Shopping cart software Solutions for online shops and malls
#31
666 - is that okay?
__________________
X-Cart 4.1.11
#32
That's writable which is probably the issue. Should have been 644. All php/tpl files should be 644 on a live site:
http://forum.x-cart.com/showthread.php?t=9163
__________________
Padraic Ryan Ryan Design Studio Professional E-Commerce Development
#33
And who is xxx?
__________________
Padraic Ryan Ryan Design Studio Professional E-Commerce Development
#34
REMOVED by request of person mentioned in thread
__________________
X-Cart 4.1.11
#35
So I need to go through and chmod all the xcart php files to be 644....
__________________
X-Cart 4.1.11
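
The permission change discussed in posts #32 and #35, as an added example that is not part of the original thread: it lists `.php` and `.tpl` files that are group- or world-writable (such as a 666 file) and can reset every such file to 644. The store path argument and the `--fix` flag are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. The store path ($1) is a placeholder.

# Run find over regular .php/.tpl files only; extra find tests are appended.
# find does not follow symlinks by default, so linked targets are left alone.
php_tpl_files() {
    root=$1
    shift
    find "$root" -type f \( -name '*.php' -o -name '*.tpl' \) "$@"
}

# Print files that group or others can write to (666, 664, 777, ...).
audit_writable() {
    php_tpl_files "$1" \( -perm -020 -o -perm -002 \) -print
}

# Number of files audit_writable would report.
count_writable() {
    audit_writable "$1" | wc -l | tr -d ' '
}

# Set every .php/.tpl file that is not already exactly 644 to 644.
# Other file types and all directories are left untouched.
fix_modes() {
    php_tpl_files "$1" ! -perm 644 -exec chmod 644 {} +
}

# Usage: sh audit.sh /path/to/store [--fix]
if [ "$#" -ge 1 ]; then
    if [ "${2:-}" = "--fix" ]; then
        fix_modes "$1"
    fi
    audit_writable "$1"
fi
```

Run it without `--fix` first and review the list before changing anything on a live site.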
#36
Follow that link I posted - lots of things to do to make sure you are secure.
__________________
Padraic Ryan Ryan Design Studio Professional E-Commerce Development
#37
Thanks, will do. We (the system admin) created an htaccess that should be a big help to detracting hackers using remote scripts.
__________________
X-Cart 4.1.11
#38
I think the process that QT uses for management of their files for release might explain why there are many problems with what might otherwise be easy security patches. You have to be careful applying these patches if you are in this situation:
Say that you were running 4.1.10, then did an upgrade to 4.1.11 around the time of its release - example early September. You would have downloaded an upgrade pack for 4.1.10-4.1.11 from your help desk. Unfortunately - QT continues to change what it calls 4.1.11. So, over the last few weeks - there may have been updates to many files. If you download an upgrade pack for 4.1.10-4.1.11 today - it is not the same as what you downloaded in early September. When you download a security patch for 4.1.11 - it is for the latest version of 4.1.11 - perhaps not the 4.1.11 version that you installed in September. The current security patch looks like it would be okay for the XCART fresh 4.1.11 I installed earlier this month. But, the diff files have some discrepancies with a 4.1.11 cart I have that is an upgrade from a 4.1.10 cart, so I am wary to apply it without going through all the other differences - which is not an easy or quick task.
__________________
X-CART (4.1.9,12/4.2.2-3/4.3.1-2/4.4.1-5)-Gold (CDSEO, Altered-Cart On Sale, BCSE Preorder Backorder, QuickOrder, X-Payments, BCSE DPM Module)
#39
The cause of the remote file inclusion attack on the KathyHS site was that the webhost had registered globals enabled in the PHP configuration.
Also, I advise all users running X-Cart to enable suexec if running the Apache webserver.
Rubyaryat
__________________
Rubymods.com - Your X-Cart services partner for over 9 years. Modules offered: FedEx labels, Live currency rates, GeoIP, Order Audit, Multiple e-goods. X-Cart Store Hosting, project management and affiliates program available. 4.2.3 gold [Unix]
#40
Please note since the update no users can now register again, which is what happened with the last update too...
__________________
Richard Ultimate 5.4 testing
X-Cart forums © 2001-2020