X-Cart forums

[cflsystems]

Doing an upgrade from 4.1.9 to 4.6.0. The new security features are really pain in the ass. QT - PLEASE revised them and also make sure the config.php in the installation and the one in the upgrade packs have these features OFF by default - ALL of them.

I had to do the upgrade on a separate server and once db upgraded move it back to the production server - apparently the new security features are tied to IP (otherwise I don't see why login will fail) and generate the signatures in customers tables based on that... Please correct me if I am wrong

This causes failed logins once db is moved to a different server. While the 4.6.0 installation can be done with most of these features being OFF an upgrade cannot - the config.php in the upgrade packs has them all set to IP or ON and modifying them in the file causes MD5 checksum to fail so the upgrade cannot be performed...

I am all for security but when this security stands in the way of the normal store operation it is more of a software malfunction rather than improvement.

The only way to login was to go through "reset password" which by the way caused the following sql error

Quote:

[24-Jun-2013 19:46:32] SQL error:
Site : URL
Remote IP : IP
Logged as : LOGIN
SQL query : REPLACE INTO xcart_login_history (`userid`, `date_time`, `usertype`, `action`, `status`, `ip`) VALUES ('27124', '1372128392', 'P', 'check_critical_config_values_authenticity: * Notify the site administrator about SQL errors in the store by email *Possible fake allowed IP addresses and/or the list of IP addresses awaiting registration *Check if payment gateway response is coming from the IP's specified here (enter a comma separated list) *Login error notification to site administrator *Possible fake allowed IP addresses and/or the list of IP addresses awaiting registration *Site administrator email address *SMTP server *Notify the site administrator by email if unallowed request to site occurs *Use SMTP server instead of internal PHP mailer *IP addresses for X-Payments callbacks (optional)', 'restricted', '1136079444')
Error code : 1064
Description : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's specified here (enter a comma separated list) *Login error notification t' at line 1
Request URI: /store/xcart/admin/home.php
Backtrace:
/store/xcart/include/func/func.db.php:320
/store/xcart/include/func/func.db.php:217
/store/xcart/include/func/func.db.php:711
/store/xcart/include/func/func.user.php:1580
/store/xcart/include/func/func.security.php:141
/store/xcart/admin/auth.php:103
/store/xcart/admin/home.php:44
-------------------------------------------------

Note the marked in red/bold - unescaped '


I continue to see this error as well

Quote:

[24-Jun-2013 18:03:13] Error: Smarty error: [in main/orders_list.tpl line 54]: [plugin] modifier 'order_status_color' is not implemented (core.load_plugins.php, line 11 in /include/lib/smarty/Smarty.class.php on line 1093

Also doing an upgrade from 4.5.x to 4.6.0 results in no sql or php errors on the 4.6.0 cart but installing new unmodified 4.6.6 gold+ shows this php error

Quote:

[24-Jun-2013 19:52:16] PHP Fatal error: Cannot call method self::arg1PlusArg2() or method does not exist in /include/func/func.product.php on line 663

and this sql

Code:

    SQL query   : SELECT DISTINCT xcart_products.productid FROM xcart_products INNER JOIN xcart_products_lng_en ON xcart_products_lng_en.productid = xcart_products.productid INNER JOIN xcart_products_categories ON  xcart_products_categories.productid = xcart_products.productid AND xcart_products_categories.avail = 'Y'  LEFT JOIN xcart_category_memberships ON xcart_category_memberships.categoryid = xcart_products_categories.categoryid LEFT JOIN xcart_product_memberships ON xcart_product_memberships.productid = xcart_products.productid WHERE (xcart_category_memberships.membershipid = '0' OR xcart_category_memberships.membershipid IS NULL) AND (xcart_product_memberships.membershipid = '0' OR xcart_product_memberships.membershipid IS NULL) AND xcart_products.forsale='Y' AND xcart_products_categories.main='Y' AND xcart_products_categories.categoryid='9871' AND price >= '399.00' AND product >= 'Bronze Lite Class: H.264 8 Channel DVR - Apple IPHONE MAC OSX Windows PC Compatible' ORDER BY price ASC, xcart_products_lng_en.product ASC LIMIT 2
    Error code  : 1054
    Description : Unknown column 'price' in 'where clause'
Request URI: /store/xcart/product.php?productid=53748&cat=0&featured=Y
Backtrace:
/store/xcart/include/func/func.db.php:320
/store/xcart/include/func/func.db.php:217
/store/xcart/include/func/func.db.php:516
/store/xcart/include/func/func.product.php:1527
/store/xcart/include/func/func.product.php:555
/store/xcart/include/func/func.product.php:459
/store/xcart/include/func/func.product.php:425
/store/xcart/product.php:327

Table pricing is missing from the above query so "price" is unknown.....

