X-Cart: shopping cart software

POODLE vulnerability in SSLv3 (https://forum.x-cart.com/showthread.php?t=70268)

peakay 11-17-2014 12:32 PM

Re: POODLE vulnerability in SSLv3
 
Ksenia (or anyone else),

What if any patches need to be made to 4.1.8 connecting to PayPal for credit card processing? I've read through each page of this thread and am not coming up with a clear answer.

Thanks!

Quote:

Originally Posted by Ksenia
The list of patches available:

remove_ssl3-2014-10-30_4.2.3.tgz
remove_ssl3-2014-10-30_4.3.2.tgz
remove_ssl3-2014-10-30_4.4.5.tgz
remove_ssl3-2014-10-30_4.5.0.tgz
remove_ssl3-2014-10-30_4.5.1.tgz
remove_ssl3-2014-10-30_4.5.2.tgz
remove_ssl3-2014-10-30_4.5.3.tgz
remove_ssl3-2014-10-30_4.5.4.tgz
remove_ssl3-2014-10-30_4.5.5.tgz
remove_ssl3-2014-10-30_4.6.0.tgz
remove_ssl3-2014-10-30_4.6.1.tgz
remove_ssl3-2014-10-30_4.6.2.tgz
remove_ssl3-2014-10-30_4.6.3.tgz
remove_ssl3-2014-10-30_4.6.4.tgz


The users of X-Cart 4.3.0 and 4.3.1 should use the patch for v.4.3.2.
The users of X-Cart 4.4.0 - 4.4.4 should use the patch for v.4.4.5.

Most probably you will be able to apply the patch as is. But a little patch adaptation for this version may be required.


zone1creative 11-19-2014 01:15 AM

Re: POODLE vulnerability in SSLv3
 
Hi. When you say 'PayPal Advanced', does this cover PayPal Express and not PayPal Standard?

Or is this for paypal login only?

aim 11-19-2014 03:19 AM

Re: POODLE vulnerability in SSLv3
 
Quote:

Originally Posted by peakay
Ksenia (or anyone else),

What if any patches need to be made to 4.1.8 connecting to PayPal for credit card processing? I've read through each page of this thread and am not coming up with a clear answer.

Thanks!


Do you have the stock 4.1.8 https modules?
include/func/func.https_curl.php
include/func/func.https_openssl.php
include/func/func.https_libcurl.php
include/func/func.https_ssleay.php

Do you have the 'use_ssl' string in the files?

Code:

aim-server[~/www/xcart_4_6_x]$ grep -r  use_ssl ~/www/xcart/4_6_3_gold/include/func/func.https*
/home/aim/www/xcart/4_6_3_gold/include/func/func.https_curl.php:function func_https_request_curl($method, $url, $data="", $join="&", $cookie="", $conttype="application/x-www-form-urlencoded", $referer="", $cert="", $kcert="", $headers="", $timeout = 0, $use_ssl3 = false)
/home/aim/www/xcart/4_6_3_gold/include/func/func.https_curl.php:    if ($use_ssl3)
/home/aim/www/xcart/4_6_3_gold/include/func/func.https_libcurl.php:function func_https_request_libcurl($method, $url, $data="", $join="&", $cookie="", $conttype="application/x-www-form-urlencoded", $referer="", $cert="", $kcert="", $headers="", $timeout = 0, $use_ssl3 = false)
/home/aim/www/xcart/4_6_3_gold/include/func/func.https_libcurl.php:    return func_request_libcurl($method, $url, $data, $join, $cookie, $conttype, $referer, $cert, $kcert, $headers, $timeout, $use_ssl3, true);
/home/aim/www/xcart/4_6_3_gold/include/func/func.https_libcurl.php:function func_request_libcurl($method, $url, $data="", $join="&", $cookie="", $conttype="application/x-www-form-urlencoded", $referer="", $cert="", $kcert="", $headers="", $timeout = 0, $use_ssl3 = false, $_https=true)
/home/aim/www/xcart/4_6_3_gold/include/func/func.https_libcurl.php:    if ($use_ssl3)
/home/aim/www/xcart/4_6_3_gold/include/func/func.https_openssl.php:function func_https_request_openssl($method, $url, $data="", $join="&", $cookie="", $conttype="application/x-www-form-urlencoded", $referer="", $cert="", $kcert="", $headers="", $timeout = 0, $use_ssl3 = false)
/home/aim/www/xcart/4_6_3_gold/include/func/func.https_openssl.php:    if ($use_ssl3)
/home/aim/www/xcart/4_6_3_gold/include/func/func.https_ssleay.php:function func_https_request_ssleay($method, $url, $data="", $join="&", $cookie="", $conttype="application/x-www-form-urlencoded", $referer="", $cert="", $kcert="", $headers="", $timeout = 0, $use_ssl3 = false)
/home/aim/www/xcart/4_6_3_gold/include/func/func.https_ssleay.php:    $execline .= " $ui[host] $ui[port] " . ($use_ssl3 ? '1' : '0') . ' ' . func_shellquote($cert) . ' ' . func_shellquote($kcert) . ' < ' . func_shellquote($tmpfile) . ' 2>' . func_shellquote($ignorefile);
aim-server[~/www/xcart_4_6_x]$
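
An added example, not part of aim's post or of X-Cart's code: the same check as a script that also tells a module that is absent apart from one that was searched and came up empty. The file names are the four listed in the post; the function name, status words and return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the four stock HTTPS modules named in the thread for
# the 'use_ssl' string. Status words and return codes are made up here.
# Usage: audit_use_ssl /path/to/xcart

MODULES="func.https_curl.php func.https_libcurl.php func.https_openssl.php func.https_ssleay.php"

# Prints one line per module:
#   REFERENCED <file> <n>  file contains 'use_ssl' on n lines
#   CLEAN <file>           file exists and does not mention it
#   MISSING <file>         file not found, so a silent grep proves nothing
# Returns 0 if no module found contains the string, 1 if any does,
# 2 if none of the modules exist (wrong path or non-stock layout).
audit_use_ssl() {
    root=$1
    found=0
    flagged=0
    for m in $MODULES; do
        f="$root/include/func/$m"
        if [ ! -f "$f" ]; then
            echo "MISSING $m"
            continue
        fi
        found=$((found + 1))
        # grep -c exits 1 on zero matches; keep the count, ignore the status
        hits=$(grep -cF 'use_ssl' "$f" || true)
        if [ "$hits" -gt 0 ]; then
            flagged=$((flagged + 1))
            echo "REFERENCED $m $hits"
        else
            echo "CLEAN $m"
        fi
    done
    if [ "$found" -eq 0 ]; then return 2; fi
    if [ "$flagged" -gt 0 ]; then return 1; fi
    return 0
}
```

A MISSING line or return code 2 means the search did not cover that module, which is different from the module having been read and containing no match.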


aim 11-19-2014 03:21 AM

Re: POODLE vulnerability in SSLv3
 
Quote:

Originally Posted by zone1creative
Hi. When you say 'PayPal Advanced', does this cover PayPal Express and not PayPal Standard?

Or is this for paypal login only?


This is PayPal Advanced payment method only.

peakay 11-19-2014 09:53 AM

Re: POODLE vulnerability in SSLv3
 
Quote:

Originally Posted by aim
Do you have the stock 4.1.8 https modules?
include/func/func.https_curl.php
include/func/func.https_openssl.php
include/func/func.https_libcurl.php
include/func/func.https_ssleay.php

Do you have the 'use_ssl' string in the files?


Thank you - let me check.

peakay 11-19-2014 09:59 AM

Re: POODLE vulnerability in SSLv3
 
Quote:

Originally Posted by aim
Do you have the stock 4.1.8 https modules?
include/func/func.https_curl.php
include/func/func.https_openssl.php
include/func/func.https_libcurl.php
include/func/func.https_ssleay.php

Do you have the 'use_ssl' string in the files?


I opened each of these through CPanel file manager and did a Find on use_ssl - could not find it in the code.

Does this mean we are safe? Thanks for your time.

aim 11-19-2014 07:49 PM

Re: POODLE vulnerability in SSLv3
 
Quote:

Originally Posted by peakay
I opened each of these through CPanel file manager and did a Find on use_ssl - could not find it in the code.

Does this mean we are safe? Thanks for your time.


You are safe.

ambal 11-19-2014 11:52 PM

Re: POODLE vulnerability in SSLv3
 
Yesterday we disabled SSLv3 at X-Payments servers.

peakay 11-20-2014 07:32 AM

Re: POODLE vulnerability in SSLv3
 
Quote:

Originally Posted by aim
You are safe.


Thank you, sir!

Seldomseen 11-24-2014 12:43 PM

Re: POODLE vulnerability in SSLv3
 
Help. X-Pay stopped working when SSL3 was disabled.

Xcart 4.5.5
Applied remove ssl3 patch

# curl -V
curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz

logged error:

[23-Nov-2014 00:06:19] PAYMENTS message:
Payment processing failure.
Login: xxxxxx@gmail.com
IP: xx.x.xx.xxx
----
Payment method: X-Payments: Authorize.Net AIM (X-Payments: Authorize.Net AIM)
bill_output = Array
(
[cvvmes] => not set /
[code] => 2
[billmes] => Internal error (Response is not valid.<br />Check logs.)
)
original_bill_output = Array
(
[cvvmes] => not set /
[code] => 2
[billmes] => Internal error (Response is not valid.<br />Check logs.)
)
Request URI: /payment/payment_cc.php
Backtrace:
/payment/payment_ccmid.php:459
/payment/payment_ccend.php:48
/payment/payment_cc.php:342


All times are GMT -8.