#1
Security bulletin 4 Aug 2009
During internal audit activities we found a moderate security issue that makes X-Cart potentially vulnerable to attackers who wish to gain access to the application back-end. The following security improvement has been included in this update:
- protection from XSS attacks.

SEVERITY: Moderate

IMPACT
Malicious users may inject active content (for instance, JavaScript) into the application to fool users in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user.

AFFECTED VERSIONS
All X-Cart versions

SOLUTION
We strongly recommend that you apply the security fix to secure your store. To apply this patch, follow the instructions below:

1) Download the security patch (the security-patch-2009-08-04_***.tgz archive file, e.g. security-patch-2009-08-04_4.2.2.tgz) from the "File area" section of your HelpDesk account. You can find the patch at the following path:
* For X-Cart 4.2.2: X-Cart -> X-Cart 4.2.2 (current version) -> Updates and patches
* For all other versions: X-Cart -> X-Cart supporting files for prev versions -> {Your X-Cart branch} -> {Your X-Cart version} -> Updates and patches

2) Decompress the archive file. The following folders will be extracted:
/DIFF-xcart - contains DIFF files to patch customized X-Cart files
/xcart - contains the X-Cart files with the vulnerability fixed
Note: a DIFF file is a file containing the difference between two files. In our case the DIFF file contains the changes made to the current file, obtained by comparing it to a former version of the same file. There are 2 ways to install the patch:
a) place the fixed files over the current ones;
b) manual installation using DIFF files.

3) Back up the corresponding files in your X-Cart before patching the store.

4) If the files from the xcart directory are not modified in your X-Cart, you may use the first method of applying the patch. This way the files from the patch will overwrite the same files in your X-Cart. You should copy the files from the patch into your X-Cart installation via FTP or another tool that you usually use to manage files on your web server. The copied files will replace the original ones that contain the vulnerability, and thus it will be fixed.
NOTE: The patch will overwrite the files completely, i.e. they will become default. If you made any changes or customizations to the files, make sure you re-implement the changes after the patch has been applied, or just install the patch manually.

5) If the files have been modified, it is recommended to apply the patch manually using DIFF files. This way you will keep your modifications intact. To learn about this installation method, please see the article in the Helpdesk FAQs at https://secure.qtmsoft.com/customer.php?area=info&target=view_faq_question&subject=1073741899

ATTN: In case you are running X-Cart 3.3.x or earlier, please contact our tech support directly. They will provide you with a free patch for your particular version.

If you face any problems during or after the installation, feel free to contact our support team for help.

Please note: all the issues fixed by the current patch have already been corrected in the newest X-Cart 4.3.0 version.
__________________
Eugene Kaznacheev, Evangelist/Product Manager at Ecwid: http://www.ecwid.com/ (since Sept 2009) ex-Head of X-Cart Tech Support Department ex- X-Cart Hosting Manager - X-Cart hosting ex-X-Cart Technical Support Engineer Note: For the official guaranteed tech support services please turn to the Customers HelpDesk.
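The patch procedure in steps 3-5 of the bulletin, as an added example (Python; this is not X-Cart's own tooling and does not reproduce the real patch): it backs the target file up first, applies the DIFF with strict context checks so that customizations outside the fixed region survive, refuses when a customization overlaps the fix instead of guessing, and then runs a post-install check. The template lines, the DIFF hunk and the `|escape` fix are constructed stand-ins; only the file path is taken from the thread (it is named later, in post #3).

```python
"""Added example (not X-Cart's own code): back up, apply the DIFF with
strict context checks, and verify. The template text and the DIFF are
constructed stand-ins, not the real advanced_stats.tpl or the real patch."""
import hashlib
import re
import tempfile
from pathlib import Path

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

# Constructed stand-ins: the path is the one named later in the thread,
# the contents are invented for this demo.
REL = "skin1/modules/Advanced_Statistics/advanced_stats.tpl"
STOCK = (
    "{* constructed stand-in, not the real template *}\n"
    "<h2>{$lng.lbl_referrers}</h2>\n"
    "<table>\n"
    "<tr><td>{$row.referer}</td></tr>\n"
    "</table>\n"
)
FIXED = STOCK.replace("{$row.referer}", "{$row.referer|escape}")
DIFF = (
    f"--- xcart/{REL}\n"
    f"+++ xcart/{REL}\n"
    "@@ -3,3 +3,3 @@\n"
    " <table>\n"
    "-<tr><td>{$row.referer}</td></tr>\n"
    "+<tr><td>{$row.referer|escape}</td></tr>\n"
    " </table>\n"
)


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def parse_unified_diff(diff_text: str):
    """Return [(old_start, [(tag, line), ...]), ...], one entry per @@ hunk."""
    hunks = []
    for raw in diff_text.splitlines():
        if not hunks and raw.startswith(("--- ", "+++ ")):
            continue  # file header
        m = HUNK_RE.match(raw)
        if m:
            hunks.append((int(m.group(1)), []))
        elif hunks and raw[:1] in (" ", "-", "+"):
            hunks[-1][1].append((raw[0], raw[1:]))
    return hunks


def apply_diff(original: str, diff_text: str) -> str:
    """Apply the hunks, insisting that every context (' ') and removed ('-')
    line matches the store file exactly. A mismatch means a customization
    overlaps the security fix, so raise rather than guess."""
    lines = original.splitlines()
    out, pos = [], 0
    for old_start, body in parse_unified_diff(diff_text):
        out.extend(lines[pos:old_start - 1])
        pos = old_start - 1
        for tag, text in body:
            if tag == "+":
                out.append(text)
                continue
            if pos >= len(lines) or lines[pos] != text:
                raise ValueError(f"context mismatch at line {pos + 1}: expected {text!r}")
            if tag == " ":
                out.append(text)
            pos += 1
    out.extend(lines[pos:])
    return "\n".join(out) + ("\n" if original.endswith("\n") else "")


def is_patched(text: str, diff_text: str) -> bool:
    """Post-install check that also works on customized files: every line
    the DIFF adds is present and every line it removes is gone."""
    present = set(text.splitlines())
    body = [pair for _, hunk in parse_unified_diff(diff_text) for pair in hunk]
    return (all(t in present for tag, t in body if tag == "+")
            and not any(t in present for tag, t in body if tag == "-"))


def install(store: Path, backup_dir: Path) -> str:
    """Steps 3 and 5 of the bulletin for REL. Returns 'patched' or 'conflict';
    on conflict the store file is left untouched and the backup stands."""
    target = store / REL
    current = target.read_text()
    backup = backup_dir / (REL + ".bak")              # step 3: back up first
    backup.parent.mkdir(parents=True, exist_ok=True)
    backup.write_text(current)
    try:
        target.write_text(apply_diff(current, DIFF))  # step 5: DIFF method
    except ValueError:
        return "conflict"                             # merge by hand
    return "patched"


def demo() -> dict:
    """Run install() against three constructed stores; per store report
    (status, is_patched, identical to shipped fixed file, backup intact)."""
    stores = {
        "pristine": STOCK,                            # the step 4 case
        "custom_elsewhere": STOCK.replace("<h2>", "<h3>").replace("</h2>", "</h3>"),
        "custom_overlap": STOCK.replace("{$row.referer}", "{$row.referer|truncate:40}"),
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, content in stores.items():
            target = root / name / REL
            target.parent.mkdir(parents=True)
            target.write_text(content)
            status = install(root / name, root / "backup" / name)
            after = target.read_text()
            backup = (root / "backup" / name / (REL + ".bak")).read_text()
            results[name] = (status, is_patched(after, DIFF),
                             sha256(after) == sha256(FIXED), backup == content)
    return results


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:17s} status={row[0]:8s} patched={row[1]} "
              f"matches_shipped={row[2]} backup_ok={row[3]}")
```

For an unmodified store the DIFF result is byte-identical to the shipped fixed file, which is why the overwrite method (step 4) and the DIFF method (step 5) agree there; a checksum compare against the shipped file is therefore a valid post-install check only for unmodified files, while the `is_patched()` check above also works on a customized file. The `custom_overlap` case is the one the bulletin's warning is about: neither method can be applied blindly, and the backup taken in step 3 is what you merge from.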
#2
Re: Security bulletin 4 Aug 2009
Hi guys,
I closed News&Announcements for anonymous access for a while. Unregistered visitors are not able to see this announcement.
__________________
Sincerely yours, Alex Mulin VP of Business Development for X-Cart X-Payments product manager
#3
Re: Security bulletin 4 Aug 2009
Eugene,
Since this patch only affects one file (at least for version 4.1.9):
/skin1/modules/Advanced_Statistics/advanced_stats.tpl
If Advanced Stats were disabled, was there ever a vulnerability? I've had a few X-Cart users ask me this... Thanks.
Jeremy
__________________
xcart 4.5.4 gold+ w/x-payments 1.0.6; xcart gold 4.4.4
#4
Re: Security bulletin 4 Aug 2009
Quote:
The patch for all versions affects this file only.
Quote:
No. If the Advanced Stats module is disabled and you don't use it, you are safe. However, you may be in danger if you enable it later.
__________________
Eugene Kaznacheev, Evangelist/Product Manager at Ecwid: http://www.ecwid.com/ (since Sept 2009) ex-Head of X-Cart Tech Support Department ex- X-Cart Hosting Manager - X-Cart hosting ex-X-Cart Technical Support Engineer Note: For the official guaranteed tech support services please turn to the Customers HelpDesk.
#5
Re: Security bulletin 4 Aug 2009
I have spot checked a couple of versions and all are the same one-file patch, and all require Advanced Stats to be turned on to include the patched tpl, so there is no vulnerability if Advanced Stats is turned off. OTOH, PCI-DSS requires applying vendor security patches within 30 days of release. This patch is so simple it's not going to conflict with most any store's mods, so just apply it and be done with it.
__________________
Manuka Bay Company X-Cart Version 4.0.19 [Linux] UGG Boots and other fine sheepskin products http://www.snowriver.com
#6
Re: Security bulletin 4 Aug 2009
Can you guys email these out? Maybe have us opt-in for security updates or marketing updates or something? Thanks.
__________________
xCart Pro Version 4.0.17, 4.0.19, 4.1.8, 4.1.10, 4.1.11, 4.1.12 - retired xCart Pro Version 4.3.1 - production xCart Pro Version 4.5.1 - testing RHEL Platform
#7
Re: Security bulletin 4 Aug 2009
You can do that in your forum profile
__________________
Steve Stoyanov CFLSystems.com Web Development
#8
Re: Security bulletin 4 Aug 2009
Quote:
The email was sent to all our clients who subscribed for the 'Security alerts and advisory' newsletter. (We sent it via Mailchimp. Thank you carpeperdiem, you were right and it is a great tool)
__________________
Eugene Kaznacheev, Evangelist/Product Manager at Ecwid: http://www.ecwid.com/ (since Sept 2009) ex-Head of X-Cart Tech Support Department ex- X-Cart Hosting Manager - X-Cart hosting ex-X-Cart Technical Support Engineer Note: For the official guaranteed tech support services please turn to the Customers HelpDesk.
#9
Re: Security bulletin 4 Aug 2009
Hi Ene
Quote:
Thanks for the detailed description of how to apply the patch. I have applied the patch to my site; how do I check to make sure that all is well with my site?
__________________
4.1.11 gold x-special offers CDSEO Pro
#10
Re: Security bulletin 4 Aug 2009
Quote:
Please enter your HelpDesk area and go to the 'Manage accounts -> Edit self profile' page.
Quote:
Did you mean checking whether the store is functioning correctly, or whether the security issue is solved?
__________________
Eugene Kaznacheev, Evangelist/Product Manager at Ecwid: http://www.ecwid.com/ (since Sept 2009) ex-Head of X-Cart Tech Support Department ex- X-Cart Hosting Manager - X-Cart hosting ex-X-Cart Technical Support Engineer Note: For the official guaranteed tech support services please turn to the Customers HelpDesk.

X-Cart forums © 2001-2020