
X-Cart forums (https://forum.x-cart.com/index.php)
-   X-Payments issues & questions (https://forum.x-cart.com/forumdisplay.php?f=50)
-   -   POODLE vulnerability in SSLv3 (https://forum.x-cart.com/showthread.php?t=70268)

ambal 10-17-2014 05:58 AM

POODLE vulnerability in SSLv3
 
Hi Everyone,

This part is for those who use X-Payments:

----------------
As you may already know, right after the OpenSSL Heartbleed vulnerability a new one has been found in the SSL protocol: POODLE.

The POODLE vulnerability is a weakness in version 3 of the SSL protocol that allows an attacker in a man-in-the-middle context to decipher the plain text content of an SSLv3 encrypted message.

You can read more about POODLE at
https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-poodle-sslv3-vulnerability

Please note - this is NOT a vulnerability in X-Payments or X-Payments connector modules for X-Cart. This is a vulnerability in ciphering software used by almost any server in the Internet to establish secure connections.

What needs to be done:

1) X-Cart 4 users - apply the Attachment 3956 patch to your X-Cart. It will disable forced use of SSLv3 and enable automatic selection of TLS or SSL, so if your hosting provider disabled SSLv3 support for your X-Payments installation, your X-Cart will be able to connect with X-Payments using TLS.

Or you can download our new connectors for X-Cart 4 at
https://drive.google.com/a/x-cart.com/folderview?id=0B6p7sehSZL8_akhxR0VwQ0dta2M&usp=drive_web#list

They have been updated today to have the patch out of the box.

X-Cart 5 users - install the latest version of X-Payments connector available at the X-Cart 5 Marketplace.

2) make sure your server where you run X-Cart uses cURL v 7.18.1 or newer.
If you use X-Payments Enterprise/Downloadable license - check the same for your X-Payments server.

If your cURL is older - update it.
If you have no idea what cURL is - consult with your hosting admin.

And since I mentioned the OpenSSL Heartbleed - check your OpenSSL version - it should be at least 1.0.1g

--------------------

If you do not use X-Payments - go straight to http://forum.x-cart.com/showpost.php?p=379153&postcount=57

cflsystems 10-17-2014 06:04 AM

Re: POODLE vulnerability in SSLv3
 
Where is the patch Alex?

ambal 10-17-2014 06:07 AM

Re: POODLE vulnerability in SSLv3
 
Quote:

Originally Posted by cflsystems
Where is the patch Alex?


In the original message, Steve.

cflsystems 10-17-2014 06:08 AM

Re: POODLE vulnerability in SSLv3
 
I guess you just changed the original message while I was typing :) It is different now

Thanks

ambal 10-17-2014 06:11 AM

Re: POODLE vulnerability in SSLv3
 
Quote:

Originally Posted by cflsystems
I guess you just changed the original message while I was typing :) It is different now

Thanks


Yep, I was typing this long message and forgot to attach the file, but I noticed that immediately after the post had been made and edited the message.

xcel 10-17-2014 06:47 AM

Re: POODLE vulnerability in SSLv3
 
Does this affect all XC users? If I'm not using X-Payments or X-Payments connector modules do I need to worry about this?

Mark N 10-17-2014 06:47 AM

Re: POODLE vulnerability in SSLv3
 
Can't seem to get this patch to apply - looks like the xpc_func.php I have is different - I haven't applied any customizations to this file but it doesn't appear to match what is in the diff - here is my version info of the file (running XC 4.6.3):

* @version 58ab7bdc89b3d4cd894ef7d853bcc6f0c4dcca6b, v101 (xcart_4_6_2), 2014-02-03 17:25:33, xpc_func.php, aim

I'm nervous about putting a new connector in place, have seen conflicting information about whether or not it supports X-Payments 1.0.6. Can you clarify Alex?

-Mark

ambal 10-17-2014 06:57 AM

Re: POODLE vulnerability in SSLv3
 
> Does this effect all XC users? If I'm not using X-Payments or X-Payments connector
> modules do I need to worry about this?

I would say POODLE really affects everyone on the Internet. This is a bug in the SSL v3 protocol. It is not X-Cart or X-Payments related only.

ambal 10-17-2014 07:06 AM

Re: POODLE vulnerability in SSLv3
 
Mark,

Quote:

Originally Posted by Mark N
Can't seem to get this patch to apply - looks like the xpc_func.php I have is different - I haven't applied any customizations to this file but it doesn't appear to match what is in the diff - here is my version info of the file (running XC 4.6.3):

* @version 58ab7bdc89b3d4cd894ef7d853bcc6f0c4dcca6b, v101 (xcart_4_6_2), 2014-02-03 17:25:33, xpc_func.php, aim



In order to make the change manually in file
modules/XPayments_Connector/xpc_func.php

find a line of code
curl_setopt($ch, CURLOPT_SSLVERSION, 3);

and remove it.

If you see near the above line of code this:
curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'DEFAULT');
remove this, too.

Quote:

Originally Posted by Mark N
I'm nervous about putting a new connector in place, have seen conflicting information about whether or not it supports X-Payments 1.0.6. Can you clarify Alex?


It does support v1.0.6 but only for credit card processing. Anyway, we always recommend testing new modules, e.g. on a test server, before letting them go live.

Mark N 10-17-2014 07:19 AM

Re: POODLE vulnerability in SSLv3
 
Thanks for the quick response - made the changes suggested and tested after disabling SSLv3, all looks good now. Will test out the new connector - when you say "It does support v1.0.6 but only for credit card processing.", what does it not support exactly?

ambal 10-17-2014 07:27 AM

Re: POODLE vulnerability in SSLv3
 
> Will test out the new connector - when you say "It does support v1.0.6 but only for
> credit card processing.", what does it not support exactly?

Well, this is not a good thread to discuss that.

Everything we added in v2.x - PCI compliant credit card saving, recurring orders, PA-DSS 2.0, better API to work with shopping carts like X-Cart, etc. Just check our blog for X-Payments updates.

fwm 10-17-2014 08:21 AM

Re: POODLE vulnerability in SSLv3
 
Is there a patch needed for the Magento x-Payments connector?

-atm

Quote:

Originally Posted by ambal
Hi Everyone,

As you may already know, right after the OpenSSL Heartbleed vulnerability a new one has been found in the SSL protocol: POODLE.

The POODLE vulnerability is a weakness in version 3 of the SSL protocol that allows an attacker in a man-in-the-middle context to decipher the plain text content of an SSLv3 encrypted message.

You can read more about POODLE at
https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-poodle-sslv3-vulnerability

Please note - this is NOT a vulnerability in X-Payments or X-Payments connector modules for X-Cart. This is a vulnerability in ciphering software used by almost any server in the Internet to establish secure connections.

What needs to be done:

1) X-Cart 4 users - apply the Attachment 3956 patch to your X-Cart. It will disable forced use of SSLv3 and enable automatic selection of TLS or SSL, so if your hosting provider disabled SSLv3 support for your X-Payments installation, your X-Cart will be able to connect with X-Payments using TLS.

Or you can download our new connectors for X-Cart 4 at
https://drive.google.com/a/x-cart.com/folderview?id=0B6p7sehSZL8_akhxR0VwQ0dta2M&usp=drive_web#list

They have been updated today to have the patch out of the box.

X-Cart 5 users - install a new version of the X-Payments connector as soon as we release it, or remove this line of code:
PHP Code:

curl_setopt($ch, CURLOPT_SSLVERSION, 3);

in the X-Cart 5 file
classes/XLite/Module/CDev/XPaymentsConnector/Core/XPaymentsClient.php

UPD: X-Cart 5 patch - Attachment 3957

2) make sure your server where you run X-Cart uses cURL v 7.18.1 or newer.
If you use X-Payments Enterprise/Downloadable license - check the same for your X-Payments server.

If your cURL is older - update it.
If you have no idea what is cURL - consult with your hosting admin.

And since I mentioned the OpenSSL Heartbleed - check your OpenSSL version - it should be at least 1.0.1g

ambal 10-17-2014 08:27 AM

Re: POODLE vulnerability in SSLv3
 
A very good blog post about the POODLE

https://blog.totalserversolutions.com/poodle-sslv3-vulnerability-breaks-browser-security/

tam10 10-17-2014 08:53 AM

Re: POODLE vulnerability in SSLv3
 
If i only use PayPal do i need the patch or it's not relevant to my cart?

random 10-17-2014 11:10 PM

Re: POODLE vulnerability in SSLv3
 
Quote:

Originally Posted by tam10
If i only use PayPal do i need the patch or it's not relevant to my cart?


If you are accepting PayPal payments through X-Payments then you definitely need this patch.

ADDISON 10-18-2014 03:29 AM

Re: POODLE vulnerability in SSLv3
 
If you are a sysadmin take a look to this article:

http://www.howtoforge.com/how-to-secure-your-ispconfig-3-server-against-the-poodle-ssl-attack

kevfromwiganinlancashire 10-18-2014 05:01 AM

Re: POODLE vulnerability in SSLv3
 
You can test here https://www.ssllabs.com/ssltest/

Kev

kevfromwiganinlancashire 10-18-2014 05:51 AM

Re: POODLE vulnerability in SSLv3
 
There is some good advice here too https://access.redhat.com/solutions/1232413

Happy to say I'm A- now (cert renewal will bring to A) :-)

cflsystems 10-18-2014 09:07 AM

Re: POODLE vulnerability in SSLv3
 
Careful with turning off SSL3 on server level as some 3rd party services and payment gateways may require SSL3. If this is disabled on server level you need to immediately test the site, all https pages and place test orders to make sure all work.

Thomasb134 10-18-2014 10:23 AM

Re: POODLE vulnerability in SSLv3
 
Quote:

You can test here https://www.ssllabs.com/ssltest/
Thanks for the link. I tried it on my server and it says "This server is not vulnerable to the POODLE attack because it doesn't support SSL 3." Looks like I dodged that bullet.

cflsystems 10-18-2014 11:57 AM

Re: POODLE vulnerability in SSLv3
 
XC uses SSL 3 in these files as well

func.https_X.php

where X is libcurl, curl, openssl, ssleay

It is OFF by default but other code in XC may set it to true when used. The solution will be to find the line in the file that sets the option for SSL3 and comment it out. For example, in

func.https_libcurl.php there is this:

PHP Code:

if ($use_ssl3)
    curl_setopt ($ch, CURLOPT_SSLVERSION, 3);


so just comment it out

PHP Code:

// if ($use_ssl3)
//     curl_setopt ($ch, CURLOPT_SSLVERSION, 3);


This is untested so make sure you do some test orders if changing it

QT can we get clarification on this and a patch for XC if possible
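
As an added example (not X-Cart or X-Payments code) covering both the original post's prerequisites (cURL 7.18.1 or newer, OpenSSL 1.0.1g or newer) and the `CURLOPT_SSLVERSION` line this post and the original tell you to remove: a PHP check of the cURL/OpenSSL build PHP is actually using, plus a handle that negotiates TLS instead of forcing SSLv3. The function names and the constructed `curl_version()` array are mine; the thresholds are the thread's.

```php
<?php
// Added example, not X-Cart/X-Payments code: the two version checks the thread
// asks for and a cURL handle that no longer forces SSLv3. Thresholds (7.18.1,
// 1.0.1g) come from the thread; function names are the example's own.

// Compare OpenSSL-style versions such as "1.0.1e" vs "1.0.1g": numeric parts
// first, then the trailing patch letter. version_compare() does not rank the
// letter correctly, hence a small custom comparison.
function openssl_version_cmp($a, $b) {
    $parse = function ($v) {
        if (!preg_match('/^(\d+(?:\.\d+)*)([a-z]*)/', $v, $m)) {
            return array(array(0), '');
        }
        return array(array_map('intval', explode('.', $m[1])), $m[2]);
    };
    list($na, $la) = $parse($a);
    list($nb, $lb) = $parse($b);
    $len = max(count($na), count($nb));
    for ($i = 0; $i < $len; $i++) {
        $x = isset($na[$i]) ? $na[$i] : 0;
        $y = isset($nb[$i]) ? $nb[$i] : 0;
        if ($x != $y) {
            return $x < $y ? -1 : 1;
        }
    }
    return strcmp($la, $lb); // "" < "a" < ... < "g"
}

// $cv is the array curl_version() returns; passing one in lets the check be
// exercised against constructed values instead of the live build.
function tls_prereqs(array $cv = null) {
    if ($cv === null) {
        $cv = curl_version();
    }
    $problems = array();
    // version_number is packed as 0xXXYYZZ, so 7.18.1 is 0x071201.
    if ($cv['version_number'] < 0x071201) {
        $problems[] = "cURL {$cv['version']} is older than 7.18.1";
    }
    // ssl_version looks like "OpenSSL/1.0.1e"; other SSL backends are not checked.
    if (preg_match('#^OpenSSL/(\S+)#', $cv['ssl_version'], $m)
        && openssl_version_cmp($m[1], '1.0.1g') < 0) {
        $problems[] = "OpenSSL {$m[1]} is older than 1.0.1g (Heartbleed fix)";
    }
    return $problems; // empty array: both prerequisites met
}

// Replacement for a handle that used to carry
//     curl_setopt($ch, CURLOPT_SSLVERSION, 3);
// CURL_SSLVERSION_TLSv1 (value 1) lets libcurl pick the highest TLS 1.x the
// peer offers, and SSLv3 is never negotiated even if the peer still allows it.
function init_tls_handle($url) {
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_SSLVERSION, defined('CURL_SSLVERSION_TLSv1') ? CURL_SSLVERSION_TLSv1 : 1);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    return $ch;
}

// Constructed curl_version() output for an unpatched box (not a real server).
$old = array('version_number' => 0x071000, 'version' => '7.16.0', 'ssl_version' => 'OpenSSL/1.0.1e');
print_r(tls_prereqs($old));
print_r(tls_prereqs()); // the cURL/OpenSSL this PHP is actually linked against
```

Run it with the PHP binary your web server uses (not just the CLI), since the two can be linked against different cURL/OpenSSL builds.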

shwekhaw 10-19-2014 07:53 AM

Re: POODLE vulnerability in SSLv3
 
We edited conf file to exclude SSLv3 from SSLProtocol. We did online test and it passes. Do we still need to patch X-payment connector files?

ambal 10-19-2014 11:15 PM

Re: POODLE vulnerability in SSLv3
 
Quote:

Originally Posted by shwekhaw
We edited conf file to exclude SSLv3 from SSLProtocol. We did online test and it passes. Do we still need to patch X-payment connector files?


Yes, if you use X-Payments. This thread was originally created about dealing with the POODLE in X-Payments.

xim 10-20-2014 12:11 AM

Re: POODLE vulnerability in SSLv3
 
Quote:

Originally Posted by cflsystems
XC uses SSL 3 in these files as well

func.https_X.php

where X is libcurl, curl, openssl, ssleay

It is OFF by default but other code in XC may set it to true when used. The solution will be to find the line in the file that sets the option for SSL3 and comment it out. For example, in

func.https_libcurl.php there is this:

PHP Code:

if ($use_ssl3)
    curl_setopt ($ch, CURLOPT_SSLVERSION, 3);


so just comment it out

PHP Code:

// if ($use_ssl3)
//     curl_setopt ($ch, CURLOPT_SSLVERSION, 3);


This is untested so make sure you do some test orders if changing it

QT can we get clarification on this and a patch for XC if possible


This is the correct patch.

Our team is working on the 4.6.5 release planned for this week. This version will have the necessary corrections not to use SSLv3.

ambal 10-20-2014 03:05 AM

Re: POODLE vulnerability in SSLv3
 
Re: Magento users of X-Payments

Nothing needs to be patched in the connector module, as our Magento connector for X-Payments relies on the built-in Magento HTTPS module. So I advise checking with Magento regarding whether or not Magento needs to be patched.

mcanitano 10-20-2014 10:11 AM

Re: POODLE vulnerability in SSLv3
 
We are having an issue with this on XC 4.5.5.

We installed the newest X-Payments Connector, and received the following errors in: x-errors_xpay_connector-xxxxxx.php

Code:

[20-Oct-2014 13:29:34] xpay_connector message:
    X-Payments error (code: 1514): The merchantEmail field is missing or incorrect
Request URI: /payment/payment_cc.php
Backtrace:
/.../modules/XPayments_Connector/xpc_func.php:2257
/.../modules/XPayments_Connector/xpc_func.php:2223
/.../modules/XPayments_Connector/xpc_func.php:1948
/.../modules/XPayments_Connector/xpc_func.php:1941
/.../modules/XPayments_Connector/xpc_func.php:417
/.../payment/cc_xpc.php:574
/.../payment/payment_cc.php:347

-------------------------------------------------
[20-Oct-2014 13:29:34] xpay_connector message:
    Internal error.
Request URI: /payment/payment_cc.php
Backtrace:
/.../modules/XPayments_Connector/xpc_func.php:2257
/.../modules/XPayments_Connector/xpc_func.php:1997
/.../modules/XPayments_Connector/xpc_func.php:1950
/.../modules/XPayments_Connector/xpc_func.php:1941
/.../modules/XPayments_Connector/xpc_func.php:417
/.../payment/cc_xpc.php:574
/.../payment/payment_cc.php:347

-------------------------------------------------


Then in x-errors_payments-xxxxxx.php:

Code:

[20-Oct-2014 13:29:34] PAYMENTS message:
    Payment processing failure.
    Login: [PRIVATE]
    IP: [PRIVATE]
    ----
    Payment method: Credit Card (X-Payments: Authorize.Net AIM)
    bill_output = Array
    (
        [cvvmes] => not set /
        {code} => 2
        [billmes] => Internal error (I)
    )
    original_bill_output = Array
    (
        [cvvmes] => not set /
        {code} => 2
        [billmes] => Internal error (I)
    )
Request URI: /payment/payment_cc.php
Backtrace:
/.../payment/payment_ccmid.php:459
/.../payment/payment_ccend.php:48
/.../payment/payment_cc.php:349

-------------------------------------------------


EDIT: We successfully reverted to old setup, but would still like to know how to fix the above errors.

hdpixel 10-20-2014 01:32 PM

Re: POODLE vulnerability in SSLv3
 
I fixed two stores using this fix. Thank you so much.

X-cart 4.54 and 4.52 with x-payment 1.06.

Dougrun 10-21-2014 08:01 AM

Re: POODLE vulnerability in SSLv3
 
For those not using X-Payments: I'm on 4.6.4, I added

SSLProtocol all -SSLv2 -SSLv3

to my pre-virtual host include file on apache,
pre_virtualhost_global.conf

Passed the test. This is a CentOS 6.4 x86_64 standard GoDaddy dedicated server.

tam10 10-21-2014 08:12 AM

Re: POODLE vulnerability in SSLv3
 
I passed the test
"This server is not vulnerable to the POODLE attack because it doesn't support SSL 3"

Does it mean i do not need to do anything?

I did fail this (what is it?)

IE 6 / XP No FS 1 No SNI 2 Protocol or cipher suite mismatch

Chris B 10-21-2014 09:27 PM

Re: POODLE vulnerability in SSLv3
 
We are having trouble with an x-cart installation using Version 4.5.5 with X-PAYMENTS v.1.0.2.

After turning off SSL3 on the server we no longer had the ability to enter credit card information within the checkout process.

We therefore patched our x-cart installation manually by:


1.) removing the line of code

curl_setopt($ch, CURLOPT_SSLVERSION, 3);

from

modules/XPayments_Connector/xpc_func.php


We did not see the following line within our version of x-cart:

curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'DEFAULT');

So this step was bypassed.


2.) We then tested with no luck.

3.) We then Removed

if ($use_ssl3)
curl_setopt ($ch, CURLOPT_SSLVERSION, 3);


from the func.https_X.php file and tested again. Still no luck

4.) We then installed the newest X-Payments Connector, and white screened the entire cart.

Any suggestions?

DanUK 10-22-2014 01:04 AM

Re: POODLE vulnerability in SSLv3
 
OK, our hosts says they turned off SSLv3 on our server and the https://www.ssllabs.com/ssltest/ says we are not vulnerable to it.

Luckily we are still taking orders, no one has complained about inaccessible https pages over the past few days and https *appears* to be working ok. The only exception is one machine running Internet Explorer 11 where https pages give a 'page cannot be displayed' and ask the user to change the settings to allow TLS etc. This has got me a little worried, although the same version of IE on the other machines in the office is OK. I thought it was only earlier versions of IE that are affected?

Also, if it is disabled on the server do I also need to run the patch for my stores if everything is working ok?

Thanks

cherie 10-25-2014 10:45 AM

Re: POODLE vulnerability in SSLv3
 
This is a bigger issue with X-Cart than just X-Payments though another thread was told to look here. For example, 4.3.2 and Authorize.net AIM now fails since Authorize.net turned off SSLv3 support. cflsystems' recommendation to disable SSLv3 is the generic fix but I'm surprised there hasn't been an official patch for some older versions of X-Cart, at least 4.3 and 4.4, and this thread should be moved to an appropriate area.

EDIT: The example of 4.3.2 and Authorize.net is incorrect. This setup appears to still be working fine.

Chris B 10-25-2014 01:58 PM

Re: POODLE vulnerability in SSLv3
 
Obviously, after turning off SSL3 on the server we no longer had the ability to enter credit card information within the checkout process.

We then patched our x-cart Version 4.5.5 using X-PAYMENTS v.1.0.2 manually by:

1.) removing the line of code

curl_setopt($ch, CURLOPT_SSLVERSION, 3);

from

modules/XPayments_Connector/xpc_func.php

We did not see the following line within our version of x-cart:

curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'DEFAULT');

So this step was bypassed.


2.) We then Removed

if ($use_ssl3)
curl_setopt ($ch, CURLOPT_SSLVERSION, 3);

from

func.https_X.php file

3.) As per x-cart tech support, we then made sure our servers were running cURL v 7.18.1 or newer.


That was all we did and everything is working fine once again.


I hope this helps someone else.

tam10 10-26-2014 06:40 AM

Re: POODLE vulnerability in SSLv3
 
The hosts disabled use of the SSLv3 protocol on hosting servers.

I do not use X-Payments, only the standard PayPal,
but on IE 11 I can't place an order (no https).
How do I fix it?

Thank you.


ambal 10-27-2014 11:14 PM

Re: POODLE vulnerability in SSLv3
 
Chris,

> ... using X-PAYMENTS v.1.0.2

Not sure if you know it but it is a very old X-Payments v1.x version and you should upgrade to 1.0.6 or 2.1.1

manningbrothers 10-28-2014 08:45 AM

Re: POODLE vulnerability in SSLv3
 
Quote:

Originally Posted by cherie
This is a bigger issue with X-Cart than just X-Payments though another thread was told to look here. For example, 4.3.2 and Authorize.net AIM now fails since Authorize.net turned off SSLv3 support. cflsystems' recommendation to disable SSLv3 is the generic fix but I'm surprised there hasn't been an official patch for some older versions of X-Cart, at least 4.3 and 4.4, and this thread should be moved to an appropriate area.

EDIT: The example of 4.3.2 and Authorize.net is incorrect. This setup appears to still be working fine.

I just got an email from Authorize.net stating that "on November 4, 2014, we will be disabling the use of SSLv3 within our systems. This means that if your website or shopping cart solution uses SSLv3 to send transactions to Authorize.Net, you will no longer be able to process transactions." We are using them on XC 4.3.2 and 4.4.2.. That explains why auth.net is still functioning for the moment, but what should we do before 11/4? Any help would be greatly appreciated.

moonslice 10-28-2014 04:50 PM

Re: POODLE vulnerability in SSLv3
 
What about using x-cart 4.4.5 without x-payments - just a direct use of AuthorizeNet AIM under payment gateways? It looks like the second option only applies to x-payments - but will the patch in #1 work even without x-payments?

Quote:

What needs to be done:

1) X-Cart 4 users - apply Attachment 3956 patch to your X-Cart that will disable forced use of SSLv3 and enable automatic selection of TLS or SSL so if your hosting provider disabled SSLv3 support for your X-Payments installation your X-Cart will be able to connect with X-Payments using TLS.

Or you can download our new connectors for X-Cart 4 at
https://drive.google.com/a/x-cart.com/folderview?id=0B6p7sehSZL8_akhxR0VwQ0dta2M&usp=drive_web#list

cflsystems 10-28-2014 05:43 PM

Re: POODLE vulnerability in SSLv3
 
See post #21 above. I think, but am not sure, that if you get all of these it should be enough.

moonslice 10-28-2014 06:00 PM

Re: POODLE vulnerability in SSLv3
 
Thanks so much for your help.

So I should do the things in post #21 and also install the patch in post #1?

I downloaded the patch listed in post #1 - xc4_xp_no_force_ssl3.diff, and then uploaded it to my shop root directory, but when I go to patch/upgrade in 4.4.5, it doesn't show up as available for patching.

cflsystems 10-28-2014 06:10 PM

Re: POODLE vulnerability in SSLv3
 
The diff file will not show on that page; use the section for applying patches on that same page and specify the file.

