X-Cart: shopping cart software

X-Cart forums (https://forum.x-cart.com/index.php)
-   News and Announcements (https://forum.x-cart.com/forumdisplay.php?f=28)
-   -   X-Cart 4.7.11 and Security Patches (https://forum.x-cart.com/showthread.php?t=76933)

mvs 04-25-2019 07:06 AM

X-Cart 4.7.11 and Security Patches
 
Hi fellow X-Carters,

We’ve just released X-Cart v4.7.11. We have also prepared some security patches for X-Cart v4.4.0 and higher. You might want to check out the blog post on both: https://www.x-cart.com/blog/x-cart-v4-7-11-and-security-patches.html

mvs 04-25-2019 07:21 AM

Re: X-Cart 4.7.11 and Security Patches
 
Changelog:

*BACKOFFICE*
[*] 22 Feb 2019, aim - Improvement (Y:148789): Main page :: Edit languages admin/languages.php did not work when there was a language cookie like en_US. Fixed.
[*] 31 Jan 2019, aim - Improvement (Y:148757): Multiple addresses are not allowed to be used in fields like 'Site administrator email address' / 'Users department email address' / '"From" email address'.
[*] 29 Jan 2019, aim - Improvement (Y:148769): Warning related to php.net/eol.php updated for PHP7.1.x.
[!] 30 Jan 2019, aim - Bug (Y:148746): The Admin area did not work behind Cloudflare. Fixed. The error was 'It seems your IP address has changed. For security reasons your user session has been terminated by the session protection mechanism (PROTECT_XID_BY_IP)'.....
[!] 29 Jan 2019, aim - Bug (Y:148767): PHP Fatal error related to the 'Delete all orders' feature: Uncaught Error: Call to undefined method XCCostChange::deleteOrder() in include/orders_deleteall.php:106. Fixed.

*USERS*
[*] 11 Feb 2019, aim - Improvement (Y:148779): Login history is now IPv6 compatible.

*PAYMENTS*
[*] 10 Apr 2019, aim - Improvement (Y:148766): Apple Pay/Visa Checkout is now available through the new Elavon Converge Hosted Payments Page payment gateway.
[*] 19 Feb 2019, aim - Improvement (Y:148783): [Socialize] Removed Google+ as deprecated. [Google plus]
[*] 12 Feb 2019, aim - Improvement (Y:148770): AuthorizeNet - SIM: Changed HMAC-MD5 to HMAC-SHA512 for Unique Transaction Fingerprint using a Signature Key https://support.authorize.net/s/article/What-is-a-Signature-Key
[*] 09 Feb 2019, aim - Improvement (Y:1487770: [Ingenico ePayments e-Commerce] (former Ogone - Web Based) updated to support UTF8 (International names).
[!] 14 Mar 2019, aim - Bug (Y:148797 B:0050537): [PayPal Payments Advanced / Partner Hosted with PCI Compliance][Payflow API] Error 'Field format error: Request is too large to process' for large carts. Fixed.
[!] 29 Jan 2019, aim - Bug (Y:148759): AuthorizeNet eCheck: Authorize.Net is phasing out the MD5 based hash use for transaction response verification in favor of the SHA-512 based hash utilizing a Signature Key. Adjusted.
[!] 11 Feb 2019, aim - Bug (Y:148778): [PayPal]. Sometimes orders failed with the error 'Declined: Payment amount mismatch: wrong order currency'. Fixed.
[!] 11 Feb 2019, aim - Bug (Y:148771): [PayPal] Website Payments Pro Hosted in mobile. Orders were declined sometimes. Fixed. Thanks to Chemisk.
[!] 01 Feb 2019, aim - Bug (Y:148739): [PayPal Express]. "Error Invalid Data: This transaction cannot be processed. The amount to be charged is zero". Orders paid partially with a Gift certificate were not processed via PayPal sometimes. Fixed. Thanks to Mixon.
[!] 29 Oct 2018, aim - Bug (Y:148728, B:0050101): [Sage Pay Go - Form protocol] did not work under PHP7.2/PHP7.3 with OpenSSL. Payment amount mismatch: wrong order total error related to VISA cards. Fixed.

*SHIPPING*
[*] 26 Feb 2019, aim - Improvement (Y:148625 B:0043214): For defined methods, the total order weight is now taken into account when real-time shipping calculation is disabled (so that the shipping methods with weight limits will show only when total cart weight is within the limits).
[!] 14 Jan 2019, aim - Bug (Y:148751): USPS Delivery to the United Kingdom/Swaziland/Guernsey/Isle of Man/Jersey/Tokelau was broken. Fixed.

*CHECKOUT*
[!] 19 Dec 2018, aim - Bug (Y:148740): [Amazon_Payments_Advanced] A wrong payment method was displayed in orders when the regular checkout flow was used. Fixed.

