#51
Re: POODLE vulnerability in SSLv3
I have the same problem with a V4.0.17 XC. See my post earlier (first on page 5). http://forum.x-cart.com/showpost.php?p=379077&postcount=41 Cheers Don...
__________________
Don McKenzie http://www.dontronics-shop.com/ X-Cart 4.0.17 [Unix] Hosting by www.totalserversolutions.com The very best home for your X-Cart. (was ewdhosting.com)
#53
Re: POODLE vulnerability in SSLv3
If I upgrade my server to disallow SSLv3 (cPanel has a solution where for SSL/TLS I say "All -SSLv2 -SSLv3"):
1) Do I need to do anything at all with X-cart code since the server already disallows SSLv3?
2) I also have many LiteCommerce ASPE 2.1 shopcarts. Will LiteCommerce carts still work if the server no longer allows SSLv3?
__________________
Jim - X-cart Gold 4.4.5
#54
Re: POODLE vulnerability in SSLv3
> 2) I also have many LiteCommerce ASPE 2.1 shopcarts. Will LiteCommerce carts
> still work if the server no longer allows sslv3?
I advise you to contact our techs via your HelpDesk account.
__________________
Sincerely yours, Alex Mulin VP of Business Development for X-Cart X-Payments product manager
#55
Re: POODLE vulnerability in SSLv3
File "modules/XPayments_Connector/xpc_func.php" is only available if you're using X-Payments to receive payments. In all other cases this patch is not applicable to you. By default, X-Cart versions use the default SSL version, which should actually be TLS after SSLv3 is disabled on your server (SSLv2 should already have been disabled 5-7 years ago if you're using up-to-date libCURL). Since X-Cart 4.2.2 there is also an ability, used by some built-in gateways, to force SSLv3 in its code (include/func/func.https_*.php files), which should be removed or replaced with code that enables TLS.
__________________
Sincerely yours, Vladimir Petrov Senior X-Payments Developer
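For readers who want to see what the post above describes in code, here is an added example (not X-Cart's actual func.https_*.php source, and not code from anyone in this thread): a curl-based HTTPS helper that pins SSLv3 through CURLOPT_SSLVERSION, beside the same helper changed to negotiate TLS. The function names and the $url/$fields parameters are assumptions made for this illustration.

```php
<?php
// Added example, not X-Cart's own code: the libcurl setting that pins SSLv3, beside a TLS replacement.

// BEFORE: pinned to SSLv3. Once a gateway disables SSLv3 in response to POODLE,
// every request from this helper fails at the handshake.
function https_post_forced_sslv3($url, array $fields)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_SSLv3, // the setting the patch removes
    ));
    return finish_request($ch);
}

// AFTER: let libcurl negotiate TLS. CURL_SSLVERSION_TLSv1 means TLS 1.0 or newer;
// where the PHP/libcurl build exposes it, raise the floor to TLS 1.2.
function https_post_tls($url, array $fields)
{
    $minVersion = defined('CURL_SSLVERSION_TLSv1_2')
        ? CURL_SSLVERSION_TLSv1_2   // needs libcurl 7.34.0 or newer
        : CURL_SSLVERSION_TLSv1;
    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_SSL_VERIFYPEER => true, // keep certificate checking on
        CURLOPT_SSL_VERIFYHOST => 2,    // and hostname checking
        CURLOPT_SSLVERSION     => $minVersion,
    ));
    return finish_request($ch);
}

// Shared tail: run the request and return a result the caller can inspect.
// A handshake failure shows up as a non-empty 'error' rather than being swallowed.
function finish_request($ch)
{
    $body = curl_exec($ch);
    $result = array(
        'ok'    => $body !== false,
        'code'  => (int) curl_getinfo($ch, CURLINFO_HTTP_CODE),
        'error' => curl_errno($ch) ? curl_error($ch) : '',
        'body'  => $body === false ? '' : $body,
    );
    curl_close($ch);
    return $result;
}
```

Calling https_post_forced_sslv3() against a gateway that has already turned SSLv3 off returns 'ok' => false with a curl handshake error in 'error', which is the symptom the patches in this thread are meant to prevent.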
#56
Re: POODLE vulnerability in SSLv3
Yeah, folks, if you are not using X-Payments you do not need to apply X-Payments connector patches. This thread was originally created about fixing the POODLE in case you do use X-Payments and your server disabled SSLv3. As you can see it is posted in "X-Payments" part of the forum.
__________________
Sincerely yours, Alex Mulin VP of Business Development for X-Cart X-Payments product manager Last edited by ambal : 10-30-2014 at 02:20 AM.
#57
Re: POODLE vulnerability in SSLv3
This information is relevant for you if you're using X-Cart of one of the versions affected:

Affected versions: 4.2.2 - 4.6.4 of all editions (Gold, GoldPlus, Platinum, Pro)
NOT affected: 4.2.1 and earlier; 4.6.5 (the latest currently); all versions of X-Cart 5.x

Applying these patches is a must if you use:
* PayPal Advanced;
* UPS;
* AuthorizeNet - AIM (in older X-Cart versions through 4.4.5).

Two of the aforementioned services have already informed about the intention to disable the support of SSLv3 because of the POODLE vulnerability (read more about it in the very end of this email). The timeframes differ, but once it happens, the current integration will stop working. It means that to continue using their services you must patch your store, the sooner the better.

I don't use the above, do I need the patch?
Applying these patches is strongly recommended in any case, even if your store is not using the services listed above, because it may be using some other services that may also require the changes implemented by the patches.

What the patch does:
These patches provide updates for your HTTPS modules and help to avoid possible problems with https requests sent by your store to various services. The integrations with these services (including UPS, PayPal Advanced, Authorize.Net-CIM, but probably not limited to this list) may stop working in the nearest future when these services remove the support for the outdated and vulnerable SSLv3 protocol.

!!! If you host with X-Cart and your plan includes free support, or if you have an X-Cart support subscription, please submit a ticket to have your store patched FOR FREE.

To apply the patch, follow the instructions below:
It is HIGHLY RECOMMENDED to back up your database and files before patching the store.

1) Download the patch (the remove_ssl3-2014-10-30{version}.tgz archive file) from the "File area" section of your Qualiteam account.
You can find the patch at X-Cart -> X-Cart supporting files for prev versions -> {Your X-Cart branch} -> {Your X-Cart version} -> Updates and patches

2) Decompress the archive file. The following files/folders will be extracted:
/DIFF-xcart - contains DIFF files for patching customized X-Cart files
/README - this README file
/xcart - contains already patched X-Cart files
DIFF-xcart.diff - contains all the DIFF files from the DIFF-xcart folder combined into one file
patch.sql - contains SQL changes
Note: A DIFF file is a file that contains the differences between two files. In our case, a DIFF file contains changes made to the current file compared to the former version of the same file.

3) Make sure the database backup is created, and apply patch.sql to your database.

4) Install the patch; there are 2 ways to do it:
4.a) Replace the affected files in your software copy with the patched files. If the files from the xcart directory are not modified in your X-Cart, you may use the first method of applying the patch. This way, the files from the patch will overwrite the same files in your X-Cart. You should copy the files from the patch to your X-Cart installation using FTP or another tool that you use for managing files on your web server. The copied files will replace the original ones that contain errors, thus the errors will be fixed.
NOTE: The patch will overwrite the files completely, i.e. the target files will have the default settings. If you are now using a modified/customized version of the files, make sure to re-implement the changes after applying the patch, or just install the patch manually.
4.b) Apply the patch manually using DIFF files. If the files were modified, it is recommended to apply the patch manually using the DIFF files. Thus, you will keep your modifications intact. To learn about this installation method, please read the article in the X-Cart Knowledge Base.
NOTE: Use either the DIFF-xcart.diff patch or the DIFF files from the DIFF-xcart folder. Do not apply both.

5) Make sure your payment and shipping integrations work correctly.

If you encounter any problems during or after installation, feel free to contact our support team for help.
---------------------------------------------------------------------------------------
PS: A cute poodle here: http://www.youtube.com/watch?v=Gw85SGlIo8Y
__________________
X-Cart team Last edited by Ksenia : 04-29-2015 at 09:54 PM.
#58
Re: POODLE vulnerability in SSLv3
Thanks Ksenia, if SSLv3 has been disabled by my hosts should I still patch? I'm getting:

    This server is not vulnerable to the POODLE attack because it doesn't support SSL 3.
    This server supports TLS_FALLBACK_SCSV to prevent protocol downgrade attacks.

when I run the ssltest. Thanks Dan
__________________
4.4.2 and 4.6.1
#59
Re: POODLE vulnerability in SSLv3
Hi Dan, most probably you should. It's good your host switched to TLS, but the patches we provided are about 3rd party services your store integrates with, about disabling SSLv3 on their side (making X-Cart compatible with it, to be exact). PayPal Advanced and Authorize.NET CIM are in the confirmed list, and even more companies are about to switch, too.
__________________
X-Cart team
#60
Re: POODLE vulnerability in SSLv3
I do not have the patch files listed in my file area for 4.3.1. When will they become available?
__________________
Thanks, Dan X-Cart Version 4.3.1
X-Cart forums © 2001-2020