View Single Post
Old 10-17-2014, 05:58 AM
  ambal's Avatar 
ambal ambal is offline

X-Cart team
Join Date: Sep 2002
Posts: 4,115

Exclamation POODLE vulnerability in SSLv3

Hi Everyone,

This part is for those who does use X-Payments:

As you may already know right after OpenSSL Heartblead vulnerability a new one has been found in SSL protocol - POODLE.

The POODLE vulnerability is a weakness in version 3 of the SSL protocol that allows an attacker in a man-in-the-middle context to decipher the plain text content of an SSLv3 encrypted message.

You can read more about POODLE at

Please note - this is NOT a vulnerability in X-Payments or X-Payments connector modules for X-Cart. This is a vulnerability in ciphering software used by almost any server in the Internet to establish secure connections.

What needs to be done:

1) X-Cart 4 users - apply xc4_xp_no_force_ssl3.diff patch to your X-Cart that will disable forced use of SSLv3 and enable automatic selection of TLS or SSL so if your hosting provider disabled SSLv3 support for your X-Payments installation your X-Cart will be able to connect with X-Payments using TLS.

Or you can download our new connectors for X-Cart 4 at ve_web#list

They have been updated today to have the patch out of the box.

X-Cart 5 users - install the latest version of X-Payments connector available at the X-Cart 5 Marketplace.

2) make sure your server where you run X-Cart uses cURL v 7.18.1 or newer.
If you use X-Payments Enterprise/Downloadable license - check the same for your X-Payments server.

If your cURL is older - update it.
If you have no idea what is cURL - consult with your hosting admin.

And since I mentioned the OpenSSL Heartbleed - check your OpenSSL version - it should be at least 1.0.1g


If you do not use X-Payments - go straight at
Sincerely yours,
Alex Mulin
VP of Business Development for X-Cart
X-Payments product manager

Last edited by ambal : 10-30-2014 at 05:29 AM.
Reply With Quote