#1
POODLE vulnerability in SSLv3
Hi Everyone,
This part is for those who use X-Payments:
----------------
As you may already know, right after the OpenSSL Heartbleed vulnerability a new one has been found in the SSL protocol - POODLE. The POODLE vulnerability is a weakness in version 3 of the SSL protocol that allows an attacker in a man-in-the-middle context to decipher the plain text content of an SSLv3 encrypted message. You can read more about POODLE at https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-poodle-sslv3-vulnerability

Please note - this is NOT a vulnerability in X-Payments or X-Payments connector modules for X-Cart. This is a vulnerability in ciphering software used by almost any server on the Internet to establish secure connections.

What needs to be done:

1) X-Cart 4 users - apply the xc4_xp_no_force_ssl3.diff patch to your X-Cart. It will disable the forced use of SSLv3 and enable automatic selection of TLS or SSL, so if your hosting provider has disabled SSLv3 support for your X-Payments installation your X-Cart will still be able to connect to X-Payments using TLS. Or you can download our new connectors for X-Cart 4 at https://drive.google.com/a/x-cart.com/folderview?id=0B6p7sehSZL8_akhxR0VwQ0dta2M&usp=drive_web#list - they have been updated today to have the patch out of the box.
X-Cart 5 users - install the latest version of the X-Payments connector available at the X-Cart 5 Marketplace.

2) Make sure the server where you run X-Cart uses cURL v7.18.1 or newer. If you use an X-Payments Enterprise/Downloadable license - check the same for your X-Payments server. If your cURL is older - update it. If you have no idea what cURL is - consult your hosting admin.

And since I mentioned OpenSSL Heartbleed - check your OpenSSL version - it should be at least 1.0.1g.
--------------------
If you do not use X-Payments - go straight to http://forum.x-cart.com/showpost.php?p=379153&postcount=57
__________________
Sincerely yours, Alex Mulin, VP of Business Development for X-Cart, X-Payments product manager
Last edited by ambal : 10-30-2014 at 05:29 AM.

#2
Re: POODLE vulnerability in SSLv3
Where is the patch Alex?
__________________
Steve Stoyanov, CFLSystems.com Web Development

#3
Re: POODLE vulnerability in SSLv3
Quote:
In the original message, Steve.
__________________
Sincerely yours, Alex Mulin, VP of Business Development for X-Cart, X-Payments product manager

#4
Re: POODLE vulnerability in SSLv3
I guess you just changed the original message while I was typing. It is different now.
Thanks
__________________
Steve Stoyanov, CFLSystems.com Web Development

#5
Re: POODLE vulnerability in SSLv3
Quote:
Yep, I was typing this long message and forgot to attach the file, but I noticed that immediately after the post had been made and edited the message.
__________________
Sincerely yours, Alex Mulin, VP of Business Development for X-Cart, X-Payments product manager

#6
Re: POODLE vulnerability in SSLv3
Does this affect all XC users? If I'm not using X-Payments or X-Payments connector modules, do I need to worry about this?
__________________
X-Cart Gold Plus 4.6.6, Altered Cart - Checkout One, Altered Cart - Checkout One Payments, Altered Cart - Cash Rewards, Altered Cart - On Sale, Smack Digital - CDSEO, Smack Digital - CDSEO Rich Snippets, Smack Digital - xCMS, The xCart Store - xBanners2, Star Plugins - Cloud Zoom. Heavily Customized by Starts Here Ltd. (UK)

#7
Re: POODLE vulnerability in SSLv3
Can't seem to get this patch to apply - looks like the xpc_func.php I have is different. I haven't applied any customizations to this file but it doesn't appear to match what is in the diff. Here is the version info of the file (running XC 4.6.3):

`* @version 58ab7bdc89b3d4cd894ef7d853bcc6f0c4dcca6b, v101 (xcart_4_6_2), 2014-02-03 17:25:33, xpc_func.php, aim`

I'm nervous about putting a new connector in place; I have seen conflicting information about whether or not it supports X-Payments 1.0.6. Can you clarify, Alex?
-Mark
__________________
X-Cart Gold Plus 4.6.5. Mods - WebsiteCM Dynamic Product Tabs, Smack Digital CDSEO Pro, AlteredCart Smart Search, AlteredCart One Page Checkout, Cart Works Power Filter, Firetank Software Feed Manager

#8
Re: POODLE vulnerability in SSLv3
> Does this affect all XC users? If I'm not using X-Payments or X-Payments connector
> modules do I need to worry about this?

I would say POODLE affects really everyone on the Internet. This is a bug in the SSL v3 protocol. It is not X-Cart or X-Payments related only.
__________________
Sincerely yours, Alex Mulin, VP of Business Development for X-Cart, X-Payments product manager

#9
Re: POODLE vulnerability in SSLv3
Mark,
Quote:

In order to make the change manually, in the file modules/XPayments_Connector/xpc_func.php find the line of code `curl_setopt($ch, CURLOPT_SSLVERSION, 3);` and remove it. If near the above line of code you see this: `curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'DEFAULT');` remove this, too.

Quote:

It does support v1.0.6, but only for credit card processing. Anyway, we always recommend testing new modules before letting them go live, e.g. on a test server.
__________________
Sincerely yours, Alex Mulin, VP of Business Development for X-Cart, X-Payments product manager

#10
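The manual fix Alex describes above (drop the `CURLOPT_SSLVERSION, 3` and `CURLOPT_SSL_CIPHER_LIST` lines) and the two version checks from the first post (cURL 7.18.1 or newer, OpenSSL 1.0.1g or newer), worked through as an added PHP example. This is not X-Cart's or X-Payments' own connector code: the function names are hypothetical, `$url` is a placeholder parameter, and the sample version values at the bottom are constructed so the report function can be exercised offline.

```php
<?php
// Added example, not X-Cart or X-Payments code. It puts the cURL lines the
// thread tells X-Payments users to delete beside a hardened replacement, and
// adds the two version checks from the first post (cURL >= 7.18.1, OpenSSL
// >= 1.0.1g). $url is a hypothetical parameter; the real connector builds its
// request elsewhere.

// Before: the code the thread says to remove. The literal 3 is
// CURL_SSLVERSION_SSLv3, so every request is pinned to the protocol POODLE
// breaks, and a gateway that has switched SSLv3 off refuses the handshake.
function xpc_init_forced_sslv3(string $url)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_SSLVERSION, 3);               // forces SSLv3
    curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'DEFAULT');  // the patch removes this too
    return $ch;
}

// After: no forced protocol, so cURL negotiates the newest version both
// sides support, which is what the patch achieves. Where the PHP build
// exposes the constant, this goes one step further than the patch and
// rejects anything below TLS 1.2. Peer and host verification stay on: an
// in-path attacker is exactly what POODLE needs.
function xpc_init_hardened(string $url)
{
    $ch = curl_init($url);
    if (defined('CURL_SSLVERSION_TLSv1_2')) {
        curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
    }
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    return $ch;
}

// Turns the "OpenSSL/1.0.1g" form used by curl_version()['ssl_version'] into a
// comparable tuple. The patch letter becomes a number (a=1, ..., g=7) because
// version_compare() treats unknown letter suffixes as equal; OpenSSL 3.x
// releases without a letter get 0. Other TLS backends (GnuTLS, NSS) return
// null, since this check only knows OpenSSL's numbering.
function xpc_openssl_tuple(string $sslVersion): ?array
{
    if (!preg_match('#OpenSSL/(\d+)\.(\d+)\.(\d+)([a-z]?)#', $sslVersion, $m)) {
        return null;
    }
    $patch = $m[4] === '' ? 0 : ord($m[4]) - ord('a') + 1;
    return [(int) $m[1], (int) $m[2], (int) $m[3], $patch];
}

// Applies the thread's two minimums to the running cURL build. Pass an array
// shaped like curl_version() to check another server's values offline.
function xpc_tls_stack_report(?array $info = null): array
{
    $info = $info ?? curl_version();
    $ssl  = xpc_openssl_tuple($info['ssl_version'] ?? '');
    return [
        'curl_version' => $info['version'],
        'curl_ok'      => version_compare($info['version'], '7.18.1', '>='),
        'ssl_version'  => $info['ssl_version'] ?? 'unknown',
        'openssl_ok'   => $ssl !== null && $ssl >= [1, 0, 1, 7],  // 1.0.1g
    ];
}

// Usage. The first call inspects this server; the second uses a constructed
// sample (not real X-Payments output) so the report can be exercised offline.
print_r(xpc_tls_stack_report());
print_r(xpc_tls_stack_report(['version' => '7.19.7', 'ssl_version' => 'OpenSSL/1.0.1e']));
```

Run it on the X-Cart server with the PHP CLI. Both `curl_ok` and `openssl_ok` must come back `true` for the first call before the patched connector is expected to reach X-Payments over TLS; the second call shows how a build with a recent cURL but a pre-Heartbleed-fix OpenSSL is reported.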
Re: POODLE vulnerability in SSLv3
Thanks for the quick response - made the changes suggested and tested after disabling SSLv3, all looks good now. Will test out the new connector - when you say "It does support v1.0.6 but only for credit card processing.", what does it not support exactly?
__________________
X-Cart Gold Plus 4.6.5. Mods - WebsiteCM Dynamic Product Tabs, Smack Digital CDSEO Pro, AlteredCart Smart Search, AlteredCart One Page Checkout, Cart Works Power Filter, Firetank Software Feed Manager

X-Cart forums © 2001-2020