Follow us on Twitter X-Cart on Facebook Wiki
Shopping cart software Solutions for online shops and malls

POODLE vulnerability in SSLv3
 
Reply
   X-Cart forums > X-Payments > X-Payments issues & questions
 
Thread Tools
  #21  
Old 10-18-2014, 11:57 AM
  cflsystems's Avatar 
cflsystems cflsystems is offline
 

Veteran
  
Join Date: Apr 2007
Posts: 13,430
 

Default Re: POODLE vulnerability in SSLv3

XC uses SSL 3 in these files as well

func.https_X.php

where X is libcurl, curl, openssl, ssleay

It is OFF by default but other code in XC may set it to true when used. Solution will be to find the line in the file that sets the option for SSL3 and comment it out for example in

func.https_libcurl.php there is this

PHP Code:
if ($use_ssl3)
        
curl_setopt ($chCURLOPT_SSLVERSION3); 

so just comment it out

PHP Code:
//   if ($use_ssl3)
       // curl_setopt ($ch, CURLOPT_SSLVERSION, 3); 

This is untested so make sure you do some test orders if changing it

QT can we get clarification on this and a patch for XC if possible
__________________
Steve Stoyanov
CFLSystems.com
Web Development
Reply With Quote

The following 2 users thank cflsystems for this useful post:
ADDISON (10-20-2014), xim (10-20-2014)
  #22  
Old 10-19-2014, 07:53 AM
 
shwekhaw shwekhaw is offline
 

Senior Member
  
Join Date: Nov 2004
Posts: 142
 

Default Re: POODLE vulnerability in SSLv3

We edited conf file to exclude SSLv3 from SSLProtocol. We did online test and it passes. Do we still need to patch X-payment connector files?
__________________
X-Cart Gold Plus 4.5.5
Checkout ONE
Checkout ONE DPM
BCSE CIM
Apache
Linux
Reply With Quote
  #23  
Old 10-19-2014, 11:15 PM
  ambal's Avatar 
ambal ambal is offline
 

X-Cart team
  
Join Date: Sep 2002
Posts: 4,099
 

Default Re: POODLE vulnerability in SSLv3

Quote:
Originally Posted by shwekhaw
We edited conf file to exclude SSLv3 from SSLProtocol. We did online test and it passes. Do we still need to patch X-payment connector files?

Yes, if you use X-Payments. This thread was originally created about dealing with the POODLE in X-Payments.
__________________
Sincerely yours,
Alex Mulin
VP of business development for X-Cart
X-Payments project manager
Reply With Quote
  #24  
Old 10-20-2014, 12:11 AM
 
xim xim is offline
 

X-Cart team
  
Join Date: Nov 2004
Posts: 669
 

Default Re: POODLE vulnerability in SSLv3

Quote:
Originally Posted by cflsystems
XC uses SSL 3 in these files as well

func.https_X.php

where X is libcurl, curl, openssl, ssleay

It is OFF by default but other code in XC may set it to true when used. Solution will be to find the line in the file that sets the option for SSL3 and comment it out for example in

func.https_libcurl.php there is this

PHP Code:
if ($use_ssl3)
        
curl_setopt ($chCURLOPT_SSLVERSION3); 

so just comment it out

PHP Code:
//   if ($use_ssl3)
       // curl_setopt ($ch, CURLOPT_SSLVERSION, 3); 

This is untested so make sure you do some test orders if changing it

QT can we get clarification on this and a patch for XC if possible

This is the correct patch.

Our team is working on the 4.6.5 release planned to this week. This version will have the necessary corrections to do not use SSLv3
__________________
Sincerely yours, Max Vydrin
Reply With Quote

The following 4 users thank xim for this useful post:
ADDISON (10-20-2014), aim (10-20-2014), ambal (10-21-2014), cflsystems (10-20-2014)
  #25  
Old 10-20-2014, 03:05 AM
  ambal's Avatar 
ambal ambal is offline
 

X-Cart team
  
Join Date: Sep 2002
Posts: 4,099
 

Default Re: POODLE vulnerability in SSLv3

Re: Magento users of X-Payments

Nothing needed to be patched in the connector module as our Magento connector for X-Payments relies on using built-in Magento HTTPS module. So I advise to check with Magento regarding whether or not Magento needs to be patched.
__________________
Sincerely yours,
Alex Mulin
VP of business development for X-Cart
X-Payments project manager
Reply With Quote
  #26  
Old 10-20-2014, 10:11 AM
  mcanitano's Avatar 
mcanitano mcanitano is offline
 

eXpert
  
Join Date: Feb 2006
Location: Melbourne, FL
Posts: 216
 

Default Re: POODLE vulnerability in SSLv3

We are having an issue with this on XC 4.5.5.

