08-04-2009, 06:00 AM
Ene
X-Cart team
Join Date: Aug 2004
Posts: 907
Security bulletin 4 Aug 2009

During internal audit activities we found a moderate security issue that makes X-Cart potentially
vulnerable to attackers who wish to gain access to the application back-end.

The following security improvement has been included into this update:
- protection from XSS attacks.

SEVERITY:
Moderate

IMPACT
Malicious users may inject active content (for instance, JavaScript) into the application to fool users in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user.

AFFECTED VERSIONS
All X-Cart versions

SOLUTION
We strongly recommend that you apply the security fix to secure your store.

To apply this patch, follow the instructions below:

1) Download the security patch (the security-patch-2009-08-04_***.tgz archive file, e.g. security-patch-2009-08-04_4.2.2.tgz) from the "File area" section of your HelpDesk account.

You can find the patch by the following path:
* For X-Cart 4.2.2 version:
X-Cart -> X-Cart 4.2.2 (current version) -> Updates and patches

* For all the other versions:
X-Cart -> X-Cart supporting files for prev versions -> {Your X-Cart branch} -> {Your X-Cart version} -> Updates and patches

2) Decompress the archive file.
The following folders will be extracted:
/DIFF-xcart - contains DIFF files to patch customized X-Cart files
/xcart - contains the X-Cart files with fixed vulnerability.

Note:
A DIFF file is a file containing the difference between two files. In our case the DIFF file contains the changes made to the current file, obtained by comparing it to a former version of the same file.

There are 2 ways to install the patch:
a) place the fixed files over the current ones;
b) manual installation using DIFF files.

3) Back up the corresponding files in your X-Cart before patching the store.

4) If the files from the xcart directory are not modified in your X-Cart, you may use the first method of applying the patch. This way the files from the patch will overwrite the same files in your X-Cart. You should copy the files from the patch into your X-Cart installation via FTP or another tool that you usually use to manage files on your web-server. The copied files will replace the original ones that contain the vulnerability, thus it will be fixed.

NOTE: The patch will overwrite the files completely, i.e. they will become default. If you made any changes or customizations to the files, make sure you re-implement the changes after the patch has been applied, or just install the patch manually.

5) If the files have been modified, it is recommended to apply the patch manually using DIFF files. This way you will keep your modifications intact. To learn about this installation method, please follow an article from the Helpdesk FAQs at
https://secure.qtmsoft.com/customer.php?area=info&target=view_faq_question&subject=1073741899

ATTN: In case you are running X-Cart 3.3.x and earlier, please contact our tech support directly. They will provide you with a free patch for your particular version.

If you face any problems during or after the installation, feel free to contact our support team for help.

Please note: all the issues fixed by the current patch have already been corrected in the newest X-Cart 4.3.0 version.
__________________
Eugene Kaznacheev,
Evangelist/Product Manager at Ecwid: http://www.ecwid.com/ (since Sept 2009)

ex-Head of X-Cart Tech Support Department
ex- X-Cart Hosting Manager - X-Cart hosting
ex-X-Cart Technical Support Engineer


Note: For the official guaranteed tech support services please turn to the Customers HelpDesk.
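Steps 3 and 4 of the bulletin (back up, then overwrite with the files from the extracted /xcart folder) scripted for an unmodified store, as an added example that is not X-Cart's own tooling. The store path, patch path and the demo file names are assumptions; customised files should go through the DIFF method instead.

```shell
#!/bin/sh
# Added example, not X-Cart's own tooling: method (a) from the bulletin.
# For every file under the extracted /xcart folder, the matching store file is
# copied into a backup tree (step 3) before the fixed file overwrites it (step 4).
# Customised files must not go through this path; apply the DIFF files instead.
apply_patch_overwrite() {
    store="$1"; patched="$2"; backup="$3"
    mkdir -p "$backup"
    find "$patched" -type f | while read -r f; do
        rel="${f#"$patched"/}"                   # path relative to the patch root
        if [ -f "$store/$rel" ]; then
            mkdir -p "$backup/$(dirname "$rel")"
            cp -p "$store/$rel" "$backup/$rel"   # keep the vulnerable original
        fi
        mkdir -p "$store/$(dirname "$rel")"
        cp -p "$f" "$store/$rel"                 # replace with the fixed file
        echo "patched: $rel"
    done
}

# Constructed demo: a fake store with one file and a patch that replaces it.
# The directory and file names are placeholders, not the real patch contents.
DEMO_ROOT=$(mktemp -d)
DEMO_STORE="$DEMO_ROOT/store"
DEMO_PATCH="$DEMO_ROOT/xcart"
DEMO_BACKUP="$DEMO_ROOT/backup"
mkdir -p "$DEMO_STORE/include" "$DEMO_PATCH/include"
printf 'vulnerable\n' > "$DEMO_STORE/include/example.php"
printf 'fixed\n'      > "$DEMO_PATCH/include/example.php"
apply_patch_overwrite "$DEMO_STORE" "$DEMO_PATCH" "$DEMO_BACKUP"
```

Run it once with a copy of the store before touching the live installation; the backup tree mirrors the store's paths, so restoring is a reverse copy.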