X-Cart: shopping cart software

X-Cart forums (https://forum.x-cart.com/index.php)
-   X-Payments issues & questions (https://forum.x-cart.com/forumdisplay.php?f=50)
-   -   POODLE vulnerability in SSLv3 (https://forum.x-cart.com/showthread.php?t=70268)

ambal 10-17-2014 05:58 AM

POODLE vulnerability in SSLv3
 
1 Attachment(s)
Hi Everyone,

This part is for those who does use X-Payments:

----------------
As you may already know right after OpenSSL Heartblead vulnerability a new one has been found in SSL protocol - POODLE.

The POODLE vulnerability is a weakness in version 3 of the SSL protocol that allows an attacker in a man-in-the-middle context to decipher the plain text content of an SSLv3 encrypted message.

You can read more about POODLE at
https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-poodle-sslv3-vulnerability

Please note - this is NOT a vulnerability in X-Payments or X-Payments connector modules for X-Cart. This is a vulnerability in ciphering software used by almost any server in the Internet to establish secure connections.

What needs to be done:

1) X-Cart 4 users - apply Attachment 3956 patch to your X-Cart that will disable forced use of SSLv3 and enable automatic selection of TLS or SSL so if your hosting provider disabled SSLv3 support for your X-Payments installation your X-Cart will be able to connect with X-Payments using TLS.

Or you can download our new connectors for X-Cart 4 at
https://drive.google.com/a/x-cart.com/folderview?id=0B6p7sehSZL8_akhxR0VwQ0dta2M&usp=dri ve_web#list

They have been updated today to have the patch out of the box.

X-Cart 5 users - install the latest version of X-Payments connector available at the X-Cart 5 Marketplace.

2) make sure your server where you run X-Cart uses cURL v 7.18.1 or newer.
If you use X-Payments Enterprise/Downloadable license - check the same for your X-Payments server.

If your cURL is older - update it.
If you have no idea what is cURL - consult with your hosting admin.

And since I mentioned the OpenSSL Heartbleed - check your OpenSSL version - it should be at least 1.0.1g

--------------------

If you do not use X-Payments - go straight at http://forum.x-cart.com/showpost.php?p=379153&postcount=57

cflsystems 10-17-2014 06:04 AM

Re: POODLE vulnerability in SSLv3
 
Where is the patch Alex?

ambal 10-17-2014 06:07 AM

Re: POODLE vulnerability in SSLv3
 
Quote:

Originally Posted by cflsystems
Where is the patch Alex?


In the original message, Steve.

cflsystems 10-17-2014 06:08 AM

Re: POODLE vulnerability in SSLv3
 
I guess you just changed the original message while I was typing :) It is different now

Thanks

ambal 10-17-2014 06:11 AM

Re: POODLE vulnerability in SSLv3
 
Quote:

Originally Posted by cflsystems
I guess you just changed the original message while I was typing :) It is different now

Thanks


Yep, I was typing this long message and forgot to attach the file, but I noticed that immediately after the post had been made and edited the message.

xcel 10-17-2014 06:47 AM

Re: POODLE vulnerability in SSLv3
 
Does this effect all XC users? If I'm not using X-Payments or X-Payments connector modules do I need to worry about this?

Mark N 10-17-2014 06:47 AM

Re: POODLE vulnerability in SSLv3
 
Can't seem to get this patch to apply - looks like the xpc_func.php I have is different - I haven't applied any customizations to this file but it doesn't appear to match what is in the diff - here is my version info of the file (running XC 4.6.3):

* @version 58ab7bdc89b3d4cd894ef7d853bcc6f0c4dcca6b, v101 (xcart_4_6_2), 2014-02-03 17:25:33, xpc_func.php, aim

I'm nervous about putting a new connector in place, have seen conflicting information about whether or not it supports X-Payments 1.0.6. Can you clarify Alex?

-Mark

ambal 10-17-2014 06:57 AM

Re: POODLE vulnerability in SSLv3
 
> Does this effect all XC users? If I'm not using X-Payments or X-Payments connector
> modules do I need to worry about this?

