X-Cart: shopping cart software

X-Cart forums (https://forum.x-cart.com/index.php)
-   News and Announcements (https://forum.x-cart.com/forumdisplay.php?f=28)
-   -   X-Cart 4.7.11 and Security Patches (https://forum.x-cart.com/showthread.php?t=76933)

mvs 04-25-2019 07:06 AM

X-Cart 4.7.11 and Security Patches
 
Hi fellow X-Carters,

We’ve just released X-Cart v4.7.11. We have also prepared some security patches for X-Cart v4.4.0 and higher. You might want to check out the blog post on both: https://www.x-cart.com/blog/x-cart-v4-7-11-and-security-patches.html

mvs 04-25-2019 07:21 AM

Re: X-Cart 4.7.11 and Security Patches
 
Changelog:

*BACKOFFICE*
[*] 22 Feb 2019, aim - Improvement (Y:148789): Main page :: Edit languages admin/languages.php did not work when there was a language cookie like en_US. Fixed.
[*] 31 Jan 2019, aim - Improvement (Y:148757): Multiple addresses are not allowed to be used in fields like 'Site administrator email address' / 'Users department email address' / '"From" email address'.
[*] 29 Jan 2019, aim - Improvement (Y:148769): Warning related to php.net/eol.php updated for PHP7.1.x.
[!] 30 Jan 2019, aim - Bug (Y:148746): The Admin area did not work behind Cloudflare. Fixed. The error was 'It seems your IP address has changed. For security reasons your user session has been terminated by the session protection mechanism (PROTECT_XID_BY_IP)'.....
[!] 29 Jan 2019, aim - Bug (Y:148767): PHP Fatal error related to the 'Delete all orders' feature: Uncaught Error: Call to undefined method XCCostChange::deleteOrder() in include/orders_deleteall.php:106. Fixed.

*USERS*
[*] 11 Feb 2019, aim - Improvement (Y:148779): Login history is now IPv6 compatible.

*PAYMENTS*
[*] 10 Apr 2019, aim - Improvement (Y:148766): Apple Pay/Visa Checkout is now available through the new Elavon Converge Hosted Payments Page payment gateway.
[*] 19 Feb 2019, aim - Improvement (Y:148783): [Socialize] Removed Google+ as deprecated. [Google plus]
[*] 12 Feb 2019, aim - Improvement (Y:148770): AuthorizeNet - SIM: Changed HMAC-MD5 to HMAC-SHA512 for Unique Transaction Fingerprint using a Signature Key https://support.authorize.net/s/article/What-is-a-Signature-Key
[*] 09 Feb 2019, aim - Improvement (Y:1487770: [Ingenico ePayments e-Commerce] (former Ogone - Web Based) updated to support UTF8 (International names).
[!] 14 Mar 2019, aim - Bug (Y:148797 B:0050537): [PayPal Payments Advanced / Partner Hosted with PCI Compliance][Payflow API] Error 'Field format error: Request is too large to process' for large carts. Fixed.
[!] 29 Jan 2019, aim - Bug (Y:148759): AuthorizeNet eCheck: Authorize.Net is phasing out the MD5 based hash use for transaction response verification in favor of the SHA-512 based hash utilizing a Signature Key. Adjusted.
[!] 11 Feb 2019, aim - Bug (Y:148778): [PayPal]. Sometimes orders failed with the error 'Declined: Payment amount mismatch: wrong order currency'. Fixed.
[!] 11 Feb 2019, aim - Bug (Y:148771): [PayPal] Website Payments Pro Hosted in mobile. Orders were declined sometimes. Fixed. Thanks to Chemisk.
[!] 01 Feb 2019, aim - Bug (Y:148739): [PayPal Express]. "Error Invalid Data: This transaction cannot be processed. The amount to be charged is zero". Orders paid partially with a Gift certificate were not processed via PayPal sometimes. Fixed. Thanks to Mixon.
[!] 29 Oct 2018, aim - Bug (Y:148728, B:0050101): [Sage Pay Go - Form protocol] did not work under PHP7.2/PHP7.3 with OpenSSL. Payment amount mismatch: wrong order total error related to VISA cards. Fixed.

*SHIPPING*
[*] 26 Feb 2019, aim - Improvement (Y:148625 B:0043214): For defined methods, the total order weight is now taken into account when real-time shipping calculation is disabled (so that the shipping methods with weight limits will show only when total cart weight is within the limits).
[!] 14 Jan 2019, aim - Bug (Y:148751): USPS Delivery to the United Kingdom/Swaziland/Guernsey/Isle of Man/Jersey/Tokelau was broken. Fixed.

