POODLE vulnerability in SSLv3

cherie · #81 11-01-2014, 02:41 PM

The initial error doesn't make sense for your situation so either way you're just trying to track it down. That is not an X-Cart error but a server error. At the least the host should be able to help identify the cause. It seems that there is something clearly different about this store and how it triggers the error that is unique from the other stores.

Thomasb134 · #82 11-01-2014, 03:44 PM

Quote:

... Does that make sense it would still be the mod_security?

If you have confirmed that /shop/product.php exists on the server, but is reported as file not found (404 error) when it is accessed, then I agree with Cherie that it is probably blocked by mod_security.

moonslice · #83 11-02-2014, 06:09 AM

You guys were right! It was a mod_security error! Is there any way to white-list my IP from csf mod_security?

I'm whitelisted from configserver firewall in general - but I guess not from csf mod_security.

Thanks so much for your great help.

Thomasb134 · #84 11-02-2014, 03:02 PM

Installed the patch in my V4.4.5 site today. Just as a heads up, the provided func.https_curl.php and func.https_lbcurl.php files are missing the PayPal IPN https patch from March 2014, so they were manually patched with the POODLE related code. But the other files were a simple copy/replace for me.

aim · #85 11-03-2014, 12:08 AM

Quote:

Originally Posted by BCSE

We're confused why your post states CIM? X-cart does not have CIM in it. The Authorize.net CIM module is one we built and is not affected.

Thanks,

Carrie

You are right
this is the 'AuthorizeNet - AIM' module.

We will fix this misprint in the description.

ambal · #86 11-03-2014, 12:42 AM

Risa,

You cannot find X-Payments connector file in your X-Cart 4.0.19 because most probably you do not use X-Payments and do not have X-Payments connector installed. If so, you do not need to patch X-Payments connector files in your X-Cart, but you still need to take care of the rest of X-Cart patches.

Quote:

Originally Posted by risabb

YogaHub,

I have version 4.0.19 and could not find the xpc_func.php file either. I was using Dreamweaver to connect to the server. However, when I used FileZilla to FTP to the server, I DID see that file.

Risa

DanUK · #87 11-03-2014, 01:29 AM

Hi, applied the 4.4.5 patches to my 4.4.2 installation and now I cannot checkout using SagePay Form, it hangs on "your order is being placed". If I restore the original files I replaced i.e.

func.https_curl.php
func.https_libcurl.php
func.https_openssl.php
func.https_ssleay.php

and

netssleay.pl

It works fine. How do I troubleshoot this further?

TheSarcasmShop · #88 11-06-2014, 11:59 AM

I had the Poodle patch applied and got tthe successful installatiuon message last week. Since Authorize.net disabled SSLv3 on 11/4 I cannot process orders. I get this message: "Order processing error Order declined. Review your data or contact the store administrator."

I contacted Authorize.net and they asked me to provide an error string but I don't know where to find it.

My Host and SSL provider are Hostgator and they said they have already made the needed changes to their system for Poodle.

Any ideas?

Thomasb134 · #89 11-06-2014, 12:13 PM

Quote:

I contacted Authorize.net and they asked me to provide an error string but I don't know where to find it.

I see that you are running V4.3.1 (please put this in your forum signature). The transaction details should be found in your /xcart/admin/logs.php page.

Regs · #90 11-06-2014, 12:43 PM

I'm having the same issues and can't iron it out.

Xcart 4.2.3 - not using xpayments

Error log shows:

Code:

responses of https requests = Array
    (
        [31-12-1969 16:00:00 1415309722] => Array
            (
                [0] => 0
                [1] => X-Cart HTTPS: libcurl error(35): error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
            )
    
    )
Request URI: /payment/payment_cc.php
Backtrace:
/home/coachesgear/public_html/payment/payment_ccmid.php:272
/home/coachesgear/public_html/payment/payment_ccend.php:41
/home/coachesgear/public_html/payment/payment_cc.php:201

Any ideas? Testing on the server to connect to the gateway gives:

Code:

root@srv [~]# wget https://secure.psigate.com:7934
--2014-11-06 11:16:21-- https://secure.psigate.com:7934/ Resolving secure.psigate.com... 216.220.59.210 Connecting to secure.psigate.com|216.220.59.210|:7934... connected.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol Unable to establish SSL connection.
but when I force SSL version:

root@srv [~]# wget --secure-protocol=SSLv3 https://secure.psigate.com:7934
--2014-11-06 11:17:05-- https://secure.psigate.com:7934/ Resolving secure.psigate.com... 216.220.59.210 Connecting to secure.psigate.com|216.220.59.210|:7934... connected.
HTTP request sent, awaiting response... 404 Not Found
2014-11-06 11:17:08 ERROR 404: Not Found.
... or even:

root@srv [~]# wget --secure-protocol=TLSv1 https://secure.psigate.com:7934
--2014-11-06 11:17:22-- https://secure.psigate.com:7934/ Resolving secure.psigate.com... 216.220.59.210 Connecting to secure.psigate.com|216.220.59.210|:7934... connected.
HTTP request sent, awaiting response... 404 Not Found
2014-11-06 11:17:23 ERROR 404: Not Found.

Any thoughts?