I would say the POODLE affects really everyone in the Internet. This is a bug in SSL v3 protocol. It is not X-Cart or X-Payments related only.

ambal 10-17-2014 07:06 AM

Re: POODLE vulnerability in SSLv3
 
Mark,

Quote:

Originally Posted by Mark N
Can't seem to get this patch to apply - looks like the xpc_func.php I have is different - I haven't applied any customizations to this file but it doesn't appear to match what is in the diff - here is my version info of the file (running XC 4.6.3):

* @version 58ab7bdc89b3d4cd894ef7d853bcc6f0c4dcca6b, v101 (xcart_4_6_2), 2014-02-03 17:25:33, xpc_func.php, aim



In order to make the change manually in file
modules/XPayments_Connector/xpc_func.php

find a line of code
curl_setopt($ch, CURLOPT_SSLVERSION, 3);

and remove it.

If you see near the above line of code this:
curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'DEFAULT');
remove this, too.

Quote:

Originally Posted by Mark N
I'm nervous about putting a new connector in place, have seen conflicting information about whether or not it supports X-Payments 1.0.6. Can you clarify Alex?


It does support v1.0.6 but only for credit card processing. Anyways, we always recommend to test new modules before letting them go live. E.g. on a test server.

Mark N 10-17-2014 07:19 AM

Re: POODLE vulnerability in SSLv3
 
Thanks for the quick response - made the changes suggested and tested after disabling SSLv3, all looks good now. Will test out the new connector - when you say "It does support v1.0.6 but only for credit card processing.", what does it not support exactly?

ambal 10-17-2014 07:27 AM

Re: POODLE vulnerability in SSLv3
 
> Will test out the new connector - when you say "It does support v1.0.6 but only for
> credit card processing.", what does it not support exactly?

Well, this is not a good thread to discuss that.

Everything we added in v2.x - PCI compliant credit card saving, recurring orders, PA-DSS 2.0, better API to work with shopping carts like X-Cart, etc. Just check our blog for X-Payments updates.

fwm 10-17-2014 08:21 AM

Re: POODLE vulnerability in SSLv3
 
Is there a patch needed for the Magento x-Payments connector?

-atm

QUOTE=ambal]Hi Everyone,

As you may already know right after OpenSSL Heartblead vulnerability a new one has been found in SSL protocol - POODLE.

The POODLE vulnerability is a weakness in version 3 of the SSL protocol that allows an attacker in a man-in-the-middle context to decipher the plain text content of an SSLv3 encrypted message.

You can read more about POODLE at
https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-poodle-sslv3-vulnerability

Please note - this is NOT a vulnerability in X-Payments or X-Payments connector modules for X-Cart. This is a vulnerability in ciphering software used by almost any server in the Internet to establish secure connections.

What needs to be done:

1) X-Cart 4 users - apply Attachment 3956 patch to your X-Cart that will disable forced use of SSLv3 and enable automatic selection of TLS or SSL so if your hosting provider disabled SSLv3 support for your X-Payments installation your X-Cart will be able to connect with X-Payments using TLS.

Or you can download our new connectors for X-Cart 4 at
https://drive.google.com/a/x-cart.com/folderview?id=0B6p7sehSZL8_akhxR0VwQ0dta2M&usp=dri ve_web#list

They have been updated today to have the patch out of the box.

X-Cart 5 users - install a new version of X-Payments connector as soon as we release it or remove this line of code:
PHP Code:

curl_setopt($chCURLOPT_SSLVERSION3); 

in file of X-Cart 5
classes/XLite/Module/CDev/XPaymentsConnector/Core/XPaymentsClient.php

UPD: X-Cart 5 patch - Attachment 3957

2) make sure your server where you run X-Cart uses cURL v 7.18.1 or newer.
If you use X-Payments Enterprise/Downloadable license - check the same for your X-Payments server.

If your cURL is older - update it.
If you have no idea what is cURL - consult with your hosting admin.

And since I mentioned the OpenSSL Heartbleed - check your OpenSSL version - it should be at least 1.0.1g[/quote]

ambal 10-17-2014 08:27 AM

Re: POODLE vulnerability in SSLv3
 
A very good blog post about the POODLE

https://blog.totalserversolutions.com/poodle-sslv3-vulnerability-breaks-browser-security/

tam10 10-17-2014 08:53 AM

Re: POODLE vulnerability in SSLv3
 
If i only use PayPal do i need the patch or it's not relevant to my cart?

random 10-17-2014 11:10 PM

Re: POODLE vulnerability in SSLv3
 
Quote:

Originally Posted by tam10
If i only use PayPal do i need the patch or it's not relevant to my cart?


If you are accepting PayPal payments through X-Payments then you definitely need this patch.

