X-Cart: shopping cart software


ambal 11-24-2014 11:15 PM

Re: POODLE vulnerability in SSLv3
 
Seldomseen, please make sure your server cURL supports TLS 1.0/1.1 as well (check with your hosting admin).

Seldomseen 11-25-2014 11:51 AM

Re: POODLE vulnerability in SSLv3
 
Quote:

Originally Posted by ambal
Seldomseen, please make sure your server cURL supports TLS 1.0/1.1 as well (check with your hosting admin).


Yes according to the host - even tested it.

So far here is what I have done:

Prior to X-Pay ssl disable:

1. installed: remove_ssl3-2014-10-30_4.5.5

After failure when it was disabled:

1. Verified with host cURL version. They also installed a Perl module they thought may have been a dependency.

2. Verified installation of patch per Post #98. I also reviewed the DIFF provided in that post, but the version of cc_authorizenet.php is different than mine.

3. Reviewed modules specified in Post #115 for "use_ssl" string. I think these were a part of the patch, so nothing found.

4. Verified with host that TLS is supported by cURL.

I am not sure what to do at this point.

Thanks for your help.


Seldomseen 11-25-2014 10:51 PM

Re: POODLE vulnerability in SSLv3
 
My issue is now resolved. I somehow missed post #3 and needed to remove:

curl_setopt($ch, CURLOPT_SSLVERSION, 3);

from modules/XPayments_Connector/xpc_func.php.

ambal 11-25-2014 11:45 PM

Re: POODLE vulnerability in SSLv3
 
Quote:

Originally Posted by Seldomseen
My issue is now resolved. I somehow missed post #3 and needed to remove:

curl_setopt($ch, CURLOPT_SSLVERSION, 3);

from modules/XPayments_Connector/xpc_func.php.


Yep, the X-Payments connector patch was published at the very beginning of this thread. The thread was originally created to address POODLE in X-Payments, but after some time it became the "whole X-Cart community POODLE thread", so you could miss the point that for X-Payments you need to patch the X-Payments connector on the X-Cart side.

I am happy to know you figured it out after all! Have a great Cyber Monday next week!
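
The fix discussed above, as an added example that is not part of the original thread or of X-Cart's own code: a small Python scanner that searches PHP sources for hard-coded `CURLOPT_SSLVERSION` pins to SSLv2/SSLv3, like the line removed from xpc_func.php. The function names and the sample PHP are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Values that force SSLv2/SSLv3 in PHP cURL: the numeric forms 2 and 3 and
# the named constants CURL_SSLVERSION_SSLv2 / CURL_SSLVERSION_SSLv3.
PINNED = re.compile(
    r"curl_setopt\s*\(\s*[^,]+,\s*CURLOPT_SSLVERSION\s*,\s*"
    r"(?P<value>[23]|CURL_SSLVERSION_SSLv[23])\s*\)",
    re.IGNORECASE,
)

# Constructed sample input (not taken from any X-Cart file).
SAMPLE = """<?php
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_SSLVERSION, 3);
// curl_setopt($ch, CURLOPT_SSLVERSION, 3);
curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
curl_setopt(
    $ch, CURLOPT_SSLVERSION,
    CURL_SSLVERSION_SSLv3
);
"""

def find_ssl_pins(source):
    """Return (line_number, value) for each active call pinning SSLv2/SSLv3."""
    hits = []
    for match in PINNED.finditer(source):
        line_start = source.rfind("\n", 0, match.start()) + 1
        prefix = source[line_start:match.start()].lstrip()
        # Skip calls that sit behind a line comment or inside a docblock line.
        if prefix.startswith(("//", "#", "*")):
            continue
        line_number = source.count("\n", 0, match.start()) + 1
        hits.append((line_number, match.group("value")))
    return hits

def scan_tree(root):
    """Scan every *.php file under root; return (path, line_number, value)."""
    results = []
    for path in sorted(Path(root).rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        results.extend((str(path), n, v) for n, v in find_ssl_pins(text))
    return results

if __name__ == "__main__":
    found = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else find_ssl_pins(SAMPLE)
    for hit in found:
        print(*hit, sep=":")
```

Run it with the store's root directory as the only argument; with no argument it scans the embedded sample.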

simcomedia 01-05-2015 04:55 PM

Re: POODLE vulnerability in SSLv3
 
I have this exact issue. But, with a twist. About 6 weeks ago I 'patched' this Xcart with a security patch downloaded from the files area. Therefore the .diff file you've recommended above won't work on our cart since it states 'could not patch' when trying to upload and install it.

No orders can get through right now so we're really searching for a solution here.

I did download the complete Xpayments package your link pointed to on Google Drive. But it's unclear if I should:

1) upload these files and write over the existing, or
2) remove the current Xpayments folder/files and treat this like a new install
3) save all the various settings in Xpayments configuration as a precaution, then upload all the new files to overwrite existing, run the installation program, and somehow it will know it's an 'update' and not a new installation.

Any help would be magnificent. Thank you in advance.

cflsystems 01-05-2015 09:48 PM

Re: POODLE vulnerability in SSLv3
 
You just need to patch the files manually - http://help.x-cart.com/ - search for patching files

ambal 01-06-2015 02:46 AM

Re: POODLE vulnerability in SSLv3
 
> I did download the complete Xpayments package your link pointed to on Google
> Drive. But it's unclear if

Please do not get confused. The package you are referring to here is not X-Payments. It is the X-Payments connector module for X-Cart 4.x that needs to be installed instead of your current X-Cart 4.x X-Payments connector in X-Cart.

cherie 03-10-2015 05:41 PM

Re: POODLE vulnerability in SSLv3
 
Quote:

Originally Posted by Ksenia

NOT affected: 4.2.1 and earlier ; 4.6.5 (the latest currently) ; all versions of X-Cart 5.x

Applying these patches is a must if you use:
...
*UPS;

Looks like UPS turned off SSLv3 support and it broke fully-patched 4.0.19 and 4.1.12 stores, so a patch is needed for these versions after all.
  • 4.1 - Use the 4.2 patches
  • 4.0 - Manually patch the similarly named files found in /payment

cflsystems 03-10-2015 06:15 PM

Re: POODLE vulnerability in SSLv3
 
Yes finding the same today.

totaltec 03-12-2015 03:57 AM

Re: POODLE vulnerability in SSLv3
 
Quote:

Originally Posted by cflsystems
Yes finding the same today.

Me too, had several client sites whose UPS shipping went down.

