#21
Re: POODLE vulnerability in SSLv3
XC uses SSL 3 in these files as well:
func.https_X.php, where X is libcurl, curl, openssl, ssleay. It is OFF by default, but other code in XC may set it to true when used. The solution will be to find the line in the file that sets the option for SSL3 and comment it out. For example, in func.https_libcurl.php there is this PHP Code:
so just comment it out PHP Code:
This is untested, so make sure you do some test orders if changing it. QT, can we get clarification on this and a patch for XC if possible?
__________________
Steve Stoyanov CFLSystems.com Web Development
#22
Re: POODLE vulnerability in SSLv3
We edited the conf file to exclude SSLv3 from SSLProtocol. We did an online test and it passes. Do we still need to patch the X-payment connector files?
__________________
X-Cart Gold Plus 4.5.5 Checkout ONE Checkout ONE DPM BCSE CIM Apache Linux
#23
Re: POODLE vulnerability in SSLv3
Quote:
Yes, if you use X-Payments. This thread was originally created about dealing with the POODLE in X-Payments.
__________________
Sincerely yours, Alex Mulin VP of Business Development for X-Cart X-Payments product manager
#24
Re: POODLE vulnerability in SSLv3
Quote:
This is the correct patch. Our team is working on the 4.6.5 release planned for this week. This version will have the necessary corrections to not use SSLv3.
__________________
Sincerely yours, Max Vydrin
#25
Re: POODLE vulnerability in SSLv3
Re: Magento users of X-Payments
Nothing needed to be patched in the connector module, as our Magento connector for X-Payments relies on using the built-in Magento HTTPS module. So I advise checking with Magento regarding whether or not Magento needs to be patched.
__________________
Sincerely yours, Alex Mulin VP of Business Development for X-Cart X-Payments product manager
#26
Re: POODLE vulnerability in SSLv3
We are having an issue with this on XC 4.5.5.
We installed the newest X-Payments Connector, and received the following errors in: x-errors_xpay_connector-xxxxxx.php Code:
Then in x-errors_payments-xxxxxx.php: Code:
EDIT: We successfully reverted to old setup, but would still like to know how to fix the above errors.
__________________
Marcello Canitano New Site: X-Cart v4.5.5 GOLD X-Cart Mobile v1.4.3 X-Payments v1.0.6 CDSEO Pro v2 Total Server Solutions xCDN www.silverhorseracing.com
#27
Re: POODLE vulnerability in SSLv3
I fixed two stores using this fix. Thank you so much.
X-cart 4.54 and 4.52 with x-payment 1.06.
__________________
X-Cart Gold 4.5.x/4.4.x/4.31/4.19
#28
Re: POODLE vulnerability in SSLv3
For those not using xpayments: I'm on 4.6.4. I added
SSLProtocol all -SSLv2 -SSLv3
to my pre-virtual host include file on Apache, pre_virtualhost_global.conf, and passed the test. This is a CENTOS 6.4 x86_64 standard GoDaddy dedicated server.
__________________
4.7.x xcart store Business 5.4xx
#29
Re: POODLE vulnerability in SSLv3
I passed the test
"This server is not vulnerable to the POODLE attack because it doesn't support SSL 3"
Does it mean I do not need to do anything? I did fail this (what is it?): IE 6 / XP No FS 1 No SNI 2 Protocol or cipher suite mismatch
__________________
Tammy x-cart gold + 4.7.2 x-cart 5.2.10
#30
Re: POODLE vulnerability in SSLv3
We are having trouble with an x-cart installation using Version 4.5.5 with X-PAYMENTS v.1.0.2.
After turning off SSL3 on the server we no longer had the ability to enter credit card information within the checkout process. We therefore patched our x-cart installation manually by:
1.) Removing the line of code
curl_setopt($ch, CURLOPT_SSLVERSION, 3);
from modules/XPayments_Connector/xpc_func.php. We did not see the following line within our version of x-cart:
curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'DEFAULT');
So this step was bypassed.
2.) We then tested with no luck.
3.) We then removed
if ($use_ssl3) curl_setopt ($ch, CURLOPT_SSLVERSION, 3);
from the func.https_X.php file and tested again. Still no luck.
4.) We then installed the newest X-Payments Connector, and white screened the entire cart.
Any suggestions?
__________________
4.0x - 4.5x |
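An audit sketch for the fix discussed in this thread, added here as an example and not X-Cart's own code: it walks a source tree and reports uncommented lines that still pin cURL to SSLv3, skipping lines that were already commented out. The function names and the sample input are constructed for illustration, and the comment stripping is a heuristic, not a PHP parser.

```python
import re
import sys
from pathlib import Path

# CURLOPT_SSLVERSION set to 3 / CURL_SSLVERSION_SSLv3, either as a
# curl_setopt() argument or as a curl_setopt_array() "=>" entry.
PIN_RE = re.compile(
    r"CURLOPT_SSLVERSION\s*(?:,|=>)\s*(?:3|CURL_SSLVERSION_SSLv3)\b")
BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
# "//" not preceded by ":" so that "https://..." inside a string is left alone.
LINE_COMMENT_RE = re.compile(r"(?:(?<!:)//|#)[^\n]*")


def _blank(match):
    # Replace comment text with spaces, keeping newlines so line numbers hold.
    return re.sub(r"[^\n]", " ", match.group(0))


def find_sslv3_pins(src):
    """Return [(line_no, code)] for uncommented lines that force SSLv3."""
    clean = LINE_COMMENT_RE.sub(_blank, BLOCK_COMMENT_RE.sub(_blank, src))
    original = src.split("\n")
    return [(no, original[no - 1].strip())
            for no, line in enumerate(clean.split("\n"), 1)
            if PIN_RE.search(line)]


def scan_tree(root):
    """Map each .php file under root to its active SSLv3 pins, if any."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = find_sslv3_pins(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report


# Constructed sample, modelled on the lines quoted in the thread.
SAMPLE = """<?php
curl_setopt($ch, CURLOPT_SSLVERSION, 3);
// curl_setopt($ch, CURLOPT_SSLVERSION, 3);
if ($use_ssl3) curl_setopt ($ch, CURLOPT_SSLVERSION, 3);
/* if ($use_ssl3)
   curl_setopt($ch, CURLOPT_SSLVERSION, 3); */
curl_setopt($ch, CURLOPT_URL, 'https://example.test/pay');
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, hits in scan_tree(sys.argv[1]).items():
            for no, code in hits:
                print(f"{path}:{no}: {code}")
    else:
        print(find_sslv3_pins(SAMPLE))
```

Run it with the store's root directory as the only argument; an empty result means no active SSLv3 pin was found by this pattern, not that the server-side SSLProtocol setting is correct.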
X-Cart forums © 2001-2020