*CHECKOUT*
[!] 19 Dec 2018, aim - Bug (Y:148740): [Amazon_Payments_Advanced] A wrong payment method was displayed in orders when the regular checkout flow was used. Fixed.

*MODULES/ADD-ONS*
*Advanced Customer Reviews*
[*] 16 Jan 2019, aim - Improvement (Y:148755): Advanced Customer Reviews and Customer Reviews are IPv6 compatible now.
*Amazon Feeds*
[*] 15 Mar 2019, aim - Improvement (Y:148799, Y:148793): [Amazon_Feeds] supports United Arab Emirates (U.A.E.) now. Changes for Canada and Mexico endpoints.
[*] 25 Jan 2019, aim - Improvement (Y:148737): [Amazon Feeds] Added the categories CellularPhoneCase/ScreenProtector, LightMotor/LightMotorVehicle, NetworkAdapter, Industrial/AdhesiveTapes. [Amazon_Feeds]
*Amazon Payments Advanced*
[*] 22 Mar 2019, aim - Improvement (Y:148800): [Amazon_Payments_Advanced] Amazon Pay Strong Customer Authentication (SCA). https://pay.amazon.com/uk/help/JE5KSJW4SFH2UM8#PSD2_SCA . [Second Payments Services Directive (PSD2)]
*Detailed Product Images*
[*] 26 Oct 2018, aim - Improvement (Y:148729): [Detailed Product Images] jQuery Colorbox widget updated from v1.3.15 to 1.6.4. Retina display support added.
*EU Cookie Law / GDPR-friendly*
[!] 11 Feb 2019, aim - Bug (Y:148780): [EU_Cookie_Law GDPR] REGEXP_REPLACE does not exist sql error. Fixed.
*Flyout Menus*
[!] 23 Jan 2019, aim - Bug (Y:148760): [Flyout Menus] Wrong product count was shown for a category when the setting 'Show products which are out of stock' was disabled. Fixed.
*Gift Certificates*
[!] 01 Feb 2019, aim - Bug (Y:148772): [Gift Certificates] There was no ability to unset certificates if the module 'Discount Coupons' was disabled. Fixed.
*Mailchimp*
[*] 07 Nov 2018, aim - Improvement (Y:148733): [Adv_Mailchimp_Subscription] A better text added on the 'Thank you for subscription' page. 'Please confirm subscription by clicking the "Yes, subscribe me to this list."....'
[!] 18 Dec 2018, aim - Bug (Y:148747, B:0050227): [Mailchimp] subscription was broken. "Timestamp_signup". "This value is not a valid datetime". Thanks to Joe Funderburg (Cherie).
*MultiCurrency*
[!] 18 Feb 2019, aim - Bug (Y:148782, B:0050472): [XMultiCurrency] Free API key is required now for http://free.currencyconverterapi.com/ service. Fixed. API version changed from v3 to v6.
*Product Notifications*
[!] 02 Apr 2019, aim - Bug (Y:148803, B:0050541): [Product Notifications] bug. Low stock notifications did not work. Fixed. [Product_Notifications]
*Survey*
[*] 16 Jan 2019, aim - Improvement (Y:148756): [Survey] module is IPv6 compatible now.
*TaxCloud*
[!] 08 Apr 2019, aim - Bug (Y:148805, B:0050579): [TaxCloud] Duplicate Lookup API calls. Fixed.
*X-PDF Invoices*
[*] 09 Apr 2019, aim - Improvement (Y:148806): [X-PDF] works on PHP7.3 now. mpdf has been updated from version 6.1.4 to 8.0.0. It requires, at the minimum, PHP version 5.6, and has been tested with PHP version up to 7.3. [XPDF]. Minor. [PHP 73 compatible][PHP 72 compatible][PHP 71 compatible].

*IMPORT/EXPORT*
[*] 18 Feb 2019, aim - Improvement (Y:148786): [Detailed Product Images] Images are now not duplicated during import.

