Thread: 4.1.9 changelog
  #58  
Old 11-12-2007, 03:24 AM
ambal
X-Cart team
  
Join Date: Sep 2002
Posts: 4,121
 

Re: 4.1.9 changelog

Hi everyone,

We conducted research on "why upgrading to 4.1.9 is so hard".

First of all, the upgrade to 4.1.9 is *not defective*, and it is applied properly if it is applied to a standard X-Cart installation and according to the upgrade instructions.
I advise you to read the discussion on this at http://forum.x-cart.com/showthread.php?t=35125.

Also, X-Cart v4.1.9 is a working version which we recommend using, especially if you are concerned about social engineering hacking methods. At the same time, you do not have to upgrade to 4.1.9 at all, especially if you feel confident that you will not be swindled and if you are satisfied with how your current X-Cart version works. In this case we recommend that you apply security patch #2007-10-29 (I advise you to monitor the discussion at http://forum.x-cart.com/showthread.php?p=192813#post192813, as we are going to release an improved version of the patch soon).


Why is the upgrade to 4.1.9 so hard?

In July 2007 we sent a newsletter about a potential security issue in X-Cart which contained the following information:
Quote:
Recently we have found a moderate security issue that renders X-Cart-based stores and other similar Web applications requiring user authorization (shopping carts, CMS solutions, etc) potentially vulnerable to attackers wishing to gain access to the application back-end and sensitive information stored in the user profiles. The issue is not limited to X-Cart, but is typical for the majority of Web applications. The issue is based on the assumption that an attacker might use a "phishing" technique to lure the store administrator into opening a specially crafted Web link and performing a sequence of steps that might allow him to gain full access to the store back end.

In connection with this issue, we would like to remind you of the necessity to exercise extreme caution in opening Web links from unknown or unverified sources. We strongly advise that you do not follow any links from people you do not know. Even if someone asks you to open a link leading to your own store, open this link using a separate browser session (not the session you are using to work on your store - the session where you log in to the store back-end and enter sensitive data). If you have accidentally opened such a link in the same session and are now viewing what seems to be a page of your own store, do not do anything on this page (most important - do not log in or provide any sensitive information!). Close the browser window, then open the browser again and type a trusted web address for your store website into the address bar of your browser to bypass the link provided in the suspected phishing message. Following these recommendations will fully protect you from attacks of this type.

We have already devised a solution to minimize the risk imposed by this issue and will implement it in one of the future releases of X-Cart software.

The difference in this upgrade is that 4.1.9 contains that solution, i.e. besides the usual number of various bug-fixes and minor changes in "every-day" features, the core of X-Cart v4.1.9 contains a good deal of completely new code which implements multiple protection schemes against the aforementioned and some other phishing ways of hacking your online shop using social engineering methods.

The new code in the X-Cart v4.1.9 core affected a significant number of X-Cart PHP files in different places, thus making the upgrade to 4.1.9 harder than a usual upgrade between minor versions. E.g. the upgrade 4.1.8->4.1.9 affects 708 files and 50757 lines of code, while the upgrade 4.1.7->4.1.8 affects 391 files and 21313 lines of code, and the changes between 4.1.8 and 4.1.9 are not just bug-fixes but portions of new code.

If you want to upgrade your store to v4.1.9, I recommend that you read http://forum.x-cart.com/showthread.php?t=35125 before you start.
__________________
Sincerely yours,
Alex Mulin
VP of Business Development for X-Cart
X-Payments product manager
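The newsletter quoted in the post above describes an attack in which an administrator who is logged in to the back-end is lured into opening a crafted link, so that the admin's own authenticated session ends up performing steps the attacker chose. The post does not say which protection schemes 4.1.9 adds, so the following is an added example, not X-Cart's code or the post author's: it shows one standard defence against that class of attack, a per-session anti-forgery token that every state-changing back-end request must carry. The function names, the `csrf_token` parameter and the session array passed in by hand are all assumptions made for this example.

```php
<?php
// Added example (not X-Cart code): a per-session anti-forgery token for
// state-changing back-end requests. A crafted link or page on another site
// can make the admin's browser send a request to the store, but it cannot
// know the token that only a page rendered by the real back-end contains.
// The session array is passed in explicitly so that the script runs
// stand-alone; in a real application it would be $_SESSION after
// session_start(). All names below are assumptions for this example.

declare(strict_types=1);

// Create (or reuse) the anti-forgery token bound to this admin session.
function issue_csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        // 32 random bytes -> 64 hex characters, unguessable by a third party.
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hidden field to embed in every form the back-end renders itself.
function csrf_field(array &$session): string
{
    $token = htmlspecialchars(issue_csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

// Decide whether a state-changing request may proceed.
// $request stands for the POST parameters of the incoming request.
function verify_csrf_token(array $session, array $request): bool
{
    // No token issued yet, or none sent with the request: reject.
    if (empty($session['csrf_token']) || !isset($request['csrf_token'])) {
        return false;
    }
    if (!is_string($request['csrf_token'])) {
        return false;
    }
    // Constant-time comparison so the token is not leaked through timing.
    return hash_equals($session['csrf_token'], $request['csrf_token']);
}

// --- Constructed demonstration (sample data, not real traffic) ----------
$session = [];                     // a fresh admin session
$form_html = csrf_field($session); // the back-end renders one of its forms

// A request submitted from the back-end's own form carries the token.
$legit = ['action' => 'change_password', 'csrf_token' => $session['csrf_token']];

// Requests triggered by a crafted link elsewhere either carry no token
// or carry a guessed one, because the attacker never saw the admin's page.
$forged_guess    = ['action' => 'change_password', 'csrf_token' => 'guess'];
$forged_no_token = ['action' => 'change_password'];

echo "form field rendered: ", $form_html, PHP_EOL;
echo "own form accepted:   ", var_export(verify_csrf_token($session, $legit), true), PHP_EOL;
echo "guessed token:       ", var_export(verify_csrf_token($session, $forged_guess), true), PHP_EOL;
echo "missing token:       ", var_export(verify_csrf_token($session, $forged_no_token), true), PHP_EOL;
```

The token only protects actions the back-end performs on the admin's behalf; it does nothing if the admin is lured into typing credentials into a look-alike page. That is why the newsletter's advice to open suspicious links in a separate browser session and to reach the store by typing a trusted address still applies alongside any server-side check.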