X-Cart: shopping cart software

X-Cart forums (https://forum.x-cart.com/index.php)
-   News and Announcements (https://forum.x-cart.com/forumdisplay.php?f=28)
-   -   security-patch-2007-06-20 (https://forum.x-cart.com/showthread.php?t=31988)

carpeperdiem 06-21-2007 07:50 AM

security-patch-2007-06-20
 
There is a new security patch, identified as "SEVERITY: Critical", for users of 4.1.7.

It should be in your file area.

security-patch-2007-06-20

One comment:

In the install instructions, it states:
Quote:

2. If the version of your X-Cart is 4.1.7, replace the file <xcart_dir>/include/login.php with the file include/login.php from this patch.
If you have a modified login.php, you must not do this, and instead, do a compare and manually decide what code to upgrade.

CDSEO, "Remember Me" and other mods/hacks (including a redirect to a static page after logout) all have modified login.php, so don't forget to backup, and be careful out there.

Thank you to x-cart for the patch -- (for those of us using 4.1.7 that are not prepared to upgrade to 4.1.8 just yet)
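
Added example, not from the original thread and not X-Cart's own code: a POSIX shell helper that implements the install note above. It compares the installed <xcart_dir>/include/login.php against a pristine copy from the 4.1.7 distribution and against the patched file, drops the patch in only when the installed file is untouched, and otherwise backs the file up and writes two unified diffs (site changes vs. pristine, vendor changes vs. pristine) for a manual merge. All paths and the backup layout are assumptions. The pristine copy must come from the same 4.1.7 release: as the thread notes further down, login.php changed between releases without a changelog entry, so a copy from an older 4.1.x will misclassify a clean 4.1.7 file as modified.

```shell
#!/bin/sh
# Added example (not X-Cart's code): classify the installed include/login.php
# before applying a vendor security patch, so a locally modified file is never
# silently overwritten. All paths are assumptions; adjust for your installation.

# classify_file INSTALLED PRISTINE PATCHED
# Prints one of:
#   already-patched : installed file is byte-identical to the patched one
#   replace         : installed file is identical to the pristine 4.1.7 copy,
#                     so the patched file can be dropped in as-is
#   manual-merge    : installed file carries local changes; merge by hand
classify_file() {
  installed=$1
  pristine=$2
  patched=$3
  if cmp -s "$installed" "$patched"; then
    echo already-patched
  elif cmp -s "$installed" "$pristine"; then
    echo replace
  else
    echo manual-merge
  fi
}

# apply_patch INSTALLED PRISTINE PATCHED BACKUP_DIR
# Always backs the installed file up first, then replaces it only in the
# "replace" case. In the manual-merge case it writes two diffs into BACKUP_DIR:
#   local.diff  = what the site changed relative to pristine (your mods/hacks)
#   vendor.diff = what the patch changes relative to pristine (the security fix)
# Returns 0 if the file is patched afterwards, 1 if a manual merge is needed.
apply_patch() {
  installed=$1
  pristine=$2
  patched=$3
  backup=$4
  mkdir -p "$backup"
  cp -p "$installed" "$backup/$(basename "$installed").$(date +%Y%m%d%H%M%S)"
  case "$(classify_file "$installed" "$pristine" "$patched")" in
    already-patched)
      return 0 ;;
    replace)
      cp "$patched" "$installed"
      return 0 ;;
    manual-merge)
      # diff exits 1 when the files differ, which is the expected case here
      diff -u "$pristine" "$installed" > "$backup/local.diff" || true
      diff -u "$pristine" "$patched"   > "$backup/vendor.diff" || true
      return 1 ;;
  esac
}

# Usage: ./check_login_patch.sh <installed> <pristine-4.1.7> <patched> <backup-dir>
if [ "$#" -ge 4 ]; then
  apply_patch "$@"
fi
```

Run it against the three files before touching the live shop; a non-zero exit means the file has local changes (Remember Me, logout redirect, CDSEO hooks and the like) and you should port the hunks in vendor.diff onto your version by hand rather than copying the patched file over it.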

Jon 06-21-2007 08:54 AM

Re: security-patch-2007-06-20
 
Note that CDSEO by default does not modify login.php, only a custom hack in carpeperdiem's site does :)

carpeperdiem 06-21-2007 09:09 AM

Re: security-patch-2007-06-20
 
Jon,

What custom hack is that? Should I open a ticket? Did the "old" cdseo not get removed when you made this version 2?

Thanks

Jeremy

Jon 06-21-2007 10:00 AM

Re: security-patch-2007-06-20
 
It was an issue with your site only. I'll PM you so as not to take this thread off topic.

oates 06-21-2007 11:22 AM

Re: security-patch-2007-06-20
 
So, just to be sure: only 4.1.7 is affected, not previous 4.1.x releases?

thanks

carpeperdiem 06-21-2007 03:35 PM

Re: security-patch-2007-06-20
 
Quote:

Originally Posted by Jon
It was an issue with your site only. I'll PM you so as not to take this thread off topic.


Thank you, Jon, for your help here... turns out we were able to remove all cdseo code from my login.php file

For anyone keeping score, it looks like there were changes to login.php since February 2007 (not documented in the changelog), and this negated the cdseo code required to do the "confirmation page at logout hack".

I installed this new security-patch-2007-06-20, added the "remember me" code, added a minor "logout redirect" hack, and all's fine.

Anyone who's hacked their login.php may want to revisit this file, since it appears x-cart made some undocumented improvements that allowed me to remove a bunch of unnecessary code. Thank you, I guess. ;)

bigredseo 06-26-2007 11:42 AM

Re: security-patch-2007-06-20
 
Just bringing up the previous posting:

Quote:

Originally Posted by oates
So, just to be sure: only 4.1.7 is affected, not previous 4.1.x releases?

So, was this ONLY for 4.1.7 or all 4.1.x versions?

carpeperdiem 06-26-2007 12:15 PM

Re: security-patch-2007-06-20
 
The way I read it, yes, for 4.1.7 only. Maybe x-cart can clarify?

Ene 06-26-2007 08:59 PM

Re: security-patch-2007-06-20
 
Quote:

Originally Posted by carpeperdiem
The way I read it, yes, for 4.1.7 only. Maybe x-cart can clarify?


You're right.
This security patch is for 4.1.7 only.


All times are GMT -8.