#41
Re: POODLE vulnerability in SSLv3
Hi all,
I am an older member with an old cart, version 4.0.17. I use the Commonwealth Bank Australia (via https://migs.mastercard.com.au) and Paypal as payment gateways, and recently had the APIs updated for the Paypal changes. I am hoping that this is all under control now as Paypal said they would swap over before 1-November 2014.

Re the Poodle problem: Unfortunately there is no directory or file modules/XPayments_Connector/xpc_func.php in my v4.0.17. I did a complete files text search on the string "SSLVERSION" and I only found 2 references to it, in the file "core" (no extension file name), which is 5,255,176 bytes long.

My host provider Emerson has indicated that he can disable the SSLv3 protocol on my server whenever I request it. I'll chase up my bank gateway and see what is happening there, but I would appreciate any assistance or advice that members can give me.

Thanks in advance,
Cheers Don...
__________________
Don McKenzie http://www.dontronics-shop.com/ X-Cart 4.0.17 [Unix] Hosting by www.totalserversolutions.com The very best home for your X-Cart. (was ewdhosting.com)
#42
Re: POODLE vulnerability in SSLv3
Thanks Steve!
1) Regarding post #21, my 4.4.5 is a little different - saying
Quote:
Quote:
Quote:
Will it work to comment those out?
2) And in func.https_ssleay.php it only shows ssl3 in
Quote:
Quote:
Should I also comment those out even though they aren't "if" statements? Thanks!
__________________
Jim - X-cart Gold 4.4.5
#43
Re: POODLE vulnerability in SSLv3
Different XC versions will have different code, yes.
You can either comment out the ifs, or you can also explicitly set the ssl3 variable to false right after the opening bracket of the function and it will not be used:

function NAME (PARAMETERS) {
    // set ssl3 to false so it is not used
    $use_ssl3 = false;
__________________
Steve Stoyanov CFLSystems.com Web Development
#44
Re: POODLE vulnerability in SSLv3
What about the 2 pieces of code that don't have 'if' (listed in my second item in post #42) that are in func.https_ssleay.php?
Should I also comment those out? Thanks!!!
__________________
Jim - X-cart Gold 4.4.5
#45
Re: POODLE vulnerability in SSLv3
You don't have to comment out anything, just add

    $use_ssl3 = false;

right after the opening function bracket.
__________________
Steve Stoyanov CFLSystems.com Web Development
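
One way to confirm the change described in posts #43 and #45 when the code differs between X-Cart versions, as an added example that is not part of any post in this thread and is not X-Cart code: a Python check that reports, for every PHP function referencing `$use_ssl3`, whether its body starts by forcing the variable to false. The sample PHP and its function names are constructed for illustration, and brace matching is simplified.

```python
import re

# Named PHP function header up to its opening brace (anonymous functions are skipped).
FUNC_RE = re.compile(r"function\s+(\w+)\s*\(.*?\)\s*\{", re.S)
# Body that begins (after whitespace/comments) with: $use_ssl3 = false;
FORCED_OFF_RE = re.compile(
    r"\s*(?:(?://|#)[^\n]*\n\s*|/\*.*?\*/\s*)*\$use_ssl3\s*=\s*false\s*;", re.S | re.I)

def function_bodies(src):
    """Yield (name, body) per named function. Braces are counted naively:
    braces inside PHP strings or comments are not handled (assumption)."""
    for m in FUNC_RE.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(1), src[m.end():i - 1]

def audit(src):
    """Map each function that uses $use_ssl3 to 'forced-off' or 'needs-review'."""
    report = {}
    for name, body in function_bodies(src):
        if "$use_ssl3" in body:
            forced = FORCED_OFF_RE.match(body) is not None
            report[name] = "forced-off" if forced else "needs-review"
    return report

# Constructed PHP for illustration; hypothetical functions, not X-Cart source.
SAMPLE = r"""
function sample_patched($url, $use_ssl3 = true) {
    // set ssl3 to false so it is not used
    $use_ssl3 = false;
    if ($use_ssl3) { $flags[] = 'ssl3'; }
    return $flags;
}
function sample_unpatched($url, $use_ssl3 = true) {
    if ($use_ssl3) { $flags[] = 'ssl3'; }
    return $flags;
}
function sample_late($url, $use_ssl3 = true) {
    if ($use_ssl3) { $flags[] = 'ssl3'; }
    $use_ssl3 = false;
    return $flags;
}
function sample_unrelated($url) { return $url; }
"""

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name}: {status}")
```

A function is reported as needs-review when the assignment is missing or does not come first in the body, since an `if` placed above it could still select SSLv3.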
#46
Re: POODLE vulnerability in SSLv3
> What about using x-cart 4.4.5 without x-payments - just a direct use of
> AuthorizeNet AIM under payment gateways?

This is not PCI compliant.
__________________
Sincerely yours, Alex Mulin VP of Business Development for X-Cart X-Payments product manager
#47
Re: POODLE vulnerability in SSLv3
Quote:
As it turns out though, PCI compliance means nothing. It simply doesn't work - biggest retailers in the world are hacked big time .... With that said, it doesn't mean you should not be compliant though.
__________________
Steve Stoyanov CFLSystems.com Web Development
#48
Re: POODLE vulnerability in SSLv3
Quote:
Steve, according to our own experience (and you know we worked with thousands of merchants from the entire world) it works like this: if something happens - you are liable and that's it. You were not compliant. Your fault.
__________________
Sincerely yours, Alex Mulin VP of Business Development for X-Cart X-Payments product manager
#49
Re: POODLE vulnerability in SSLv3
Oh yes, that's exactly how it works, no doubt.
__________________
Steve Stoyanov CFLSystems.com Web Development
#50
Re: POODLE vulnerability in SSLv3
Alex, I've manually applied the fix you suggested to Mark above to one of our stores running v4.4.3 and it worked successfully; however, I have an older store that's running v4.1.9 which cannot be upgraded due to the number of hacks/mods and customizations we've applied. We're scheduled for a complete redesign in the next few months; however, based on an email from Authorize.Net we just received, they are closing SSL v3 support as of November 4th.
The trouble is, I cannot even find a file called xpc_func.php, not in the XPayments_Connector folder or anywhere else on v4.1.9. What suggestions do you have? And what version of SSL does this older version of X-Cart use by default or currently support?
Thanks for your help,
Segovia
__________________
4 Stores running X-Cart Gold v4.1.9 | v4.3.2 | v4.4.0
X-Cart forums © 2001-2020