Follow us on Twitter X-Cart on Facebook Wiki
Shopping cart software Solutions for online shops and malls
 

POODLE vulnerability in SSLv3

 
Reply
   X-Cart forums > X-Payments > X-Payments issues & questions
 
Thread Tools
  #121  
Old 11-24-2014, 11:15 PM
  ambal's Avatar 
ambal ambal is online now
 

X-Cart team
  
Join Date: Sep 2002
Posts: 4,126
 

Default Re: POODLE vulnerability in SSLv3

Seldomseen, please make sure your server cURL supports TLS 1.0/1.1 as well (check with your hosting admin).
__________________
Sincerely yours,
Alex Mulin
VP of Business Development for X-Cart
X-Payments product manager
Reply With Quote

The following user thanks ambal for this useful post:
Seldomseen (11-25-2014)
  #122  
Old 11-25-2014, 11:51 AM
 
Seldomseen Seldomseen is offline
 

Newbie
  
Join Date: Mar 2008
Posts: 4
 

Default Re: POODLE vulnerability in SSLv3

Quote:
Originally Posted by ambal
Seldomseen, please make sure your server cURL supports TLS 1.0/1.1 as well (check with your hosting admin).

Yes according to the host - even tested it.

So far here is what I have done:

Prior to X-Pay ssl disable:

1. installed: remove_ssl3-2014-10-30_4.5.5

After failure when it was disabled:

1. Verified with host cURL version. The also installed a perl module they though may have been a dependency.

2. Verified installation of patch per Post #98. I also reviewed the DIFF provided in that post, but the version of cc_authorizenet.php is different than mine.

3. Reviewed modules specified in Post #115 for "use_ssl" string. I think these were a part of the patch, so nothing found.

4. Verified with host that TLS is supported by cURL.

I am not sure what to do at this point.

Thanks for your help.

__________________
x-cart 4.5.5 Gold
Reply With Quote
  #123  
Old 11-25-2014, 10:51 PM
 
Seldomseen Seldomseen is offline
 

Newbie
  
Join Date: Mar 2008
Posts: 4
 

Default Re: POODLE vulnerability in SSLv3

My issue is now resolved. I somehow missed post #3 and needed to remove:

curl_setopt($ch, CURLOPT_SSLVERSION, 3);

from modules/XPayments_Connector/xpc_func.php.
__________________
x-cart 4.5.5 Gold
Reply With Quote
  #124  
Old 11-25-2014, 11:45 PM
  ambal's Avatar 
ambal ambal is online now
 

X-Cart team
  
Join Date: Sep 2002
Posts: 4,126
 

Default Re: POODLE vulnerability in SSLv3

Quote:
Originally Posted by Seldomseen
My issue is now resolved. I somehow missed post #3 and needed to remove:

curl_setopt($ch, CURLOPT_SSLVERSION, 3);

from modules/XPayments_Connector/xpc_func.php.

Yep, the X-Payments connector patch has been published at the very beginning of this thread that was created as about addressing the POODLE in X-Payments originally but after some time it became "whole X-Cart community the POODLE thread" and you could miss the point that for X-Payments you need to patch X-Payments connector at X-Cart side.

I am happy to know you figured out after all! Have a great Cyber Monday next week!
__________________
Sincerely yours,
Alex Mulin
VP of Business Development for X-Cart
X-Payments product manager
Reply With Quote
  #125  
Old 01-05-2015, 04:55 PM
 
simcomedia simcomedia is offline
 

Advanced Member
  
Join Date: Sep 2006
Posts: 95
 

Default Re: POODLE vulnerability in SSLv3

I have this exact issue. But, with a twist. About 6 weeks ago I 'patched' this Xcart with a security patch downloaded from the files area. Therefore the .diff file you've recommended above won't work on our cart since it states 'could not patch' when trying to upload and install it.

No orders can get through right now so we're really searching for a solution here.