*MODULES/ADD-ONS*
*Advanced Customer Reviews*
[*] 16 Jan 2019, aim - Improvement (Y:148755): Advanced Customer Reviews and Customer Reviews are IPv6 compatible now.
*Amazon Feeds*
[*] 15 Mar 2019, aim - Improvement (Y:148799, Y:148793): [Amazon_Feeds] supports United Arab Emirates (U.A.E.) now. Changes for Canada and Mexico endpoints.
[*] 25 Jan 2019, aim - Improvement (Y:148737): [Amazon Feeds] Added the categories CellularPhoneCase/ScreenProtector, LightMotor/LightMotorVehicle, NetworkAdapter, Industrial/AdhesiveTapes. [Amazon_Feeds]
*Amazon Payments Advanced*
[*] 22 Mar 2019, aim - Improvement (Y:148800): [Amazon_Payments_Advanced] Amazon Pay Strong Customer Authentication (SCA). https://pay.amazon.com/uk/help/JE5KSJW4SFH2UM8#PSD2_SCA . [Second Payments Services Directive (PSD2)]
*Detailed Product Images*
[*] 26 Oct 2018, aim - Improvement (Y:148729): [Detailed Product Images] jQuery Colorbox widget updated from v1.3.15 to 1.6.4. Retina display support added.
*EU Cookie Law / GDPR-friendly*
[!] 11 Feb 2019, aim - Bug (Y:148780): [EU_Cookie_Law GDPR] REGEXP_REPLACE does not exist sql error. Fixed.
*Flyout Menus*
[!] 23 Jan 2019, aim - Bug (Y:148760): [Flyout Menus] Wrong product count was shown for a category when the setting 'Show products which are out of stock' was disabled. Fixed.
*Gift Certificates*
[!] 01 Feb 2019, aim - Bug (Y:148772): [Gift Certificates] There was no ability to unset certificates if the module 'Discount Coupons' was disabled. Fixed.
*Mailchimp*
[*] 07 Nov 2018, aim - Improvement (Y:148733): [Adv_Mailchimp_Subscription] A better text added on the 'Thank you for subscription' page. 'Please confirm subscription by clicking the "Yes, subscribe me to this list."....'
[!] 18 Dec 2018, aim - Bug (Y:148747, B:0050227): [Mailchimp] subscription was broken. "Timestamp_signup". "This value is not a valid datetime". Thanks to Joe Funderburg (Cherie).
*MultiCurrency*
[!] 18 Feb 2019, aim - Bug (Y:148782, B:0050472): [XMultiCurrency] Free API key is required now for http://free.currencyconverterapi.com/ service. Fixed. API version changed from v3 to v6.
*Product Notifications*
[!] 02 Apr 2019, aim - Bug (Y:148803, B:0050541): [Product Notifications] bug. Low stock notifications did not work. Fixed. [Product_Notifications]
*Survey*
[*] 16 Jan 2019, aim - Improvement (Y:148756): [Survey] module is IPv6 compatible now.
*TaxCloud*
[!] 08 Apr 2019, aim - Bug (Y:148805, B:0050579): [TaxCloud] Duplicate Lookup API calls. Fixed.
*X-PDF Invoices*
[*] 09 Apr 2019, aim - Improvement (Y:148806): [X-PDF] works on PHP7.3 now. mpdf has been updated from version 6.1.4 to 8.0.0. It requires, at the minimum, PHP version 5.6, and has been tested with PHP version up to 7.3. [XPDF]. Minor. [PHP 73 compatible][PHP 72 compatible][PHP 71 compatible].

*IMPORT/EXPORT*
[*] 18 Feb 2019, aim - Improvement (Y:148786): [Detailed Product Images] Images are now not duplicated during import.

*PERFORMANCE*
[*] 01 Apr 2019, aim - Improvement (Y:148802, B:0050565): Optimization for image.php.
[*] 25 Feb 2019, aim - Improvement (Y:148792): Small storefront optimization.
[*] 14 Feb 2019, aim - Improvement (Y:148784): [SEO] Google PageSpeed Insights improvement. Removed the 'combine,minify,optimize' option for the "Use speed-up tool for CSS" setting due to the changes in the 'Google PageSpeed Insights' algorithms.
[*] 11 Feb 2019, aim - Improvement (Y:148776): The field xcart_products.rating is now not updated when an order is placed to avoid query cache invalidation. Thanks to Abr.
[*] 04 Feb 2019, aim - Improvement (Y:148773): [Special_Offers] Huge optimization for the Special_Offers module.
[*] 29 Jan 2019, aim - Improvement (Y:148768): Core optimization related to x_load and xcart_config - db_fetch_all.
[*] 30 Oct 2018, aim - Improvement (Y:148730): Bot signatures updated. Added MJ12bot SEMrushBot and others. It helps to reduce the amount of MySQL queries. https://forum.x-cart.com/showpost.php?p=409355&postcount=25

*SECURITY*
[*] 25 Jan 2019, aim - Improvement (Y:148764): Possibility of SQL injection. Fixed.
[*] 16 Nov 2019, aim - Improvement (Y:148736): Updated PHPMailer version from 5.2.26 to 5.2.27. Fixed a potential security issue. (Stores with the setting 'Use SMTP server instead of internal PHP mailer' enabled are affected.)