ADDISON 10-18-2014 03:29 AM

Re: POODLE vulnerability in SSLv3
 
If you are a sysadmin take a look to this article:

http://www.howtoforge.com/how-to-secure-your-ispconfig-3-server-against-the-poodle-ssl-attack

kevfromwiganinlancashire 10-18-2014 05:01 AM

Re: POODLE vulnerability in SSLv3
 
You can test here https://www.ssllabs.com/ssltest/

Kev

kevfromwiganinlancashire 10-18-2014 05:51 AM

Re: POODLE vulnerability in SSLv3
 
There is some good advice here too https://access.redhat.com/solutions/1232413

Happy to say I'm A- now (cert renewal will bring to A) :-)

cflsystems 10-18-2014 09:07 AM

Re: POODLE vulnerability in SSLv3
 
Careful with turning off SSL3 on server level as some 3rd party services and payment gateways may require SSL3. If this is disabled on server level you need to immediately test the site, all https pages and place test orders to make sure all work.

Thomasb134 10-18-2014 10:23 AM

Re: POODLE vulnerability in SSLv3
 
Quote:

You can test here https://www.ssllabs.com/ssltest/
Thanks for the link. I tried it on my server and it says "This server is not vulnerable to the POODLE attack because it doesn't support SSL 3." Looks like I dodged that bullet.

cflsystems 10-18-2014 11:57 AM

Re: POODLE vulnerability in SSLv3
 
XC uses SSL 3 in these files as well

func.https_X.php

where X is libcurl, curl, openssl, ssleay

It is OFF by default but other code in XC may set it to true when used. Solution will be to find the line in the file that sets the option for SSL3 and comment it out for example in

func.https_libcurl.php there is this

PHP Code:

if ($use_ssl3)
        
curl_setopt ($chCURLOPT_SSLVERSION3); 


so just comment it out

PHP Code:

//   if ($use_ssl3)
       // curl_setopt ($ch, CURLOPT_SSLVERSION, 3); 


This is untested so make sure you do some test orders if changing it

QT can we get clarification on this and a patch for XC if possible

shwekhaw 10-19-2014 07:53 AM

Re: POODLE vulnerability in SSLv3
 
We edited conf file to exclude SSLv3 from SSLProtocol. We did online test and it passes. Do we still need to patch X-payment connector files?

ambal 10-19-2014 11:15 PM

Re: POODLE vulnerability in SSLv3
 
Quote:

Originally Posted by shwekhaw
We edited conf file to exclude SSLv3 from SSLProtocol. We did online test and it passes. Do we still need to patch X-payment connector files?


Yes, if you use X-Payments. This thread was originally created about dealing with the POODLE in X-Payments.

xim 10-20-2014 12:11 AM

Re: POODLE vulnerability in SSLv3
 
Quote:

Originally Posted by cflsystems
XC uses SSL 3 in these files as well

func.https_X.php

where X is libcurl, curl, openssl, ssleay

It is OFF by default but other code in XC may set it to true when used. Solution will be to find the line in the file that sets the option for SSL3 and comment it out for example in

func.https_libcurl.php there is this

PHP Code:

if ($use_ssl3)
        
curl_setopt ($chCURLOPT_SSLVERSION3); 


so just comment it out

PHP Code:

//   if ($use_ssl3)
       // curl_setopt ($ch, CURLOPT_SSLVERSION, 3); 


This is untested so make sure you do some test orders if changing it

QT can we get clarification on this and a patch for XC if possible


This is the correct patch.

Our team is working on the 4.6.5 release planned to this week. This version will have the necessary corrections to do not use SSLv3

ambal 10-20-2014 03:05 AM

Re: POODLE vulnerability in SSLv3
 
Re: Magento users of X-Payments

Nothing needed to be patched in the connector module as our Magento connector for X-Payments relies on using built-in Magento HTTPS module. So I advise to check with Magento regarding whether or not Magento needs to be patched.

mcanitano 10-20-2014 10:11 AM

Re: POODLE vulnerability in SSLv3
 
We are having an issue with this on XC 4.5.5.