This is with fresh downloaded upgrade packs and new release installation pack

@Ksenia - I was not complaining although it will be a reasonable complain - RE product configurator. There are many XC owners with old carts which either bought this module before or had it included free with the cart and using it. The new XC line took this module out (fine) but not one upgrade pack checks if this module is in modules table and if it is ON and in the upgraded db and if not some sort of notification at least to turn it OFF. Every single upgrade I have done since this new line was introduced has the module (or the comparation module) ON and this causes the cart to not work after an upgrade - until this module is turned off or files are uploaded. The least the upgrade pack can do is turn off these module - not to delete their reference but so they don't load, and a note for admin on first login.... just an idea


Another one - not sure how you want to handle this - but since 4.6.0 has some module's new info like tags, url, author... with an upgrade the modules already in the db do not have this info - maybe it is not a bad idea to allow admin to re-categorize modules so the existing ones do not receive just generic "ALL" tag.... just something to think about, not a bug or anything....

[carpeperdiem]

Quote:

Originally Posted by cflsystems

I am all for security but when this security stands in the way of the normal store operation it is more of a software malfunction rather than improvement.

Steve,
Are you reading my old posts from my "4.5.4 to 4.5.5 upgrade rant", and copy/pasting?
Dear X-Cart: it's not that upgrades are difficult -- you are MAKING them near impossible by ADDING totally non-essential garbage to the core. The so-called security "features" that were added in 4.5.5 and 4.6.0 are useless to the average merchant.

It is OBVIOUS that the xcart product manager approving these so-called "security features" is living in an ecommerce vacuum. But I had this "discussion" with various non-managers here in the forum. I would really like to have a true non-threatening conversation with THE person(s) at X-Cart who a) decided this would be an important addition to a minor bug-fix release; b) defend the NEED for these additional so-called security "features" -- not just "these features make the cart more secure", but "we were seeing hundreds and hundreds of customers' stores compromised..."; c) show us a real world need.

But it's too late. We are now 2 versions removed from a relatively stable core... and EVEN IF these so-called "security" features are beneficial, the upgrade process to add these features should have been designed to be an optional add-on, not integrally tied to an "upgrade".

We are wasting our energy.

[Ksenia]

Quote:

Originally Posted by cflsystems

Doing an upgrade from 4.1.9 to 4.6.0. The new security features are really pain in the ass. QT - PLEASE revised them and also make sure the config.php in the installation and the one in the upgrade packs have these features OFF by default - ALL of them.

We will not roll back all the security improvements or disable them by default per the request of a single user from the forum (even if this user is you, Steve - despite we do respect your opinion . We consider that enhanced security IS improvement and IS required. It should protect most merchants from being hacked.

At the same time, there's a way for developers like you to finish the upgrade, let me please try to help.

Quote:

Originally Posted by cflsystems

I had to do the upgrade on a separate server and once db upgraded move it back to the production server - apparently the new security features are tied to IP (otherwise I don't see why login will fail) and generate the signatures in customers tables based on that... Please correct me if I am wrong

This causes failed logins once db is moved to a different server. While the 4.6.0 installation can be done with most of these features being OFF an upgrade cannot - the config.php in the upgrade packs has them all set to IP or ON and modifying them in the file causes MD5 checksum to fail so the upgrade cannot be performed...

If you upgrade the database on a dev server, when you move the upgraded DB back to production server you need to edit config.php of production copy as follows:

1)copy $blowfish_key and security keys ($xc_security_key_session, $xc_security_key_config, $xc_security_key_general) from dev copy

or
2) Set these constants to 'false' so that the secret keys will not be checked:

const CHECK_CUSTOMERS_INTEGRITY
const CHECK_XAUTH_USER_IDS_INTEGRITY
const CHECK_RESET_PASSWORDS_INTEGRITY
const CHECK_CONFIG_INTEGRITY

We consider that #1 is a better choice, but it's up to you to decide.

And since you're editing config.php, you may also want to disable the 'block unknown admin IP' feature, (const BLOCK_UNKNOWN_ADMIN_IP is responsible for it) or expand the list of allowed admin IPs ( const ADMIN_ALLOWED_IP).

