X-Cart forums - News and Announcements - Security bulletin 4 Aug 2009
(https://forum.x-cart.com/showthread.php?t=48992)

Ene 08-04-2009 06:00 AM

Security bulletin 4 Aug 2009
 
During internal audit activities we found a moderate security issue that makes X-Cart potentially
vulnerable to attackers who wish to gain access to the application back-end.

The following security improvement has been included in this update:
- protection from XSS attacks.

SEVERITY:
Moderate

IMPACT
Malicious users may inject active content (for instance JavaScript) into the application to fool users in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user.

AFFECTED VERSIONS
All X-Cart versions

SOLUTION
We strongly recommend that you apply the security fix to secure your store.

To apply this patch, follow the instructions below:

1) Download the security patch (the security-patch-2009-08-04_***.tgz archive file, e.g. security-patch-2009-08-04_4.2.2.tgz) from the "File area" section of your HelpDesk account.

You can find the patch by the following path:
* For X-Cart 4.2.2 version:
X-Cart -> X-Cart 4.2.2 (current version) -> Updates and patches

* For all the other versions:
X-Cart -> X-Cart supporting files for prev versions -> {Your X-Cart branch} -> {Your X-Cart version} -> Updates and patches

2) Decompress the archive file.
The following folders will be extracted:
/DIFF-xcart - contains DIFF files to patch customized X-Cart files
/xcart - contains the X-Cart files with fixed vulnerability.

Note:
A DIFF file is a file containing the difference between two files. In our case the DIFF file contains the changes made to the current file, obtained by comparing it to a former version of the same file.

There are 2 ways to install the patch:
a) place the fixed files over the current ones;
b) manual installation using DIFF files.

3) Back up the corresponding files in your X-Cart before patching the store.

4) If the files from the xcart directory have not been modified in your X-Cart, you may use the first method of applying the patch. This way the files from the patch will overwrite the same files in your X-Cart.
Copy the files from the patch into your X-Cart installation via FTP or another tool that you usually use to manage files on your web server. The copied files will replace the original ones that contain the vulnerability, thus fixing it.

NOTE: The patch overwrites the files completely, i.e. they revert to the default versions. If you made any changes or customizations to the files, make sure you re-implement the changes after the patch has been applied, or install the patch manually instead.

5) If the files have been modified, it is recommended to apply the patch manually using the DIFF files. This way you will keep your modifications intact. To learn about this installation method, please see the article in the Helpdesk FAQs at
https://secure.qtmsoft.com/customer.php?area=info&target=view_faq_question&subject=1073741899

ATTN: If you are running X-Cart 3.3.x or earlier, please contact our tech support directly. They will provide you with a free patch for your particular version.

If you face any problems during or after the installation, feel free to contact our support team for help.

Please note: all the issues fixed by the current patch have already been corrected in the newest X-Cart 4.3.0 version.
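The procedure above, steps 3 to 5, carried out and then checked, as an added example that is not X-Cart's own tooling: it backs up every affected store file, overwrites the ones you have not customized (method a), reports customized ones so their DIFF can be applied by hand (method b), and then answers "is the fix in place?" by comparing the store against the shipped fixed copies. Only the archive layout (xcart/, DIFF-xcart/) and the template path named later in this thread come from the page; the function names and the sandbox contents are constructed.

```python
"""Added example, not X-Cart's own tooling: carry out the bulletin's procedure
(back up, overwrite unmodified files, report customized ones for the DIFF
route) and verify the fix landed. Only the archive layout and the template
path come from the thread; functions and sandbox contents are constructed."""
import filecmp, shutil, tempfile
from pathlib import Path

TPL = Path("skin1/modules/Advanced_Statistics/advanced_stats.tpl")  # named in the thread

def fixed_files(patch_dir):
    """Relative paths of every fixed file shipped under <patch>/xcart."""
    root = patch_dir / "xcart"
    return sorted(p.relative_to(root) for p in root.rglob("*") if p.is_file())

def apply_patch(patch_dir, store, backup, customized=()):
    """Steps 3-5: back up each affected store file, then overwrite it with the
    fixed copy, except files the admin lists as customized: those are left
    untouched and reported so DIFF-xcart/<file> can be applied by hand."""
    report = {"overwritten": [], "needs_diff": [], "missing": []}
    for rel in fixed_files(patch_dir):
        target = store / rel
        if not target.exists():                  # file absent from this store
            report["missing"].append(str(rel)); continue
        (backup / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(target, backup / rel)       # restorable copy, always
        if str(rel) in customized:
            report["needs_diff"].append(str(rel)); continue
        shutil.copy2(patch_dir / "xcart" / rel, target)
        report["overwritten"].append(str(rel))
    return report

def verify_patch(patch_dir, store):
    """'Is the fix in place?': fixed files whose store copy is absent or still
    differs byte-for-byte. An empty list means every shipped file is installed."""
    return [str(rel) for rel in fixed_files(patch_dir)
            if not (store / rel).exists()
            or not filecmp.cmp(store / rel, patch_dir / "xcart" / rel, shallow=False)]

def demo(customized=False):
    """Run the procedure in a throwaway sandbox holding placeholder content
    (constructed, not real template code); return (before, report, after)."""
    with tempfile.TemporaryDirectory() as d:
        store, patch, backup = (Path(d) / n for n in ("store", "patch", "bak"))
        for base, text in ((store, "<!-- constructed: old -->\n"),
                           (patch / "xcart", "<!-- constructed: fixed -->\n")):
            (base / TPL).parent.mkdir(parents=True)
            (base / TPL).write_text(text)
        before = verify_patch(patch, store)
        report = apply_patch(patch, store, backup, [str(TPL)] if customized else ())
        return before, report, verify_patch(patch, store)
```

On a real store, run verify_patch against the extracted archive and the document root after uploading; a non-empty list names the files that still carry the old content.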

ambal 08-04-2009 06:03 AM

Re: Security bulletin 4 Aug 2009
 
Hi guys,

I closed News&Announcements for anonymous access for a while.
Un-registered visitors are not able to see this announcement.

carpeperdiem 08-04-2009 06:21 AM

Re: Security bulletin 4 Aug 2009
 
Eugene,

Since this patch only affects one file (at least for version 4.1.9):

/skin1/modules/Advanced_Statistics/advanced_stats.tpl

If Advanced Stats were disabled, was there ever a vulnerability?

I've had a few xcart users ask me this...

Thanks.

Jeremy

Ene 08-04-2009 06:55 AM

Re: Security bulletin 4 Aug 2009
 
Quote:

Since this patch only affects one file (at least for version 4.1.9):

/skin1/modules/Advanced_Statistics/advanced_stats.tpl


The patch for all versions affects this file only.

Quote:

If Advanced Stats were disabled, was there ever a vulnerability?

No. If the Advanced Stats module is disabled and you don't use it, you are safe. However you may be in danger if you enable it later.

geckoday 08-04-2009 07:18 AM

Re: Security bulletin 4 Aug 2009
 
I have spot checked a couple of versions and all are the same one-file patch, and all require advanced stats to be turned on to include the patched tpl, so there is no vulnerability if advanced stats is turned off. OTOH, PCI-DSS requires applying vendor security patches within 30 days of release. This patch is so simple it's not going to conflict with most any store's mods, so just apply it and be done with it.

MBA 08-06-2009 04:59 PM

Re: Security bulletin 4 Aug 2009
 
Can you guys email these out? Maybe have us opt-in for security updates or marketing updates or something? Thanks.

cflsystems 08-06-2009 05:17 PM

Re: Security bulletin 4 Aug 2009
 
You can do that in your forum profile.

Ene 08-07-2009 12:09 AM

Re: Security bulletin 4 Aug 2009
 
Quote:

Can you guys email these out? Maybe have us opt-in for security updates or marketing updates or something? Thanks.

The email was sent to all our clients who subscribed for the 'Security alerts and advisory' newsletter.


(We sent it via Mailchimp. Thank you carpeperdiem, you were right and it is a great tool)

swifty1 08-25-2009 10:49 AM

Re: Security bulletin 4 Aug 2009
 
Hi Ene

Quote:

The email was sent to all our clients who subscribed for the 'Security alerts and advisory' newsletter.


Where do I do this?

Thanks for the detailed description on how to apply the patch.
I have applied the patch to my site; how do I check to make sure that all is well with my site?

Ene 08-26-2009 12:59 AM

Re: Security bulletin 4 Aug 2009
 
Quote:

Where do I do this?

Please enter your HelpDesk area and go to the 'Manage accounts -> Edit self profile' page.

Quote:

I have applied the patch to my site; how do I check to make sure that all is well with my site?

Did you mean checking whether the store is functioning correctly, or whether the security issue is solved?