*MISCELLANEOUS*
[*] 14 Mar 2019, aim - Improvement (Y:148798): Renamed Macedonia to North Macedonia.
[*] 14 Dec 2018, aim - Improvement (Y:148069): jQuery updated to version 3.4.0. (The previous jQuery version was shown to be a potential risk for Cross-Site Scripting attacks according to the results of a Trustwave scan performed by one of our clients. The update remedies the situation.)
[!] 04 Mar 2019, aim - Bug (Y:148742): PHP7.3 minor bugfix related to PCRE2. PHP7.3 critical bugfix related to PCRE2. Compilation failed: invalid range in character class at offset. Product_Options. Add option group. [PHP 73 compatible]
[!] 21 Feb 2019, aim - Bug (Y:148788): All the HTTPS modules except libCURL sometimes did not work correctly with the HTTP/1.1 100 Continue header. Fixed.
[!] 18 Jan 2019, aim - Bug (Y:148753): 'Automatically convert CSS to inline styles in HTML emails' did not work in PHP7.3 PHP73. Warning: preg_match(): Compilation failed: invalid range in character class at offset 4 in include/lib/cssin/vendor/simple_html_dom/simple_html_dom.php on line 1364. Fixed.

Eyeglasses Expert 04-25-2019 09:48 AM

Re: X-Cart 4.7.11 and Security Patches
 
Great, I will try this new version right away!
Does this version support php7.3?

mvs 04-25-2019 07:53 PM

Re: X-Cart 4.7.11 and Security Patches
 
Quote:

Originally Posted by Eyeglasses Expert
Great, I will try this new version right away!
Does this version support php7.3?

4.7.11 fully supports PHP 7.3.
Please let me know what you think about the release.

DanUK 04-26-2019 03:07 AM

Re: X-Cart 4.7.11 and Security Patches
 
I have an older 4.6.1. Patches work fine up until the jquery-min.js patch. It won't patch as it is different from what it is expecting, but if I just replace it, I get some oddities on the front end of the shop and also this message pops up on the admin side:

Quote:

blcckUI requires jQuery v1.2.3 or later! You are using v1.10.2

It has replaced v1.7.1 where it works normally if I reinstate it.

I'm guessing this will ultimately require tech support installation but just wondering if this message points to anything I can fix?

Thanks

Dan

aim 04-26-2019 04:34 AM

Re: X-Cart 4.7.11 and Security Patches
 
Quote:

Originally Posted by DanUK
I have an older 4.6.1. Patches work fine up until the jquery-min.js patch. It won't patch as it is different from what it is expecting, but if I just replace it, I get some oddities on the front end of the shop and also this message pops up on the admin side:

It has replaced v1.7.1 where it works normally if I reinstate it.

I'm guessing this will ultimately require tech support installation but just wondering if this message points to anything I can fix?

Thanks

Dan


Hello,

You can add the code
Code:

;jQuery.ajaxPrefilter( function( s ) { if ( s.crossDomain ) { s.contents.script = false; } } );

right at the end of the files
skin/common_files/lib/jquery-min.js
skin/common_files/lib/jquery-min.1x.js (if exists)

Thank you.

DanUK 04-26-2019 05:48 AM

Re: X-Cart 4.7.11 and Security Patches
 
Thanks Ildar, is that added to the existing file or the new one?

Dan

cjstancil 04-26-2019 06:11 AM

Re: X-Cart 4.7.11 and Security Patches
 
1 Attachment(s)
I'm manually applying the patch security-jquery-sql_injection-2019-04-25_4.7.10. When I patched the jquery-min.js file (which basically replaced the entire contents of that file if I understand this correctly) I'm getting a red X box in my cPanel File Manager editor saying that there's a missing semicolon.

Attached is a screen capture. Am I doing something wrong? I literally just deleted the old contents and replaced it with the patch file contents starting with !function...

aim 04-28-2019 08:48 PM

Re: X-Cart 4.7.11 and Security Patches
 
Hello Dan and Chuck,

The code
Code:

;jQuery.ajaxPrefilter( function( s ) { if ( s.crossDomain ) { s.contents.script = false; } } );

has to be added to the existing jquery-min.js

1) Make a backup of your skin/common_files/lib/jquery-min.js file.
2) Open it in a text editor
3) Add the code above right at the end of the file.
4) Apply the security-jquery-sql_injection-2019-04-25 patch to other files.

Thank you.

DanUK 04-29-2019 12:50 AM

Re: X-Cart 4.7.11 and Security Patches
 
Thanks, I have appended the code and it seems to work. I wasn't sure if the double semi-colon scenario is a problem. The file ends like this:

Code:

{return f})})(window);

and if I append the aforementioned code to it I get:

Code:

{return f})})(window);;jQuery.ajaxPrefilter( function( s ) { if ( s.crossDomain ) { s.contents.script = false; } } );

Is the double semi-colon a problem, i.e. should there be only one?