We installed the newest X-Payments Connector, and received the following errors in: x-errors_xpay_connector-xxxxxx.php

Code:

[20-Oct-2014 13:29:34] xpay_connector message:
    X-Payments error (code: 1514): The merchantEmail field is missing or incorrect
Request URI: /payment/payment_cc.php
Backtrace:
/.../modules/XPayments_Connector/xpc_func.php:2257
/.../modules/XPayments_Connector/xpc_func.php:2223
/.../modules/XPayments_Connector/xpc_func.php:1948
/.../modules/XPayments_Connector/xpc_func.php:1941
/.../modules/XPayments_Connector/xpc_func.php:417
/.../payment/cc_xpc.php:574
/.../payment/payment_cc.php:347

-------------------------------------------------
[20-Oct-2014 13:29:34] xpay_connector message:
    Internal error.
Request URI: /payment/payment_cc.php
Backtrace:
/.../modules/XPayments_Connector/xpc_func.php:2257
/.../modules/XPayments_Connector/xpc_func.php:1997
/.../modules/XPayments_Connector/xpc_func.php:1950
/.../modules/XPayments_Connector/xpc_func.php:1941
/.../modules/XPayments_Connector/xpc_func.php:417
/.../payment/cc_xpc.php:574
/.../payment/payment_cc.php:347

-------------------------------------------------


Then in x-errors_payments-xxxxxx.php:

Code:

[20-Oct-2014 13:29:34] PAYMENTS message:
    Payment processing failure.
    Login: [PRIVATE]
    IP: [PRIVATE]
    ----
    Payment method: Credit Card (X-Payments: Authorize.Net AIM)
    bill_output = Array
    (
        [cvvmes] => not set /
        {code} => 2
        [billmes] => Internal error (I)
    )
    original_bill_output = Array
    (
        [cvvmes] => not set /
        {code} => 2
        [billmes] => Internal error (I)
    )
Request URI: /payment/payment_cc.php
Backtrace:
/.../payment/payment_ccmid.php:459
/.../payment/payment_ccend.php:48
/.../payment/payment_cc.php:349

-------------------------------------------------


EDIT: We successfully reverted to old setup, but would still like to know how to fix the above errors.

hdpixel 10-20-2014 01:32 PM

Re: POODLE vulnerability in SSLv3
 
I fixed two stores using this fix. Thank you so much.

X-cart 4.54 and 4.52 with x-payment 1.06.

Dougrun 10-21-2014 08:01 AM

Re: POODLE vulnerability in SSLv3
 
for those not using xpayments, im on 4.6.4, i added

SSLProtocol all -SSLv2 -SSLv3

to my pre-virtual host include file on apache,
pre_virtualhost_global.conf

passed the test, This is a CENTOS 6.4 x86_64 standard godaddy dedicated server.

tam10 10-21-2014 08:12 AM

Re: POODLE vulnerability in SSLv3
 
I past the test
"This server is not vulnerable to the POODLE attack because it doesn't support SSL 3"

Does it mean i do not need to do anything?

I did fall this (what is it?)

IE 6 / XP No FS 1 No SNI 2 Protocol or cipher suite mismatch

Chris B 10-21-2014 09:27 PM

Re: POODLE vulnerability in SSLv3
 
We are having trouble with an x-cart installation using Version 4.5.5 with X-PAYMENTS v.1.0.2.

After turning off SSL3 on the server we no longer had the ability to enter credit card information within the checkout process.

We therefore patched our x-cart installation manually by:


1.) removing the line of code

curl_setopt($ch, CURLOPT_SSLVERSION, 3);

from

modules/XPayments_Connector/xpc_func.php


We did not see the following line within our version of x-cart:

curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'DEFAULT');

So this step was bypassed.


2.) We then tested with no luck.

3.) We then Removed

if ($use_ssl3)
curl_setopt ($ch, CURLOPT_SSLVERSION, 3);


from the func.https_X.php file and tested again. Still no luck

4.) We then installed the newest X-Payments Connector, and white screened the entire cart.

Any suggestions?

DanUK 10-22-2014 01:04 AM

Re: POODLE vulnerability in SSLv3
 
OK, our hosts says they turned off SSLv3 on our server and the https://www.ssllabs.com/ssltest/ says we are not vulnerable to it.

Luckily we are still taking orders, no one has complained about inaccessible https pages over the past few days and https *appears* to be working ok. The only exception is one machine running Internet Explorer 11 where https pages give a 'page cannnot be displayed' and asks the user to change the settings to allow TLS etc This has got me a little worried although the same version IE on the other machines in the office are OK. I thought it was only earlier versions of IE that are affected?

Also, if it is disabled on the server do I also need to run the patch for my stores if everything is working ok?

Thanks

cherie 10-25-2014 10:45 AM

Re: POODLE vulnerability in SSLv3
 
This is a bigger issue with X-Cart than just X-Payments though another thread was told to look here. For example, 4.3.2 and Authorize.net AIM now fails since Authorize.net turned off SSLv3 support. cflsystems' recommendation to disable SSLv3 is the generic fix but I'm surprised there hasn't been an official patch for some older versions of X-Cart, at least 4.3 and 4.4, and this thread should be moved to an appropriate area.

