Security bulletin 2009-12-02

BCSE · #11 02-13-2009, 11:15 AM

Quote:

Originally Posted by Ene

The newsletter sending has been started. Since the script sends a fixed number of emails per hour it will take some time to send all the emails as we have many clients.

Got one of them now.

Carrie

Jon · #12 02-14-2009, 09:46 AM

Since there are many files other than the cc_ ps_ format, it would be really great to get a breakdown of the files in the payment folder and their usage. File permissions could then just be set to 000 until upgrading and then set back.

georgewf · #13 02-15-2009, 06:07 AM

Attached is the log of an attack in progress. I received notification of change in status of orders.

[10-Feb-2009 06:58:47] (shop: 10-Feb-2009 06:58:47) ORDERS message:
Login:
IP: 141.164.71.238
Operation: change status of orders (0) to 'F'
----
Request URI: /shop/payment/cc_basia.php
Backtrace:
/public_html/shop/include/func/func.order.php:1015
/public_html/shop/payment/cc_basia.php:176
-------------------------------------------------

luis · #14 02-16-2009, 06:21 PM

I lookk for this file I could not find it xcart_dir>/payment/cc_basia.php

Why is that?

My version is 4.1.10

elmirage001 · #15 02-21-2009, 09:10 AM

Quote:

Originally Posted by Ene

The newsletter sending has been started. Since the script sends a fixed number of emails per hour it will take some time to send all the emails as we have many clients.

Dear Ene,

FYI - I did not receive the newsletter until the 19th... Is there a way to speed up the process?

Thank you!

cycloneuk · #16 02-21-2009, 11:59 AM

Quote:

Originally Posted by elmirage001

Dear Ene,

FYI - I did not receive the newsletter until the 19th... Is there a way to speed up the process?

Thank you!

Lucky you, i didn't get mine until this morning 21st February

bigredseo · #17 02-21-2009, 12:09 PM

OUCH!! That's way too long to be sitting with an exposed site! Definitely need to see about a program to send out emails faster. There's email regulation where you only send "X" mail per hour, but taking days to deliver is not good - weeks is even worse!

carpeperdiem · #18 02-21-2009, 01:37 PM

I just received my notice today... fortunately, I read the forums.

Qualiteam should really consider using a 3rd party for security bulletin emails. The big-boy 3rd parties can send 10's of thousands of emails per hour. WITH open/bounce/unsubscribe tracking. AND google analytics integration. For very low $.

balinor · #19 02-21-2009, 02:39 PM

Or better yet, how about a live update system IN X-Cart? Wordpress does it when there is a new release, and that is FREE software. Have an area for important messages on the home page of the admin, with links directly to the update kits/patches/etc. Simple and effective, and no one can claim they didn't see it or get the e-mail in their spam box.

carpeperdiem · #20 02-21-2009, 02:47 PM

Quote:

Originally Posted by balinor

Or better yet, how about a live update system IN X-Cart? Wordpress does it when there is a new release, and that is FREE software. Have an area for important messages on the home page of the admin, with links directly to the update kits/patches/etc. Simple and effective, and no one can claim they didn't see it or get the e-mail in their spam box.

vBulletin does the same thing. A "call home" tag that checks your version and if it's not the latest patch, vB will make it very clear that you have to patch...

I would imagine this is related to the vB call-home copy protection -- very well done/seamless to the admin.

I would support xcart if they implemented such a feature.