#1
Security bulletin 2009-12-02
Dear X-Cart customers,
During an internal security audit a critical security issue has been detected in X-Cart. The issue makes the software vulnerable to attackers who wish to gain access to the server file system. The solution is to remove an affected file.

SEVERITY
Critical

IMPACT
A malicious user can execute his own shell commands and, as a result, gain access to the server file system.

AFFECTED VERSIONS
X-Cart versions from 4.1.0 to 4.1.11. All X-Cart customers who are using these versions are encouraged to apply the fix described below.

SOLUTION
Delete the '<xcart_dir>/payment/cc_basia.php' file. This file refers to an outdated integration of the 'Bank of Asia' payment gateway, so its deletion will not cause any problems and will not affect your stores. The '<xcart_dir>' text means the server directory in which your X-Cart is installed. You can delete this file using FTP, SSH or the hosting control panel file manager.

NOTE: If you use a custom integration of the 'Bank of Asia' payment gateway or the '<xcart_dir>/payment/cc_basia.php' script, you should contact our support team for free help.

If you have any questions or concerns, please feel free to turn to the X-Cart support team via your Helpdesk.
__________________
Eugene Kaznacheev, Evangelist/Product Manager at Ecwid: http://www.ecwid.com/ (since Sept 2009) ex-Head of X-Cart Tech Support Department ex- X-Cart Hosting Manager - X-Cart hosting ex-X-Cart Technical Support Engineer Note: For the official guaranteed tech support services please turn to the Customers HelpDesk.
#2
Re: Security bulletin 2009-12-02
Hi Everyone,
I closed News&Announcements from public access for reading. This information is accessible by X-Cart license owners only.
__________________
Sincerely yours, Alex Mulin VP of Business Development for X-Cart X-Payments product manager
#3
Re: Security bulletin 2009-12-02
It appears the same cc_basia.php file exists in 4.2 also. Is it affected also?
__________________
Two Separate X-Cart Stores Version 4.4.4 Gold - X-AOM - Vivid Dreams Aquamarine (modified) - Linux Mods - Newest Products - View All -, and a few others. Numerous upgrades from 4.0.x series. Integrated with Stone Edge Order Manager + POS Version 4.1.12 Gold (fresh install) - X-AOM - Linux Mods - XCSEO free
#4
Re: Security bulletin 2009-12-02
v4.2.0 doesn't have this file. Please check the distribution package.
__________________
Eugene Kaznacheev
#5
Re: Security bulletin 2009-12-02
My bad. I must have included it with the upgrade from 4.1.11. I deleted it anyway.
__________________
Two Separate X-Cart Stores Version 4.4.4 Gold - X-AOM - Vivid Dreams Aquamarine (modified) - Linux Mods - Newest Products - View All -, and a few others. Numerous upgrades from 4.0.x series. Integrated with Stone Edge Order Manager + POS Version 4.1.12 Gold (fresh install) - X-AOM - Linux Mods - XCSEO free
#6
Re: Security bulletin 2009-12-02
Eugene,
Would it be wise to delete all cc_payment-gateway.php files that are not in use? There is no reason to have them if not used, AND it is RARE for a store to change payment gateways -- and if so, then a restore of the appropriate gateway is quite simple. What do you think?
__________________
xcart 4.5.4 gold+ w/x-payments 1.0.6; xcart gold 4.4.4
#7
Re: Security bulletin 2009-12-02
I think it is a good idea. But it is important to mention the following things:
* please delete only the unnecessary 'cc_*.php/ch_*.php/ps_*.php' files. If you delete some other files, for example 'payment_cc.php', your payment gateway will not work
* it is necessary to restore these files or alter the upgrade pack, if you decide to upgrade
__________________
Eugene Kaznacheev
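The cleanup discussed in the bulletin and in the two posts above (get cc_basia.php out of the web root, prune the unused cc_*/ch_*/ps_* gateway scripts, never touch payment_cc.php, and be able to put everything back before an upgrade) as a small POSIX shell script. This is an added example, not X-Cart's code and not something from this thread. It differs from the bulletin's step in one way, stated plainly: it moves the files into a quarantine directory outside the web root instead of deleting them, which removes them just as effectively but makes the restore Eugene mentions a single command. The store layout, the gateway file names and the keep list are constructed for the demo; a real store would list the gateway scripts it actually uses.

```shell
#!/bin/sh
# Added example, not X-Cart's own code. Quarantines unused X-Cart payment
# gateway scripts (cc_*.php, ch_*.php, ps_*.php under <xcart_dir>/payment/)
# by moving them to a directory outside the web root instead of deleting
# them, so they are unreachable from the web but trivial to restore before
# an upgrade. Shared files such as payment_cc.php are never touched.
# The demo store layout, file names and keep list below are constructed.

# quarantine_gateways XCART_DIR QUARANTINE_DIR "KEEP_LIST"
#   KEEP_LIST: space-separated basenames of gateway scripts still in use.
#   Prints the number of files moved.
quarantine_gateways() {
    xdir="$1"; qdir="$2"; keep="$3"
    mkdir -p "$qdir"
    moved=0
    for f in "$xdir"/payment/cc_*.php "$xdir"/payment/ch_*.php "$xdir"/payment/ps_*.php; do
        [ -f "$f" ] || continue          # pattern matched no file
        base=$(basename "$f")
        case " $keep " in
            *" $base "*) continue ;;      # gateway still in use: leave it
        esac
        mv "$f" "$qdir/$base"
        moved=$((moved + 1))
    done
    echo "$moved"
}

# restore_gateways XCART_DIR QUARANTINE_DIR
#   Moves everything back before applying an upgrade pack. Prints the count.
restore_gateways() {
    xdir="$1"; qdir="$2"; restored=0
    for f in "$qdir"/*.php; do
        [ -f "$f" ] || continue
        mv "$f" "$xdir/payment/$(basename "$f")"
        restored=$((restored + 1))
    done
    echo "$restored"
}

# cc_basia_present XCART_DIR
#   Exit status 0 if the file named in the bulletin is still in the web root.
cc_basia_present() {
    [ -e "$1/payment/cc_basia.php" ]
}

# demo_setup
#   Builds a constructed <xcart_dir> inside a temp directory; prints the parent.
demo_setup() {
    root=$(mktemp -d)
    mkdir -p "$root/xcart/payment"
    for n in cc_basia.php cc_authorizenet.php cc_paypal.php ch_demo.php ps_demo.php payment_cc.php; do
        printf '<?php // constructed placeholder for %s\n' "$n" > "$root/xcart/payment/$n"
    done
    echo "$root"
}

# Stand-alone run: quarantine everything except the two gateways the
# constructed store "uses", then confirm cc_basia.php is out of the web root.
root=$(demo_setup)
n=$(quarantine_gateways "$root/xcart" "$root/quarantine" "cc_authorizenet.php cc_paypal.php")
echo "moved $n gateway scripts to $root/quarantine"
if cc_basia_present "$root/xcart"; then
    echo "cc_basia.php is still in the web root"
else
    echo "cc_basia.php removed from the web root"
fi
ls "$root/xcart/payment"
rm -rf "$root"
```

Run it against a real install as `quarantine_gateways /path/to/xcart /path/outside/webroot/xcart-payment-quarantine "cc_yourgateway.php"` with the scripts your store really uses in the keep list; before an upgrade, `restore_gateways` puts them all back so the upgrade pack applies cleanly, as Eugene notes above.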
#8
Re: Security bulletin 2009-12-02
We didn't get any email notice of this security problem. Did an email not go out? We always get the security notices. Usually we receive the same security email a couple of times actually. I'm glad I noticed this thread so we can update all of our hosted customer's accounts.
Thanks, Carrie
__________________
Custom Development, Custom Coding and Pre-built modules for X-cart since 2002! We support X-cart versions 3.x through 5.x! Home of the famous Authorize.net DPM & CIM Modules, Reward Points Module, Point of Sale module, Speed Booster modules and more! Over 200 X-cart Mods available & Thousands of Customizations Since 2002 - bcsengineering.com Please E-Mail us for questions/support!
#9
Re: Security bulletin 2009-12-02
The newsletter sending has been started. Since the script sends a fixed number of emails per hour it will take some time to send all the emails as we have many clients.
__________________
Eugene Kaznacheev
#10
Re: Security bulletin 2009-12-02
Two Words: Mail Chimp
__________________
xcart 4.5.4 gold+ w/x-payments 1.0.6; xcart gold 4.4.4
X-Cart forums © 2001-2020