as a whole).

carpeperdiem 11-02-2007 04:14 AM

Re: security-patch-2007-10-29.tgz
 
I gave up as well. I had a zillion issues. I reverted.

I will be opening a new thread later re: how to upgrade from 4.1.8 to 4.1.9 -- I have some ideas....

sunny 11-05-2007 03:32 PM

Re: security-patch-2007-10-29.tgz
 
Hello all,

In updating for this security patch, is there any easy way to find what the actual changes are? Our include/func.php file is rather heavily modified (by X-Cart, myself and one other mod) and I'm having a difficult time differentiating between the update code and that added for modifications by others. I compared the files and this doesn't do me any good. Is there any way to figure out just the lines changed for this update?

thanks for any assistance,

Carol Davenport

balinor 11-05-2007 03:43 PM

Re: security-patch-2007-10-29.tgz
 
That's what I mean, they didn't issue a .diff, they just said 'here, replace your files'. You need to use a compare program and make the changes you find, and there are quite a few depending on how custom your func.php is.

Light Speed 11-05-2007 09:35 PM

Re: security-patch-2007-10-29.tgz
 
I also did not receive an email regarding this security patch!!!!!!!!

wjbrewer 11-05-2007 10:01 PM

Re: security-patch-2007-10-29.tgz
 
Quote:

Originally Posted by sunny
...is there any easy way to find what the actual changes are? Our include/func.php file is rather heavily modified (by X-Cart, myself and one other mod) and I'm having a difficult time differentiating between the update code and that added for modifications by others. I compared the files and this doesn't do me any good. Is there any way to figure out just the lines changed for this update?


http://www.scootersoftware.com/

ambal 11-06-2007 12:03 AM

Re: security-patch-2007-10-29.tgz
 
Quote:

Originally Posted by Light Speed
I also did not receive an email regarding this security patch!!!!!!!!


You shouldn't worry about not having got the e-mail from us so far, as you just haven't got the e-mail YET. We usually send our newsletters in portions in order not to create a huge overload on our servers, as would happen if we sent them all at once. I am sure you'll get the e-mail some time later.

Also, please make sure your spam filter allows messages from our domains.

balinor 11-06-2007 04:06 AM

Re: security-patch-2007-10-29.tgz
 
Alexander, is there a reason this patch was not released as a .diff? You guys have created about 20 hours of work for me in having to go into each of my clients' stores and compare their func.php file to the new one and make the appropriate changes.

dire_lobo 11-06-2007 05:46 AM

Re: security-patch-2007-10-29.tgz
 
Howdy folks!

I contacted X-Cart last night and received the following:

"The software architects informed that a diff patch for X-Cart will be released in the nearest 1-2 business days. We'll let you know as soon as it's available."

I also went in and made sure my contact email address was current - it wasn't (remember the massive spoofing campaign I weathered? - I had to change domains - and concomitantly, emails... and hadn't updated my profile at X-Cart). I updated/fixed that too.

balinor 11-06-2007 05:47 AM

Re: security-patch-2007-10-29.tgz
 
Excellent...good to hear!

geckoday 11-06-2007 05:57 AM

Re: security-patch-2007-10-29.tgz
 
Why is func.php full of changes that have nothing to do with patching security, such as discount calculations? A security patch should be just that and that alone. Now I've either got to test a dozen other things or manually pick out the security related changes from the patch.

Sheriff 11-06-2007 06:03 AM

Re: Security Patch - 11-1-07
 
1 Attachment(s)
Quote:

Originally Posted by balinor
Sure, it's in the file area/updates:

security-patch-2007-10-29.tgz

Edited the thread title to reflect this as well.


We've updated security-patch-2007-10-29.tgz in the XB file area and now it contains diff files too.

Also I've attached security-patch-2007-10-29_diffs-only.zip file to this message for further use.

balinor 11-06-2007 06:12 AM

Re: security-patch-2007-10-29.tgz
 
Well that didn't work...on a fresh install of 4.1.8, the only file that patches is /include/func/func.db.php. The rest result in a 'could not patch' error, even though they are default files. Testing other versions now.

geckoday 11-06-2007 06:14 AM

Re: security-patch-2007-10-29.tgz
 
Quote:

Originally Posted by geckoday
Why is func.php full of changes that have nothing to do with patching security, such as discount calculations? A security patch should be just that and that alone. Now I've either got to test a dozen other things or manually pick out the security related changes from the patch.

Ahhh! The diff file that was just posted looks like the changes are limited just to the security issues.

balinor 11-06-2007 06:16 AM

Re: security-patch-2007-10-29.tgz
 
The 4.0.18 patch hard-codes the xcart/ subdirectory into the .diff file, so if you don't have your cart installed in that directory, you get a 'not found' for all the files.

Come on guys, can you please take the time to get these right? A security patch is important and shouldn't be this difficult to implement.
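sunny's question above about pulling only the vendor's changes out of a heavily modified include/func.php, and balinor's report that the 4.0.18 .diff hard-codes the xcart/ prefix, both come down to how a unified diff is built and applied; the Python below is an added illustration, not code from X-Cart or from any poster. It rebuilds the delta from the unmodified and patched vendor files, applies it to a customized copy by matching each hunk's context at whatever offset it now sits, refuses a hunk that a third-party mod already touched, and strips a hard-coded directory prefix the way patch -pN would. The file name and PHP fragments are constructed samples.

```python
"""Rebuild a vendor .diff from the unmodified and patched files, then apply
that delta to a customized copy, refusing any hunk whose context no longer
matches. The PHP fragments are constructed samples, not X-Cart code."""
import difflib

def make_patch(original, patched, name="include/func.php"):
    """Unified diff of the vendor's unmodified file against its patched file."""
    return "".join(difflib.unified_diff(original.splitlines(True),
                                        patched.splitlines(True), name, name))

def parse_hunks(patch_text):
    """Return [(pre_image_lines, post_image_lines)] for each @@ hunk."""
    hunks = []
    for line in patch_text.splitlines(True):
        if line.startswith("@@"):
            hunks.append(([], []))
        elif not hunks or line.startswith("\\"):
            continue                  # ---/+++ header or 'No newline' marker
        elif line.startswith("-"):
            hunks[-1][0].append(line[1:])
        elif line.startswith("+"):
            hunks[-1][1].append(line[1:])
        else:                         # context line belongs to both images
            for img in hunks[-1]: img.append(line[1:])
    return hunks

def apply_patch(target, patch_text):
    """Apply each hunk where its pre-image occurs exactly once, at any offset
    (custom code elsewhere is fine); otherwise refuse, like patch's
    'could not patch', so that hunk gets merged by hand."""
    lines = target.splitlines(True)
    for n, (pre, post) in enumerate(parse_hunks(patch_text), 1):
        hits = [i for i in range(len(lines) - len(pre) + 1)
                if lines[i:i + len(pre)] == pre]
        if len(hits) != 1:
            raise ValueError("hunk %d: pre-image %s in target"
                             % (n, "not found" if not hits else "ambiguous"))
        lines[hits[0]:hits[0] + len(pre)] = post
    return "".join(lines)

def target_path(patch_text, strip=0):
    """File named in the +++ header minus `strip` leading directories (what
    patch -pN does), for a diff that hard-codes a prefix such as xcart/."""
    for line in patch_text.splitlines():
        if line.startswith("+++ "):
            return "/".join(line[4:].split("\t")[0].split("/")[strip:])
    raise ValueError("no +++ header in patch")

# Constructed samples: vendor original, vendor fix, a merchant copy with a custom
# function added above the vendor's, and a copy where a mod already changed the fixed line.
VENDOR_ORIG = """<?php
require_once 'config.php';

function func_get_product()
{
    $id = $_GET['productid'];
    return func_lookup($id);
}
"""
VENDOR_PATCHED = VENDOR_ORIG.replace(
    "$id = $_GET['productid'];", "$id = intval($_GET['productid']);")
CUSTOMIZED = VENDOR_ORIG.replace(
    "require_once 'config.php';\n",
    "require_once 'config.php';\n\nfunction custom_discount() { return 0.1; }\n")
CONFLICTING = CUSTOMIZED.replace(
    "$id = $_GET['productid'];", "$id = $_GET['productid']; // mod hook")
```

Run `apply_patch(CUSTOMIZED, make_patch(VENDOR_ORIG, VENDOR_PATCHED))` to see the fix land two lines lower than in the vendor file, and the same call on CONFLICTING to see the hunk refused.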

Kelson 11-06-2007 06:23 AM

Re: security-patch-2007-10-29.tgz
 
I installed the patch and got a lot of error messages across the top of the screen. I don't know enough about X-Cart to know what was wrong but reading this forum tells me the patch is messed up. I'll try it again once the patch works right.

michiganbob 11-06-2007 10:59 AM

Re: security-patch-2007-10-29.tgz
 
It seems like this update is causing people quite a few headaches. Before I start the process of manually patching all of my clients' carts, can anyone tell me what the actual security issue is? All I got out of the email is that someone could use "SQL injection" to gain access to sensitive information. Do I need to waste an entire day fixing this, or are we all worried about nothing?

Thanks.

abossola 11-06-2007 04:41 PM

Re: security-patch-2007-10-29.tgz
 
Has anyone successfully upgraded from 4.0.19 yet?

abossola 11-06-2007 04:47 PM

Re: security-patch-2007-10-29.tgz
 
And why can't I even find a version of 4.18? All I see is 4.19? Ahhh... this shouldn't be so difficult.

balinor 11-06-2007 04:55 PM

Re: security-patch-2007-10-29.tgz
 
4.0.18 is in the .diff posted above, but it doesn't work as I mentioned. You are right though, this should be a no-brainer...people are going to do more damage with this patch than they'd do leaving the site alone :(

abossola 11-06-2007 05:05 PM

Re: security-patch-2007-10-29.tgz
 
So basically Xcart just announced to the world that their app is insecure and that we have no way to upgrade other than building the site from scratch?

carpeperdiem 11-06-2007 05:09 PM

Re: security-patch-2007-10-29.tgz
 
Quote:

Originally Posted by abossola
So basically Xcart just announced to the world that their app is insecure and that we have no way to upgrade other than building the site from scratch?


Yes. And they announced this to the world before notifying their customers via email.

I did not need to be doing this at the start of my busiest 60 days of the year.

BCSE 11-06-2007 06:31 PM

Re: security-patch-2007-10-29.tgz
 
Thank goodness they are providing DIFF files. I've been back and forth with a support person this past week about this. And they keep coming back with basically "sorry we aren't providing DIFF files but we can do it for you for 40 support points"

I also do not know why this security patch is of "moderate" impact status. It seems pretty critical to me that people could get sensitive data! :(

Carrie

carpeperdiem 11-06-2007 07:56 PM

Re: security-patch-2007-10-29.tgz
 
I just received my email a few minutes ago. They've known about this since 29-october. Lovely.

eliot 11-07-2007 01:31 AM

Re: security-patch-2007-10-29.tgz
 
I'm still waiting for my email - I only heard about this because websitecm's newsletter mentioned something about a recent security upgrade. (Many thanks to websitecm.)

Anyway, what's not clear to me is are the diff files in a good state to use yet? I have a root install of x-cart 4.1.8 so if they are still hardcoded for /xcart dir then I guess not.

---

Are the developers of this product using automated tests? Do they have a dedicated QA team?

I'm assuming no, or if they are they have poor coverage. If they are, please start shipping the tests with the product so we can run them ourselves.

My day job is as a programmer specialising in unit, integration and end-to-end testing of enterprise web applications. It surprises me that in 2007 a product as popular as this does not have proper automated test coverage.

Qualiteam, please advise us of your position on this topic and what you are doing to fix this.

I'm building phpunit and selenium tests as I make changes to my x-cart install, and I recommend others do this too.

In the end, I'd like to see qualiteam implement automated testing themselves, and have a continuous integration environment. I'm busy, but if you need help qualiteam, give me a shout and I will help where I can.

Here's an idea for any good OO PHP programmers that have the time:

- Build OO-designed cart software with unit, integration, and end-to-end test coverage from the start.
- Start simple with version 1.0; don't worry about competing with X-Cart, you're looking to charge big and only sell to a few.
- Emphasise that this is a *quality* and *tested* product.
- Charge $000s per install or for support - don't charge $00s, that's not your market.

ambal 11-07-2007 03:46 AM

Re: security-patch-2007-10-29.tgz
 
Quote:

Originally Posted by carpeperdiem
I just received my email a few minutes ago. They've known about this since 29-october. Lovely.


I thought I explained that at http://forum.x-cart.com/showthread.php?p=192025#post192025

Anyway, here is more detailed explanation:

First of all, we haven't announced this problem to the entire world ***yet***. These forums are accessible only by X-Cart users who have at least one valid X-Cart license.

Our clients are the first after us to get information about the patch, via a private newsletter which is being sent in portions in order not to overload our servers.

Just imagine what would happen if tens of thousands of X-Cart users tried to log in to their HelpDesk accounts to download the patch at almost the same time. The servers would go down and nobody would be able to download the patch. Since we are sending the newsletter in portions, no overload is created and every X-Cart customer can log in to their HelpDesk account and download the patch without any hassle.

eliot 11-07-2007 03:52 AM

Re: security-patch-2007-10-29.tgz
 
Thanks for explaining that Alexander.

I think there needs to be more responsibility from Qualiteam over this. The excuse that our servers wouldn't handle the traffic is not good enough.

What will qualiteam do when there is a major security issue with an exploit in the public domain?

Waiting a week or more for the patch would not be good enough. It would be too late for many small businesses who get exploited in the meantime.


What are Qualiteam doing to fix this situation?

shan 11-07-2007 03:59 AM

Re: security-patch-2007-10-29.tgz
 
Hi Ambal,

Sounds like you need a better server then, so that you can handle the traffic. I only see 15000 or so members in the forum, so at most have the whole lot sent out in a couple of days. It's not like every person with a licence is going to log in right away.

As for the latest update and security patch, there seem to be a whole load of questions not being answered here.

It would be helpful if all these points were addressed, e.g. hard-coding paths, upgrades not working very well, security patches containing non-security-related fixes.

It's disappointing to see this type of stuff going on these days. X-Cart and its team should be totally on top of this type of thing by now.

carpeperdiem 11-07-2007 04:38 AM

Re: security-patch-2007-10-29.tgz
 
Quote:

Originally Posted by ambal
You shouldn't worry about not having got the e-mail from us so far, as you just haven't got the e-mail YET. We usually send our newsletters in portions in order not to create a huge overload on our servers, as would happen if we sent them all at once. I am sure you'll get the e-mail some time later.


Alexander,

With all the love and respect a forum mod can give you, there are times that X-Cart needs to bite the bullet and not do everything in-house. Sending 15,000 emails can be done in a day with a 3rd party email service. Yes, you'll pay for this, but for security exploits, I can't think of a better use of company funds. (Well, a big party for your forum participants comes to mind, but I would give that up for timely announcements of security exploits.)

FYI, many companies have systems in place with outside vendors to deliver their messages on-time... for example, I received an email from Apple on October 26 announcing their new operating system. Every Apple customer received this email on October 26. That would be millions of emails. It can be done. 1-800-Flowers sent me an email that is time-stamped for a 48-hour sale. I would imagine that they sent this to more than 15,000. And since the content expires in 48 hours, if they can't send it to all their customers FAST, the value of the content is lost.

My point is that 15,000 emails is not going to kill you with an outside service. And if you need scalable server technology, there are experts lurking here...

Please don't make excuses. Many of us are pros running our own businesses as well as being the ecom guy. We find ways to do things, and we don't always do everything in-house. Thanks for trying to communicate with us... please, we do appreciate it, really, there is no other way to keep your customers happy - BUT when things go wrong, in my opinion it is better to acknowledge the error and fix it -- "not to overload our servers" to me is lame. Thanks for keeping the communication open.

Jeremy

ambal 11-07-2007 05:07 AM

Re: security-patch-2007-10-29.tgz
 
Quote:

Originally Posted by shan
Sounds like you need a better server then, so that you can handle the traffic. I only see 15000 or so members in the forum, so at most have the whole lot sent out in a couple of days. It's not like every person with a licence is going to log in right away.


Though the number of X-Cart users is bigger than the number of X-Cart forum users, since not every X-Cart user registers a forum account, it should not be a big problem for our new servers, which are going to be installed within a week. However, we couldn't wait until the new servers were in place, and sent the newsletter in portions in order not to overload the current servers and in order to inform our clients in advance.

Even if we had the new servers in place now, we would send the newsletter in portions, as we shouldn't forget that not every X-Cart user has the skills to apply the patch, and there will be a considerable number of people who will want us to apply the patch regardless of any manual, readme file, etc. We should think about them as well.

Our experience shows that sending newsletters in portions is the best way in such a situation, even if information about the issue is available publicly.

Informing and helping tens of thousands of people worldwide is not as easy a task as it may seem at first glance. We are doing our best, but we have to remember the downside of any action we are thinking of taking.


Quote:

Originally Posted by shan
As for the latest update and security patch, there seem to be a whole load of questions not being answered here.

It would be helpful if all these points were addressed, e.g. hard-coding paths, upgrades not working very well, security patches containing non-security-related fixes.

It's disappointing to see this type of stuff going on these days. X-Cart and its team should be totally on top of this type of thing by now.


First of all, we are not hiding our heads in the sand in this situation. We are going to answer all the questions asked here. At the moment I can tell you nothing, as we are collecting information about each case posted here. Some guys try to upgrade or apply the patch on a heavily customized X-Cart, or on an X-Cart powered by 3rd party add-ons which change some of the affected files. But there are a number of guys who cannot apply the patch even on a standard X-Cart. Anyway, we need to see the full picture before making any conclusion.

Give us some time and we'll get back to you with our answers.

ambal 11-07-2007 05:16 AM

Re: security-patch-2007-10-29.tgz
 
2carpeperdiem

Jeremy, this is our next step, I mean using an external sending service (I am responsible for this at Qualiteam), but the first one is changing servers. Plus, remember the number of online merchants using X-Cart and that we need to sleep a bit sometimes :)

shan 11-07-2007 05:30 AM

Re: security-patch-2007-10-29.tgz
 
Don't get me wrong, I never said you were hiding your heads, just that we should not be in this situation so far down the line with X-Cart and Qualiteam. You are not a young company.

The main problem seems to come from releasing a patch or upgrade pack that is full of problems even on a fresh install (not that I've tested it, just from what I've read here).

Yes, supporting many users is not a simple thing, but you can cut down on the amount of support you give by making things work better in the first place. Again not a simple task, but something like a security patch should be an easy thing to do.

As for the problems of patching hundreds of clients' sites... if you're getting paid for it then get some temporary staff in.

As developers many of us are in a similar situation to you, and we are in part responsible for more than a single site, so making sure that an upgrade or security fix is not going to bring down a client's site or cause extra headaches is paramount. We must be able to rely on you in situations like this.

My main reason for chipping in here is that I notice many seasoned X-Cart developers having issues, and not your average Joe just not understanding what a diff file is.

Look forward to seeing what you find out.

balinor 11-07-2007 07:39 AM

Re: security-patch-2007-10-29.tgz
 
All we are asking for is a set of .diff files for each version that actually WORK on a fresh install of X-Cart. We can handle manually patching stores that are highly custom, but the patches you issued the other day do not even work on a fresh install.



Powered by vBulletin Version 3.5.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.