*PERFORMANCE*
[*] 01 Apr 2019, aim - Improvement (Y:148802, B:0050565): Optimization for image.php.
[*] 25 Feb 2019, aim - Improvement (Y:148792): Small storefront optimization.
[*] 14 Feb 2019, aim - Improvement (Y:148784): [SEO] Google PageSpeed Insights improvement. Removed the 'combine,minify,optimize' option for the "Use speed-up tool for CSS" setting due to the changes in the 'Google PageSpeed Insights' algorithms.
[*] 11 Feb 2019, aim - Improvement (Y:148776): The field xcart_products.rating is now not updated when an order is placed to avoid query cache invalidation. Thanks to Abr.
[*] 04 Feb 2019, aim - Improvement (Y:148773): [Special_Offers] Huge optimization for the Special_Offers module.
[*] 29 Jan 2019, aim - Improvement (Y:148768): Core optimization related to x_load and xcart_config - db_fetch_all.
[*] 30 Oct 2018, aim - Improvement (Y:148730): Bot signatures updated. Added MJ12bot SEMrushBot and others. It helps to reduce the amount of MySQL queries. https://forum.x-cart.com/showpost.php?p=409355&postcount=25

*SECURITY*
[*] 25 Jan 2019, aim - Improvement (Y:148764): Possibility of SQL injection. Fixed.
[*] 16 Nov 2019, aim - Improvement (Y:148736): Updated PHPMailer version from 5.2.26 to 5.2.27. Fixed a potential security issue. (Stores with the setting 'Use SMTP server instead of internal PHP mailer' enabled are affected.)

*MISCELLANEOUS*
[*] 14 Mar 2019, aim - Improvement (Y:148798): Renamed Macedonia to North Macedonia.
[*] 14 Dec 2018, aim - Improvement (Y:148069): jQuery updated to version 3.4.0. (The previous jQuery version was shown to be a potential risk for Cross-Site Scripting attacks according to the results of a Trustwave scan performed by one of our clients. The update remedies the situation.)
[!] 04 Mar 2019, aim - Bug (Y:148742): PHP7.3 minor bugfix related to PCRE2. PHP7.3 critical bugfix related to PCRE2. Compilation failed: invalid range in character class at offset. Product_Options. Add option group. [PHP 73 compatible]
[!] 21 Feb 2019, aim - Bug (Y:148788): All the HTTPS modules except libCURL sometimes did not work correctly with the HTTP/1.1 100 Continue header. Fixed.
[!] 18 Jan 2019, aim - Bug (Y:148753): 'Automatically convert CSS to inline styles in HTML emails' did not work in PHP7.3 PHP73. Warning: preg_match(): Compilation failed: invalid range in character class at offset 4 in include/lib/cssin/vendor/simple_html_dom/simple_html_dom.php on line 1364. Fixed.

Eyeglasses Expert 04-25-2019 09:48 AM

Re: X-Cart 4.7.11 and Security Patches
 
Great, I will try this new version right away!
Does this version support PHP 7.3?

mvs 04-25-2019 07:53 PM

Re: X-Cart 4.7.11 and Security Patches
 
Quote:

Originally Posted by Eyeglasses Expert
Great, I will try this new version right away!
Does this version support PHP 7.3?

4.7.11 fully supports PHP 7.3
Please let me know what you think about the release.

DanUK 04-26-2019 03:07 AM

Re: X-Cart 4.7.11 and Security Patches
 
I have an older 4.6.1. Patches work fine up until the jquery-min.js patch. It won't patch as it is different from what it is expecting, but if I just replace it, I get some oddities on the front end of the shop and also this message pops up on the admin side:

Quote:

blcckUI requires jQuery v1.2.3 or later! You are using v1.10.2

It has replaced v1.7.1 where it works normally if I reinstate it.

I'm guessing this will ultimately require tech support installation but just wondering if this message points to anything I can fix?

Thanks

Dan

aim 04-26-2019 04:34 AM

Re: X-Cart 4.7.11 and Security Patches
 
Quote:

Originally Posted by DanUK
I have an older 4.6.1. Patches work fine up until the jquery-min.js patch. It won't patch as it is different from what it is expecting, but if I just replace it, I get some oddities on the front end of the shop and also this message pops up on the admin side:

It has replaced v1.7.1 where it works normally if I reinstate it.

I'm guessing this will ultimately require tech support installation but just wondering if this message points to anything I can fix?

Thanks

Dan

Hello,

You can add the code
Code:

;jQuery.ajaxPrefilter( function( s ) { if ( s.crossDomain ) { s.contents.script = false; } } );

right at the end of the files
skin/common_files/lib/jquery-min.js
skin/common_files/lib/jquery-min.1x.js (if exists)

Thank you.

DanUK 04-26-2019 05:48 AM

Re: X-Cart 4.7.11 and Security Patches
 
Thanks Ildar, is that added to the existing file or the new one?