Quote:

Originally Posted by cflsystems

The only way to login was to go through "reset password" which by the way caused the following sql error

Code:

[24-Jun-2013 19:46:32] SQL error:
Site : URL
Remote IP : IP
Logged as : LOGIN
SQL query : REPLACE INTO xcart_login_history (`userid`, `date_time`, `usertype`, `action`, `status`, `ip`) VALUES ('27124', '1372128392', 'P', 'check_critical_config_values_authenticity: * Notify the site administrator about SQL errors in the store by email *Possible fake allowed IP addresses and/or the list of IP addresses awaiting registration *Check if payment gateway response is coming from the IP's specified here (enter a comma separated list) *Login error notification to site administrator *Possible fake allowed IP addresses and/or the list of IP addresses awaiting registration *Site administrator email address *SMTP server *Notify the site administrator by email if unallowed request to site occurs *Use SMTP server instead of internal PHP mailer *IP addresses for X-Payments callbacks (optional)', 'restricted', '1136079444')
Error code : 1064
Description : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's specified here (enter a comma separated list) *Login error notification t' at line 1
Request URI: /store/xcart/admin/home.php
Backtrace:
/store/xcart/include/func/func.db.php:320
/store/xcart/include/func/func.db.php:217
/store/xcart/include/func/func.db.php:711
/store/xcart/include/func/func.user.php:1580
/store/xcart/include/func/func.security.php:141
/store/xcart/admin/auth.php:103
/store/xcart/admin/home.php:44
-------------------------------------------------

Ildar has prepared a patch for this issue, please download it here

Quote:

Originally Posted by cflsystems

I continue to see this error as well

Code:

[24-Jun-2013 18:03:13] Error: Smarty error: [in main/orders_list.tpl line 54]: [plugin] modifier 'order_status_color' is not implemented (core.load_plugins.php, line 11 in /include/lib/smarty/Smarty.class.php on line 1093 

This error was fixed in version 4.5.5.

Quote:

Originally Posted by cflsystems

Also doing an upgrade from 4.5.x to 4.6.0 results in no sql or php errors on the 4.6.0 cart but installing new unmodified 4.6.6 gold+ shows this php error

Code:

[24-Jun-2013 19:52:16] PHP Fatal error: Cannot call method self::arg1PlusArg2() or method does not exist in /include/func/func.product.php on line 663

and this sql

Code:

    SQL query   : SELECT DISTINCT xcart_products.productid FROM xcart_products INNER JOIN xcart_products_lng_en ON xcart_products_lng_en.productid = xcart_products.productid INNER JOIN xcart_products_categories ON  xcart_products_categories.productid = xcart_products.productid AND xcart_products_categories.avail = 'Y'  LEFT JOIN xcart_category_memberships ON xcart_category_memberships.categoryid = xcart_products_categories.categoryid LEFT JOIN xcart_product_memberships ON xcart_product_memberships.productid = xcart_products.productid WHERE (xcart_category_memberships.membershipid = '0' OR xcart_category_memberships.membershipid IS NULL) AND (xcart_product_memberships.membershipid = '0' OR xcart_product_memberships.membershipid IS NULL) AND xcart_products.forsale='Y' AND xcart_products_categories.main='Y' AND xcart_products_categories.categoryid='9871' AND price >= '399.00' AND product >= 'Bronze Lite Class: H.264 8 Channel DVR - Apple IPHONE MAC OSX Windows PC Compatible' ORDER BY price ASC, xcart_products_lng_en.product ASC LIMIT 2
    Error code  : 1054
    Description : Unknown column 'price' in 'where clause'
Request URI: /store/xcart/product.php?productid=53748&cat=0&featured=Y
Backtrace:
/store/xcart/include/func/func.db.php:320
/store/xcart/include/func/func.db.php:217
/store/xcart/include/func/func.db.php:516
/store/xcart/include/func/func.product.php:1527
/store/xcart/include/func/func.product.php:555
/store/xcart/include/func/func.product.php:459
/store/xcart/include/func/func.product.php:425
/store/xcart/product.php:327

This error is specific for PHP v.5.2. Ildar has provided the patches for both problems in this discussion earlier, see post #43 of this very thread



[quote=cflsystems]
@Ksenia - I was not complaining although it will be a reasonable complain - RE product configurator. There are many XC owners with old carts which either bought this module before or had it included free with the cart and using it. The new XC line took this module out (fine) but not one upgrade pack checks if this module is in modules table and if it is ON and in the upgraded db and if not some sort of notification at least to turn it OFF. Every single upgrade I have done since this new line was introduced has the module (or the comparation module) ON and this causes the cart to not work after an upgrade - until this module is turned off or files are uploaded. The least the upgrade pack can do is turn off these module - not to delete their reference but so they don't load, and a note for admin on first login.... just an idea [quote]

Thank you for this observation. The adding of these 2 modules has just been removed from 'db_upgrade_packs' of versions:
4.1.12
4.2.3
4.3.2

In DB upgrader from 4.4.5 ( where the modules were available out of the box) they will be disabled by default.

