X-Cart: shopping cart software

X-Cart forums, News and Announcements: Security bulletin 2008-12-18 (https://forum.x-cart.com/showthread.php?t=44301)

Ene 12-18-2008 05:51 AM

Security bulletin 2008-12-18
 
Dear X-Cart customers,

During internal audit activities we found several moderate security issues that make X-Cart potentially
vulnerable to attackers who wish to gain access to the application back-end.

The following security improvements have been included in this update:
- protection from unauthorized access to the back-end using specially formed POST queries has been added.
- an extra protection level against SQL injections has been added.


SEVERITY:

Moderate


IMPACT

A malicious user can gain access to the application back-end.


AFFECTED VERSIONS

All X-Cart versions from 4.1.0 to 4.1.11


SOLUTION

We strongly recommend that X-Cart users install the security fix available in the HelpDesk 'File Area'. Installation instructions can be found in the README.txt file attached to the .tgz archive.

You can find the patch by the following path:
* For X-Cart 4.1.11 version:
X-Cart -> X-Cart 4.1.11 (current version) -> Updates and patches

* For X-Cart 4.1.0 - 4.1.10 versions:
X-Cart -> X-Cart supporting files for prev versions -> X-Cart 4.1 -> {Your X-Cart version} -> Updates and patches

If you are using X-Cart versions 4.1.0 - 4.1.10, before applying this security patch you *have to* apply all the previous security patches.
You can find all the previous security patches in the "File area" section of the Support HelpDesk.

bigredseo 12-18-2008 10:21 AM

Re: Security bulletin 2008-12-18
 
I posted on the helpdesk, but figured I'd post it out here too.

What impact does this security breach play with the older versions of X-Cart (4.0.x)? A number of our customers have been asking about the security of those older platforms.

bigredseo 12-18-2008 10:41 AM

Re: Security bulletin 2008-12-18
 
X-Cart Responded to my ticket to state that it ONLY affects the 4.1.x branch of the software and nothing changes with the 4.0.x branch. Good news for those that didn't upgrade!

I guess 4.2.x doesn't have this issue either ;)

silvercoyote 12-18-2008 11:22 PM

Re: Security bulletin 2008-12-18
 
Hi,

I have received an email from Qualiteam suggesting I install a patch security-patch-2008-12-18_4.1.11.tgz

I have saved the patch and now I'd like to install it... but how?

When I clicked on the file I received a message as to which program do I wish to use to open a tgz file....

Could someone please steer me in the right direction as to what to do... I am using version 4.1.11

Many thanks and best regards
Vicki

ambal 12-18-2008 11:22 PM

Re: Security bulletin 2008-12-18
 
Quote:

Originally Posted by handsonwebhosting
...
I guess 4.2.x doesn't have this issue either ;)


AFFECTED VERSIONS

All X-Cart versions from 4.1.0 to 4.1.11

silvercoyote 12-18-2008 11:30 PM

Re: Security bulletin 2008-12-18
 
Hello again,

Sorry but I'm lost.

How do I open the tgz file, please?

Do I have to load a program that reads tgz files?

Any info would be very much appreciated.

Thanks again,

kind regards
Vicki

photo 12-19-2008 12:55 AM

Re: Security bulletin 2008-12-18
 
Quote:

Originally Posted by silvercoyote
Hello again,

Sorry but I'm lost.

How do I open the tgz file, please?

Do I have to load a program that reads tgz files?

Any info would be very much appreciated.

Thanks again,

kind regards
Vicki


We use WinRAR to decompress tgz files. There is a 40 day free trial available for download here

silvercoyote 12-19-2008 01:43 AM

Re: Security bulletin 2008-12-18
 
Hi and many thanks for the information.

I'll download that WinRAR and see how I go.

Appreciate your very kind help and Merry Christmas for next week.

Kind regards
Vicki

anandat 12-19-2008 04:24 AM

Re: Security bulletin 2008-12-18
 
Ene,
Could you please clarify this vulnerability in more detail?
I mean, how serious is it? And if my admin area is protected by an htaccess password, can it still be affected?

I am asking you because I have not applied the last security patch, as I was facing this problem after the patch --> http://forum.x-cart.com/showthread.php?p=226043#post226043

Ene 12-19-2008 05:40 AM

Re: Security bulletin 2008-12-18
 
Quote:

I mean, how serious is it?

Very serious.


Quote:

if my admin area is protected by an htaccess password, can it still be affected?

If your admin area is protected by an htaccess password, it will solve 80%-90% of possible issues. However, I strongly recommend applying this patch anyway.
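The htaccess protection Ene refers to above, as an added example that is not part of the original thread or of X-Cart's own patch: an Apache 2.2-style `.htaccess` placed in the store's admin directory (assumed here to be named `admin`; the `.htpasswd` path is a placeholder). Basic authentication in front of the admin scripts blocks unauthenticated POST requests to the back-end before they reach PHP, which is why it covers most but not all of the bulletin's issues; the SQL-injection hardening in the patch itself lives inside the application and is not replaced by this.

```apache
# .htaccess in <store root>/admin/  (directory name assumed)
# Require an HTTP Basic login before any admin script, including
# POST requests, is served. Create the password file outside the
# web root with:  htpasswd -c /etc/xcart/.htpasswd adminuser
AuthType Basic
AuthName "X-Cart administration"
AuthUserFile /etc/xcart/.htpasswd   # placeholder path, keep it outside the web root
Require valid-user

# Belt and braces: never let the web server serve the password file
# or the .htaccess itself, even if they end up inside the web root.
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
</FilesMatch>
```

On Apache 2.4 the `Order`/`Deny` lines are replaced by `Require all denied`; the authentication directives are unchanged.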