We installed the newest X-Payments Connector, and received the following errors in: x-errors_xpay_connector-xxxxxx.php

Code:
[20-Oct-2014 13:29:34] xpay_connector message: X-Payments error (code: 1514): The merchantEmail field is missing or incorrect Request URI: /payment/payment_cc.php Backtrace: /.../modules/XPayments_Connector/xpc_func.php:2257 /.../modules/XPayments_Connector/xpc_func.php:2223 /.../modules/XPayments_Connector/xpc_func.php:1948 /.../modules/XPayments_Connector/xpc_func.php:1941 /.../modules/XPayments_Connector/xpc_func.php:417 /.../payment/cc_xpc.php:574 /.../payment/payment_cc.php:347 ------------------------------------------------- [20-Oct-2014 13:29:34] xpay_connector message: Internal error. Request URI: /payment/payment_cc.php Backtrace: /.../modules/XPayments_Connector/xpc_func.php:2257 /.../modules/XPayments_Connector/xpc_func.php:1997 /.../modules/XPayments_Connector/xpc_func.php:1950 /.../modules/XPayments_Connector/xpc_func.php:1941 /.../modules/XPayments_Connector/xpc_func.php:417 /.../payment/cc_xpc.php:574 /.../payment/payment_cc.php:347 -------------------------------------------------

Then in x-errors_payments-xxxxxx.php:

Code:
[20-Oct-2014 13:29:34] PAYMENTS message: Payment processing failure. Login: [PRIVATE] IP: [PRIVATE] ---- Payment method: Credit Card (X-Payments: Authorize.Net AIM) bill_output = Array ( [cvvmes] => not set / {code} => 2 [billmes] => Internal error (I) ) original_bill_output = Array ( [cvvmes] => not set / {code} => 2 [billmes] => Internal error (I) ) Request URI: /payment/payment_cc.php Backtrace: /.../payment/payment_ccmid.php:459 /.../payment/payment_ccend.php:48 /.../payment/payment_cc.php:349 -------------------------------------------------

EDIT: We successfully reverted to old setup, but would still like to know how to fix the above errors.
__________________
Marcello Canitano
New Site: X-Cart v4.5.5 GOLD
X-Cart Mobile v1.4.3
X-Payments v1.0.6
CDSEO Pro v2
Total Server Solutions xCDN

www.silverhorseracing.com
Reply With Quote
  #27  
Old 10-20-2014, 01:32 PM
  hdpixel's Avatar 
hdpixel hdpixel is offline
 

Newbie
  
Join Date: Jul 2007
Posts: 9
 

Default Re: POODLE vulnerability in SSLv3

I fixed two stores using this fix. Thank you so much.

X-cart 4.54 and 4.52 with x-payment 1.06.
__________________
X-Cart Gold 4.5.x/4.4.x/4.31/4.19
Reply With Quote

The following user thanks hdpixel for this useful post:
ambal (10-21-2014)
  #28  
Old 10-21-2014, 08:01 AM
 
Dougrun Dougrun is online now
 

X-Adept
  
Join Date: Apr 2012
Posts: 628
 

Default Re: POODLE vulnerability in SSLv3

for those not using xpayments, im on 4.6.4, i added

SSLProtocol all -SSLv2 -SSLv3

to my pre-virtual host include file on apache,
pre_virtualhost_global.conf

passed the test, This is a CENTOS 6.4 x86_64 standard godaddy dedicated server.
__________________
4.7.x xcart store
Business 5.3xx
Reply With Quote
  #29  
Old 10-21-2014, 08:12 AM
  tam10's Avatar 
tam10 tam10 is offline
 

eXpert
  
Join Date: Mar 2007
Posts: 252
 

Default Re: POODLE vulnerability in SSLv3

I past the test
"This server is not vulnerable to the POODLE attack because it doesn't support SSL 3"

Does it mean i do not need to do anything?

I did fall this (what is it?)

IE 6 / XP No FS 1 No SNI 2 Protocol or cipher suite mismatch
__________________
Tammy
x-cart gold + 4.7.2
x-cart 5.2.10

Reply With Quote
  #30  
Old 10-21-2014, 09:27 PM
 
Chris B Chris B is offline
 

eXpert
  
Join Date: Oct 2002
Posts: 226
 

Default Re: POODLE vulnerability in SSLv3

We are having trouble with an x-cart installation using Version 4.5.5 with X-PAYMENTS v.1.0.2.

After turning off SSL3 on the server we no longer had the ability to enter credit card information within the checkout process.

We therefore patched our x-cart installation manually by:


1.) removing the line of code

curl_setopt($ch, CURLOPT_SSLVERSION, 3);

from

modules/XPayments_Connector/xpc_func.php


We did not see the following line within our version of x-cart:

curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'DEFAULT');

So this step was bypassed.


2.) We then tested with no luck.

3.) We then Removed

if ($use_ssl3)
curl_setopt ($ch, CURLOPT_SSLVERSION, 3);


from the func.https_X.php file and tested again. Still no luck

4.) We then installed the newest X-Payments Connector, and white screened the entire cart.

Any suggestions?
__________________
4.0x - 4.5x
Reply With Quote
Reply
   X-Cart forums > X-Payments > X-Payments issues & questions


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT -8. The time now is 12:53 AM.

   

 
X-Cart forums © 2001-2018