Security bulletin 2009-12-02
Dear X-Cart customers,
During an internal security audit, a critical security issue was detected in X-Cart. The issue makes the software vulnerable to attackers who wish to gain access to the server file system. The solution is to remove the affected file.

SEVERITY
Critical

IMPACT
A malicious user can execute his own shell commands and, as a result, gain access to the server file system.

AFFECTED VERSIONS
X-Cart versions from 4.1.0 to 4.1.11. All X-Cart customers who are using these versions are encouraged to apply the fix described below.

SOLUTION
Delete the '<xcart_dir>/payment/cc_basia.php' file. This file refers to an outdated integration of the 'Bank of Asia' payment gateway, so its deletion will not cause any problems and will not affect your stores. The '<xcart_dir>' text means the server directory in which your X-Cart is installed. You can delete this file using FTP, SSH or the hosting control panel file manager.

NOTE: If you use a custom integration of the 'Bank of Asia' payment gateway or the '<xcart_dir>/payment/cc_basia.php' script, you should contact our support team for free help.

If you have any questions or concerns, please feel free to turn to the X-Cart support team via your Helpdesk.
Re: Security bulletin 2009-12-02
Hi Everyone,
I closed News&Announcements from public access for reading. This information is accessible by X-Cart license owners only.
Re: Security bulletin 2009-12-02
It appears the same cc_basia.php file exists in 4.2 also. Is it affected also?
Re: Security bulletin 2009-12-02
Quote:
v4.2.0 doesn't have this file. Please check the distribution package.
Re: Security bulletin 2009-12-02
My bad. I must have included it with the upgrade from 4.1.11. I deleted it anyway.
Re: Security bulletin 2009-12-02
Eugene,
Would it be wise to delete all cc_payment-gateway.php files that are not in use? There is no reason to have them if not used, AND it is RARE for a store to change payment gateways -- and if so, then a restore of the appropriate gateway is quite simple. What do you think?
Re: Security bulletin 2009-12-02
Quote:
I think it is a good idea. But it is important to mention the following things:
* please delete only the unnecessary 'cc_*.php/ch_*.php/ps_*.php' files. If you delete some other files, for example 'payment_cc.php', your payment gateway will not work
* it is necessary to restore these files or alter the upgrade pack, if you decide to upgrade
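The two steps discussed in this thread (remove payment/cc_basia.php from every store, then review the remaining per-gateway modules without touching shared files such as payment_cc.php) can be scripted for a hosting account with many X-Cart installs. The script below is an added example written for this page, not X-Cart's own code or any poster's; the payment/ paths and the cc_*/ch_*/ps_* naming come from the bulletin and the reply above, while the function names, the output format and any sample file names are assumptions made here.

```shell
#!/bin/sh
# Added example (not from X-Cart): audit one or more X-Cart directories for the
# file named in the 2009-12-02 bulletin and list the other per-gateway modules.
# Usage: sh xcart_gw_audit.sh /path/to/store1 /path/to/store2 ...

# Remove payment/cc_basia.php from the given X-Cart directory if it is present.
# Prints "removed" or "absent" and always returns 0, so a loop over many stores
# keeps going after a store that had already been fixed.
xcart_remove_basia() {
    dir="$1"
    f="$dir/payment/cc_basia.php"
    if [ -f "$f" ]; then
        rm -f "$f"
        echo "removed"
    else
        echo "absent"
    fi
    return 0
}

# Print the per-gateway module names (cc_*.php, ch_*.php, ps_*.php) found under
# payment/, one per line. Shared files such as payment_cc.php do not match these
# patterns, so they never appear in the candidate list for deletion.
xcart_list_gateway_modules() {
    dir="$1"
    for f in "$dir"/payment/cc_*.php "$dir"/payment/ch_*.php "$dir"/payment/ps_*.php; do
        # An unmatched glob is passed through literally; the -f test skips it.
        if [ -f "$f" ]; then
            basename "$f"
        fi
    done
    return 0
}

# Audit every directory given on the command line. Nothing is deleted here
# except cc_basia.php; the module list is printed for a human to review, since
# only the store owner knows which gateways are actually in use.
for store in "$@"; do
    if [ ! -d "$store/payment" ]; then
        echo "$store: no payment/ directory, skipping"
        continue
    fi
    echo "$store: cc_basia.php $(xcart_remove_basia "$store")"
    echo "$store: remaining gateway modules (review before deleting):"
    xcart_list_gateway_modules "$store" | sed 's/^/    /'
done
```

Run it over the document roots of all hosted stores; back up or re-download the upgrade pack first, since the reply above notes that deleted modules must be restored before a later upgrade.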
Re: Security bulletin 2009-12-02
We didn't get any email notice of this security problem. Did an email not go out? We always get the security notices. Usually we receive the same security email a couple of times actually. I'm glad I noticed this thread so we can update all of our hosted customers' accounts.
Thanks, Carrie
Re: Security bulletin 2009-12-02
Quote:
The newsletter sending has been started. Since the script sends a fixed number of emails per hour, it will take some time to send all the emails as we have many clients.
Re: Security bulletin 2009-12-02
Quote:
Two words: Mail Chimp