Dan

cjstancil 04-26-2019 06:11 AM

Re: X-Cart 4.7.11 and Security Patches
 
1 Attachment(s)
I'm manually applying the patch security-jquery-sql_injection-2019-04-25_4.7.10. When I patched the jquery-min.js file (which basically replaced the entire contents of that file if I understand this correctly) I'm getting a red X box in my cPanel File Manager editor saying that there's a missing semicolon.

Attached is a screen capture. Am I doing something wrong? I literally just deleted the old contents and replaced it with the patch file contents starting with !function...

aim 04-28-2019 08:48 PM

Re: X-Cart 4.7.11 and Security Patches
 
Hello Dan and Chuck,

The code
Code:

;jQuery.ajaxPrefilter( function( s ) { if ( s.crossDomain ) { s.contents.script = false; } } );

has to be added to the existing jquery-min.js

1) Make a backup of your skin/common_files/lib/jquery-min.js file.
2) Open it in a text editor
3) Add the code above right at the end of the file.
4) Apply the security-jquery-sql_injection-2019-04-25 patch to other files.

Thank you.

DanUK 04-29-2019 12:50 AM

Re: X-Cart 4.7.11 and Security Patches
 
Thanks, I have appended the code and it seems to work. I wasn't sure if the double semi-colon scenario is a problem, file ends like this:

{return f})})(window);

and if I append the aforementioned code to it I get:

{return f})})(window);;jQuery.ajaxPrefilter( function( s ) { if ( s.crossDomain ) { s.contents.script = false; } } );

Is the underlined double semi-colon a problem i.e. should there be only one?

aim 04-29-2019 05:43 AM

Re: X-Cart 4.7.11 and Security Patches
 
The double semi-colon is not a problem.

Thank you.

Eyeglasses Expert 05-06-2019 05:19 AM

Re: X-Cart 4.7.11 and Security Patches
 
1 Attachment(s)
new installation errors:
Code:

xcart_data.sql .......

[FAILED]

Duplicate entry 'applied_patches' for key 'PRIMARY' at line sql/xcart_data.sql:168
INSERT INTO xcart_config VALUES ('applied_patches','All applied patches separated by comma','','',0,'text','','','','')

I am using php7.0, mysql 5.6, centos6.8

aim 05-06-2019 05:35 AM

Re: X-Cart 4.7.11 and Security Patches
 
Quote:

Originally Posted by Eyeglasses Expert
new installation errors:
Code:

xcart_data.sql .......

[FAILED]

Duplicate entry 'applied_patches' for key 'PRIMARY' at line sql/xcart_data.sql:168
INSERT INTO xcart_config VALUES ('applied_patches','All applied patches separated by comma','','',0,'text','','','','')

I am using php7.0, mysql 5.6, centos6.8

I have adjusted sql/xcart_data.sql
Sorry for that.
Please download the new package from your file area.

Thank you.

Dougrun 05-13-2019 07:52 AM

Re: X-Cart 4.7.11 and Security Patches
 
My Pay by Amazon fails now after the upgrade. It will authorize the charge, then give a "website not found" error and not finish the order. If I try and re-install it, it says my version does not match the version installed. 4.6.3 is what's in the file area.

mvs 05-13-2019 08:04 AM

Re: X-Cart 4.7.11 and Security Patches
 
Quote:

Originally Posted by Dougrun
My Pay by Amazon fails now after the upgrade. It will authorize the charge, then give a "website not found" error and not finish the order. If I try and re-install it, it says my version does not match the version installed. 4.6.3 is what's in the file area.

Thank you for reporting the problem. We will investigate the issue.

Dougrun 05-13-2019 08:19 AM

Re: X-Cart 4.7.11 and Security Patches
 
I also tried it with the 4.6.4 patch and same thing.

Tim Soles 05-14-2019 01:30 AM

Re: X-Cart 4.7.11 and Security Patches
 
We are currently testing using PHP 7 2.7 and SagePay is failing when using the Edge browser. Firefox and IE work OK. Haven't tried any other browsers.

When you click the Submit order button it goes to the SagePay site but there is a large 'Error Processing Transaction' message. The Status Detail is '5080: Form transaction registration failed'

Dougrun 05-14-2019 08:51 AM

Re: X-Cart 4.7.11 and Security Patches
 
Quote:

Originally Posted by Dougrun
I also tried it with the 4.6.4 patch and same thing.