EDIT: The example of 4.3.2 and Authorize.net is incorrect. This setup appears to still be working fine.

Chris B 10-25-2014 01:58 PM

Re: POODLE vulnerability in SSLv3
 
Obviously, after turning off SSL3 on the server we no longer had the ability to enter credit card information within the checkout process.

We then patched our x-cart Version 4.5.5 using X-PAYMENTS v.1.0.2 manually by:

1.) removing the line of code

curl_setopt($ch, CURLOPT_SSLVERSION, 3);

from

modules/XPayments_Connector/xpc_func.php

We did not see the following line within our version of x-cart:

curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'DEFAULT');

So this step was bypassed.


2.) We then Removed

if ($use_ssl3)
curl_setopt ($ch, CURLOPT_SSLVERSION, 3);

from

func.https_X.php file

3.) As per x-cart tech support, we then made sure our servers were running cURL v 7.18.1 or newer.


That was all we did and everything is working fine once again.


I hope this helps someone else.

tam10 10-26-2014 06:40 AM

Re: POODLE vulnerability in SSLv3
 
The hosts ​
​ disabled use of the SSLv3 protocol on hosting servers.​


​I do not use x-payment only the standard PayPal,
But on IE 11 can't place order (no https)
How do i fix it?

Thank you.


ambal 10-27-2014 11:14 PM

Re: POODLE vulnerability in SSLv3
 
Chris,

> ... using X-PAYMENTS v.1.0.2

Not sure if you know it but it is a very old X-Payments v1.x version and you should upgrade to 1.0.6 or 2.1.1

manningbrothers 10-28-2014 08:45 AM

Re: POODLE vulnerability in SSLv3
 
Quote:

Originally Posted by cherie
This is a bigger issue with X-Cart than just X-Payments though another thread was told to look here. For example, 4.3.2 and Authorize.net AIM now fails since Authorize.net turned off SSLv3 support. cflsystems' recommendation to disable SSLv3 is the generic fix but I'm surprised there hasn't been an official patch for some older versions of X-Cart, at least 4.3 and 4.4, and this thread should be moved to an appropriate area.

EDIT: The example of 4.3.2 and Authorize.net is incorrect. This setup appears to still be working fine.

I just got an email from Authorize.net stating that "on November 4, 2014, we will be disabling the use of SSLv3 within our systems. This means that if your website or shopping cart solution uses SSLv3 to send transactions to Authorize.Net, you will no longer be able to process transactions." We are using them on XC 4.3.2 and 4.4.2.. That explains why auth.net is still functioning for the moment, but what should we do before 11/4? Any help would be greatly appreciated.

moonslice 10-28-2014 04:50 PM

Re: POODLE vulnerability in SSLv3
 
What about using x-cart 4.4.5 without x-payments - just a direct use of AuthorizeNet AIM under payment gateways? It looks like the second option only applies to x-payments - but will the patch in #1 work even without x-payments?

Quote:

What needs to be done:

1) X-Cart 4 users - apply Attachment 3956 patch to your X-Cart that will disable forced use of SSLv3 and enable automatic selection of TLS or SSL so if your hosting provider disabled SSLv3 support for your X-Payments installation your X-Cart will be able to connect with X-Payments using TLS.

Or you can download our new connectors for X-Cart 4 at
https://drive.google.com/a/x-cart.com/folderview?id=0B6p7sehSZL8_akhxR0VwQ0dta2M&usp=dri ve_web#list

cflsystems 10-28-2014 05:43 PM

Re: POODLE vulnerability in SSLv3
 
See post #21 above, I think but not sure if you get all of these that should be enough

moonslice 10-28-2014 06:00 PM

Re: POODLE vulnerability in SSLv3
 
Thanks so much for your help.

So I should do the things in post #21 and also install the patch in post #1?

I downloaded the patch listed in post #1 - xc4_xp_no_force_ssl3.diff, and then uploaded it to my shop root directory, but when I go to patch/upgrade in 4.4.5, it doesn't show up as available for patching.

cflsystems 10-28-2014 06:10 PM

Re: POODLE vulnerability in SSLv3
 
The diff file will not show on that page, use the section for applying patches o that same page and specify the file


All times are GMT -8. The time now is 06:20 PM.

Powered by vBulletin Version 3.5.4
Copyright ©2000 - 2021, Jelsoft Enterprises Ltd.