I did download the complete Xpayments package your link pointed to on Google Drive. But it's unclear if I should:

1) upload these files and write over the existing, or
2) remove the current Xpayments folder/files and treat this like a new install
3) save all the various settings in Xpayments configuration as a precaution, then upload all the new files to overwrite existing, run the installation program, and somehow it will know it's an 'update' and not a new installation.

Any help would be magnificent. Thank you in advance.
__________________
Custom Designs - Web Templates
www.templatedepot.com
Reply With Quote
  #126  
Old 01-05-2015, 09:48 PM
  cflsystems's Avatar 
cflsystems cflsystems is offline
 

Veteran
  
Join Date: Apr 2007
Posts: 14,197
 

Default Re: POODLE vulnerability in SSLv3

You just need to patch the files manually - http://help.x-cart.com/ - search for patching files
__________________
Steve Stoyanov
CFLSystems.com
Web Development
Reply With Quote

The following user thanks cflsystems for this useful post:
ambal (01-06-2015)
  #127  
Old 01-06-2015, 02:46 AM
  ambal's Avatar 
ambal ambal is online now
 

X-Cart team
  
Join Date: Sep 2002
Posts: 4,126
 

Default Re: POODLE vulnerability in SSLv3

> I did download the complete Xpayments package your link pointed to on Google
> Drive. But it's unclear if

Please do not get confused. The package you are referring here is not X-Payments. It is X-Payments connector module for X-Cart 4.x that needs to be installed instead of your current X-Cart 4.x X-Payments connector in X-Cart.
__________________
Sincerely yours,
Alex Mulin
VP of Business Development for X-Cart
X-Payments product manager
Reply With Quote
  #128  
Old 03-10-2015, 05:41 PM
  cherie's Avatar 
cherie cherie is offline
 

X-Wizard
  
Join Date: May 2003
Location: USA
Posts: 1,534
 

Default Re: POODLE vulnerability in SSLv3

Quote:
Originally Posted by Ksenia

NOT affected: 4.2.1 and earlier ; 4.6.5 (the latest currently) ; all versions of X-Cart 5.x

Applying these patches is a must of you use:
...
*UPS;
Looks like UPS turned off SSLv3 support and it broke fully-patched 4.0.19 and 4.1.12 stores, so a patch is needed for these versions after all.
  • 4.1 - Use the 4.2 patches
  • 4.0 - Manually patch the similarly named files found in /payment
__________________
redlimeweb.com
custom mods and design integration
4.7 linux
Reply With Quote

The following user thanks cherie for this useful post:
totaltec (03-10-2015)
  #129  
Old 03-10-2015, 06:15 PM
  cflsystems's Avatar 
cflsystems cflsystems is offline
 

Veteran
  
Join Date: Apr 2007
Posts: 14,197
 

Default Re: POODLE vulnerability in SSLv3

Yes finding the same today.
__________________
Steve Stoyanov
CFLSystems.com
Web Development
Reply With Quote
  #130  
Old 03-12-2015, 03:57 AM
  totaltec's Avatar 
totaltec totaltec is offline
 

X-Guru
  
Join Date: Jan 2007
Location: Louisville, KY USA
Posts: 5,823
 

Default Re: POODLE vulnerability in SSLv3

Quote:
Originally Posted by cflsystems
Yes finding the same today.
Me too, had several client sited whose UPS shipping went down.
__________________
Mike White - Now Accepting new clients and projects! Work with the best, get a US based development team for just $125 an hour. Call 1-502-773-6454, email mike at babymonkeystudios.com, or skype b8bym0nkey

XcartGuru
X-cart Tutorials | X-cart 5 Tutorials

Check out the responsive template for X-cart.
Reply With Quote
Reply
   X-Cart forums > X-Payments > X-Payments issues & questions



Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT -8. The time now is 04:22 PM.

   

 
X-Cart forums © 2001-2020