The new payment_tab.tpl will not show the integration URLs when clicked; I switched back to the old version. Still broken though.

aim 05-14-2019 11:03 PM

Re: X-Cart 4.7.11 and Security Patches
 
Hello,

Quote:

Originally Posted by Dougrun
My Pay by Amazon fails now after the upgrade. It will authorize the charge, then give a "website not found" error and not finish the order. If I try and re-install it, it says my version does not match the version installed. 4.6.3 is what's in the file area.


I am working on it.
Don't use the old archives from the file area.
'Amazon Pay' module is in the kernel and isn't distributed separately.

Quote:

Originally Posted by Tim Soles
We are currently testing using PHP 7 2.7 and SagePay is failing when using the Edge browser. Firefox and IE work OK. Haven't tried any other browsers.

When you click the Submit order button it goes to the SagePay site but there is a large 'Error Processing Transaction' message. The Status Detail is '5080: Form transaction registration failed'


I cannot reproduce the problem on Edge version 42.17134.1.0
Could you post a new ticket here
https://bt.x-cart.com/bug_report_page.php?project_id=54&product_version=4.7.11

Thank you.

elmirage001 05-16-2019 10:44 AM

Re: X-Cart 4.7.11 and Security Patches
 
Just upgraded from 4.7.10 to 4.7.11 and the upgrade process was the easiest I've ever experienced on XC4 having started on v4.1.6

Nice improvements! Thank you X-Cart Team and Phil (reBOOT) !!

Paul

4.7.10 --> 4.7.11

PageSpeed Insights
----------------------
Mobile = 82 --> 88
Desktop = 96 --> 99

GTmetrix
-----------
PageSpeed = A 94% --> A 96%
YSlow = B 85% --> B 87%
Load = 1.9s --> 1.6s
Size = 615kb -->540kb
Requests = 24 --> 23

Lighthouse Mobile
-----------------------
Performance = 96 --> 100
Accessibility = 88 --> 93
Best Practices = 79 --> 79
SEO = 100 --> 100

mvs 05-17-2019 12:04 AM

Re: X-Cart 4.7.11 and Security Patches
 
Quote:

Originally Posted by elmirage001
Just upgraded from 4.7.10 to 4.7.11 and the upgrade process was the easiest I've ever experienced on XC4 having started on v4.1.6

Nice improvements! Thank you X-Cart Team and Phil (reBOOT) !!

Paul


Thank you, your feedback inspires and helps us to move forward together!

aim 05-23-2019 07:07 AM

Re: X-Cart 4.7.11 and Security Patches
 
Quote:

Originally Posted by Tim Soles
We are currently testing using PHP 7 2.7 and SagePay is failing when using the Edge browser. Firefox and IE work OK. Haven't tried any other browsers.

When you click the Submit order button it goes to the SagePay site but there is a large 'Error Processing Transaction' message. The Status Detail is '5080: Form transaction registration failed'


Hello,

We have localized the problem.

The solution is using a unique order prefix for different stores.

The order prefix can be set on the page like
https://site.com/admin/cc_processing.php?mode=update&cc_processor=cc_sagepay_frm.php

Thank you.

Dougrun 05-24-2019 12:26 PM

Re: X-Cart 4.7.11 and Security Patches
 
any progress on the pay by amazon bug?

mvs 05-25-2019 09:55 AM

Re: X-Cart 4.7.11 and Security Patches
 
Quote:

Originally Posted by Dougrun
any progress on the pay by amazon bug?


We solved the problem. But recently we received recommendations from Amazon on how to change the error handling workflow. We're going to roll out the new solution within 2 weeks, which includes fixes.

aim 06-13-2019 12:00 AM

Re: X-Cart 4.7.11 and Security Patches
 
Quote:

Originally Posted by Dougrun
any progress on the pay by amazon bug?


Hello,

I have uploaded the patches here
https://bt.x-cart.com/view.php?id=50781#attachments

Thank you.

Dougrun 06-13-2019 07:47 AM

Re: X-Cart 4.7.11 and Security Patches
 
any chance of getting fully patched files? the versions I have do not have some of the references in your diff file.

Dougrun 06-14-2019 11:26 AM

Re: X-Cart 4.7.11 and Security Patches
 
I updated the error I got using those files on your bugtracker

Dougrun 06-18-2019 01:22 PM

Re: X-Cart 4.7.11 and Security Patches
 
New files work, so 4.7.11 is working. My v5.3.6.1 shop still doesn't work so I have it disabled there. The checkout page opens but shipping charges never show, just spins endlessly.



Powered by vBulletin Version 3.5.4
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.