Thus this issue should no longer bother you.

Quote:

Originally Posted by cflsystems

Another one - not sure how you want to handle this - but since 4.6.0 has some module's new info like tags, url, author... with an upgrade the modules already in the db do not have this info - maybe it is not a bad idea to allow admin to re-categorize modules so the existing ones do not receive just generic "ALL" tag.... just something to think about, not a bug or anything....

The idea is nice, I've forwarded it to X-Cart architects, however the fixes of bugs are of higher priority in our next version.

Steve, thank you for digging into it. We appreciate your help.

Have a nice day.

[cflsystems]

I don't want you to remove the new security features. Just don't have it all ON by default while installing/upgrading and allow - have a big red notice if you want in admin - setting them after all is installed and admin can login normally. You are not doing anyone any good by making it almost impossible to login in some cases (many by the way) after installation or upgrade, which makes everyone angry at QT....

Appreciate the respect really but I don't expect QT to change things just because of me or any other developer... it's not the way it works. But if you read the forum you will find not only me but many others complaining about this so... So a survey about it...

Another thing I forgot to mention yesterday - it is impossible (or I didn't see it) to generate these new security keys without re-generating the blowfish key. Which for an upgrade it is a must - the blowfish key has to stay the same as the live site and the security keys may need to be regenerated... Just one more thing to think about...

[RichieRich]

Am I right in thinking the Banner system only allows for fixed pixel width in the setting instead of both pixel and percentage?

Please add the ability to make it percentage, because as your demo shows, the banner is limited in the ideal responsive, where it could stretch the width of the element in the device change, instead it is pixel fixed. This will make a good improvement.

[RichieRich]

I am curious how on the x-cart goldplus demo the loading file sizes are considerably different than what I acheived. I actually disabled almost every module and the x-cart demo had most of them enabled.

X-cart demo:
JavaScript File 266.0K
Stylesheet File 37.6K

My demo:
JavaScript File 444.7K
Stylesheet File 221.9K

Now it does say that mine have not been compressed with gzip and x-cart demo has, however the speed up tools were checked, is there another option, or is there something I am not doing?

[carpeperdiem]

Quote:

Originally Posted by RichieRich

Now it does say that mine have not been compressed with gzip and x-cart demo has

bingo

[timbrrr]

Does anyone else have this scenario?:
When you go to an order in admin, click on print a receipt
Does the receipt come up with all the customer/order info, but then also with the antifraud information at the bottom of the receipt?

[carpeperdiem]

Take a look at file,
/skin/common_files/mail/html/order_invoice.tpl

Look for the antifraud info.
Comment it out.
Someone must have put it there?

[cflsystems]

Quote:

Originally Posted by Ksenia

If you upgrade the database on a dev server, when you move the upgraded DB back to production server you need to edit config.php of production copy as follows:

1)copy $blowfish_key and security keys ($xc_security_key_session, $xc_security_key_config, $xc_security_key_general) from dev copy

or
2) Set these constants to 'false' so that the secret keys will not be checked:

const CHECK_CUSTOMERS_INTEGRITY
const CHECK_XAUTH_USER_IDS_INTEGRITY
const CHECK_RESET_PASSWORDS_INTEGRITY
const CHECK_CONFIG_INTEGRITY

We consider that #1 is a better choice, but it's up to you to decide.

And since you're editing config.php, you may also want to disable the 'block unknown admin IP' feature, (const BLOCK_UNKNOWN_ADMIN_IP is responsible for it) or expand the list of allowed admin IPs ( const ADMIN_ALLOWED_IP).

@Ksenia
I tried option #1 and it did NOT work. Again if these security features are tied to the IP address they will never work when moved from one server to another unless keys are regenerated which is impossible without login in to admin or doing "forgot password".... Since even with all of them OFF you still can't login to admin the only way left is "forgot password"....