X-Cart: shopping cart software

X-Cart forums (https://forum.x-cart.com/index.php)
-   X-Payments issues & questions (https://forum.x-cart.com/forumdisplay.php?f=50)
-   -   POODLE vulnerability in SSLv3 (https://forum.x-cart.com/showthread.php?t=70268)

ambal 10-17-2014 07:27 AM

Re: POODLE vulnerability in SSLv3
 
> Will test out the new connector - when you say "It does support v1.0.6 but only for
> credit card processing.", what does it not support exactly?

Well, this is not a good thread to discuss that.

Everything we added in v2.x - PCI compliant credit card saving, recurring orders, PA-DSS 2.0, better API to work with shopping carts like X-Cart, etc. Just check our blog for X-Payments updates.

fwm 10-17-2014 08:21 AM

Re: POODLE vulnerability in SSLv3
 
Is there a patch needed for the Magento x-Payments connector?

-atm

QUOTE=ambal]Hi Everyone,

As you may already know right after OpenSSL Heartblead vulnerability a new one has been found in SSL protocol - POODLE.

The POODLE vulnerability is a weakness in version 3 of the SSL protocol that allows an attacker in a man-in-the-middle context to decipher the plain text content of an SSLv3 encrypted message.

You can read more about POODLE at
https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-poodle-sslv3-vulnerability

Please note - this is NOT a vulnerability in X-Payments or X-Payments connector modules for X-Cart. This is a vulnerability in ciphering software used by almost any server in the Internet to establish secure connections.

What needs to be done:

1) X-Cart 4 users - apply Attachment 3956 patch to your X-Cart that will disable forced use of SSLv3 and enable automatic selection of TLS or SSL so if your hosting provider disabled SSLv3 support for your X-Payments installation your X-Cart will be able to connect with X-Payments using TLS.

Or you can download our new connectors for X-Cart 4 at
https://drive.google.com/a/x-cart.com/folderview?id=0B6p7sehSZL8_akhxR0VwQ0dta2M&usp=dri ve_web#list

They have been updated today to have the patch out of the box.

X-Cart 5 users - install a new version of X-Payments connector as soon as we release it or remove this line of code:
PHP Code:

curl_setopt($chCURLOPT_SSLVERSION3); 

in file of X-Cart 5
classes/XLite/Module/CDev/XPaymentsConnector/Core/XPaymentsClient.php

UPD: X-Cart 5 patch - Attachment 3957

2) make sure your server where you run X-Cart uses cURL v 7.18.1 or newer.
If you use X-Payments Enterprise/Downloadable license - check the same for your X-Payments server.

If your cURL is older - update it.
If you have no idea what is cURL - consult with your hosting admin.

And since I mentioned the OpenSSL Heartbleed - check your OpenSSL version - it should be at least 1.0.1g[/quote]

ambal 10-17-2014 08:27 AM

Re: POODLE vulnerability in SSLv3
 
A very good blog post about the POODLE

https://blog.totalserversolutions.com/poodle-sslv3-vulnerability-breaks-browser-security/

tam10 10-17-2014 08:53 AM

Re: POODLE vulnerability in SSLv3
 
If i only use PayPal do i need the patch or it's not relevant to my cart?

random 10-17-2014 11:10 PM

Re: POODLE vulnerability in SSLv3
 
Quote:

Originally Posted by tam10
If i only use PayPal do i need the patch or it's not relevant to my cart?


If you are accepting PayPal payments through X-Payments then you definitely need this patch.

ADDISON 10-18-2014 03:29 AM

Re: POODLE vulnerability in SSLv3
 
If you are a sysadmin take a look to this article:

http://www.howtoforge.com/how-to-secure-your-ispconfig-3-server-against-the-poodle-ssl-attack

kevfromwiganinlancashire 10-18-2014 05:01 AM

Re: POODLE vulnerability in SSLv3
 
You can test here https://www.ssllabs.com/ssltest/

Kev

kevfromwiganinlancashire 10-18-2014 05:51 AM

Re: POODLE vulnerability in SSLv3
 
There is some good advice here too https://access.redhat.com/solutions/1232413

Happy to say I'm A- now (cert renewal will bring to A) :-)

cflsystems 10-18-2014 09:07 AM

Re: POODLE vulnerability in SSLv3
 
Careful with turning off SSL3 on server level as some 3rd party services and payment gateways may require SSL3. If this is disabled on server level you need to immediately test the site, all https pages and place test orders to make sure all work.

Thomasb134 10-18-2014 10:23 AM

Re: POODLE vulnerability in SSLv3
 
Quote:

You can test here https://www.ssllabs.com/ssltest/
Thanks for the link. I tried it on my server and it says "This server is not vulnerable to the POODLE attack because it doesn't support SSL 3." Looks like I dodged that bullet.


All times are GMT -8. The time now is 04:59 PM.

Powered by vBulletin Version 3.5.4
Copyright ©2000 - 2021, Jelsoft Enterprises Ltd.