security-patch-2007-10-29.tgz

   X-Cart forums > News and Announcements
#21, 11-06-2007, 06:14 AM
geckoday
X-Wizard
Join Date: Aug 2005
Posts: 1,073

Re: security-patch-2007-10-29.tgz

Quote:
Originally Posted by geckoday
Why is func.php full of changes that have nothing to do with patching security, such as discount calculations? A security patch should be just that and that alone. Now I've either got to test a dozen other things or manually pick out the security related changes from the patch.
Ahhh! The diff file that was just posted looks like the changes are limited just to the security issues.
__________________
Manuka Bay Company
X-Cart Version 4.0.19 [Linux]

UGG Boots and other fine sheepskin products
http://www.snowriver.com
#22, 11-06-2007, 06:16 AM
balinor
Veteran
Join Date: Oct 2003
Location: Connecticut, USA
Posts: 30,253

Re: security-patch-2007-10-29.tgz

The 4.0.18 patch hard-codes the xcart/ subdirectory into the .diff file, so if you don't have your cart installed in that directory, you get a 'not found' for all the files.

Come on guys, can you please take the time to get these right? A security patch is important and shouldn't be this difficult to implement.
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development
#23, 11-06-2007, 06:23 AM
Kelson
Member
Join Date: Feb 2006
Location: Michigan, USA
Posts: 29

Re: security-patch-2007-10-29.tgz
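The hard-coded `xcart/` prefix balinor describes is a strip-level mismatch: `patch` compares the paths in the diff's file headers against the directory it is run in, so a prefix that does not exist on disk turns into a "not found" for every file. As an added example, not code from the thread or from X-Cart, here is a POSIX shell dry-run that reads the `+++` headers of a unified diff and lists which target files are missing at a given strip level (the N in `patch -pN`). The sandbox it builds is constructed: a cart installed directly in the web root, and a placeholder diff whose headers hard-code `xcart/`. The file names `include/func.php` and `include/common.php` are assumed for illustration (only `func.php` is mentioned in the thread), and the hunk contents are placeholders, not the vendor's patch.

```shell
#!/bin/sh
# Added example (not from the thread): dry-run check for a unified diff whose
# "---"/"+++" headers carry a hard-coded directory prefix such as "xcart/".
# It reports which target files would not be found at a given strip level
# (the N in `patch -pN`) before patch is run, so a wrong prefix surfaces as a
# short list instead of a "not found" error for every file in the patch.

# Print the target paths from the "+++ " headers of a unified diff, with the
# first $2 leading directory components removed (same meaning as patch -pN).
diff_targets() {
    diff_file=$1
    strip=${2:-0}
    sed -n 's/^+++ //p' "$diff_file" | while IFS= read -r line; do
        # diff -u may append a tab and a timestamp after the file name;
        # keep only the name.
        path=$(printf '%s\n' "$line" | cut -f1)
        n=$strip
        while [ "$n" -gt 0 ] && [ "${path#*/}" != "$path" ]; do
            path=${path#*/}
            n=$((n - 1))
        done
        printf '%s\n' "$path"
    done
}

# Print the targets that do not exist below directory $3 (default: ".").
missing_targets() {
    root=${3:-.}
    diff_targets "$1" "$2" | while IFS= read -r path; do
        [ -f "$root/$path" ] || printf '%s\n' "$path"
    done
}

# Build a constructed sandbox: a cart installed in the web root (no xcart/
# subdirectory) plus a constructed diff whose headers hard-code "xcart/".
# Prints the sandbox path. File names and hunk contents are placeholders.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/include"
    : > "$d/include/func.php"
    : > "$d/include/common.php"
    cat > "$d/security.diff" <<'EOF'
--- xcart/include/func.php
+++ xcart/include/func.php
@@ -1,3 +1,3 @@
 <?php
-// constructed placeholder line
+// constructed placeholder line (patched)
 ?>
--- xcart/include/common.php
+++ xcart/include/common.php
@@ -1,3 +1,3 @@
 <?php
-// constructed placeholder line
+// constructed placeholder line (patched)
 ?>
EOF
    printf '%s\n' "$d"
}

# Stand-alone run: with the headers taken literally (-p0) every file is
# missing; stripping the bogus "xcart/" component (-p1) finds them all.
sandbox=$(make_sample)
echo "missing at -p0:"; missing_targets "$sandbox/security.diff" 0 "$sandbox"
echo "missing at -p1:"; missing_targets "$sandbox/security.diff" 1 "$sandbox"
rm -rf "$sandbox"
```

Once the list is empty at some strip level, that is the `-p` value to apply the patch with from the cart's root directory (for example `patch -p1 < security.diff`); GNU patch's own `--dry-run` option is the next check, since it also verifies that the hunks match the installed version's contents, which a path check alone cannot tell you.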

I installed the patch and got a lot of error messages across the top of the screen. I don't know enough about X-Cart to know what was wrong but reading this forum tells me the patch is messed up. I'll try it again once the patch works right.
__________________
Kelson Herr
Antiphonic Music Co.
www.antiphonic.com

x-cart v4.0.15 [win]
#24, 11-06-2007, 10:59 AM
michiganbob
Newbie
Join Date: Apr 2006
Posts: 8

Re: security-patch-2007-10-29.tgz

It seems like this update is causing people quite a few headaches. Before I start the process of manually patching all of my clients' carts, can anyone tell me what the actual security issue is? All I got out of the email is that someone could use "SQL injection" to gain access to sensitive information. Do I need to waste an entire day fixing this, or are we all worried about nothing?

Thanks.
__________________
LiteCommerce - 10 Carts:
---------------------------------
Version 2.1 Service Pack 2

XCart - 14 Carts:
---------------------
Version 4.0.17
Version 4.0.18
Version 4.1.2
Version 4.1.3
#25, 11-06-2007, 04:41 PM
abossola
Advanced Member
Join Date: May 2006
Posts: 59

Re: security-patch-2007-10-29.tgz

Has anyone successfully upgraded from 4.0.19 yet?
__________________
https://xskinz.com

4.0.19
linux
PHP 4.4.2
MySQL server 4.1.21-standard
MySQL client 4.1.21
Apache
#26, 11-06-2007, 04:47 PM
abossola
Advanced Member
Join Date: May 2006
Posts: 59

Re: security-patch-2007-10-29.tgz

And why can't I even find a version of 4.18? All I see is 4.19? Ahhh... this shouldn't be so difficult.
__________________
https://xskinz.com

4.0.19
linux
PHP 4.4.2
MySQL server 4.1.21-standard
MySQL client 4.1.21
Apache
#27, 11-06-2007, 04:55 PM
balinor
Veteran
Join Date: Oct 2003
Location: Connecticut, USA
Posts: 30,253

Re: security-patch-2007-10-29.tgz

4.0.18 is in the .diff posted above, but it doesn't work as I mentioned. You are right though, this should be a no-brainer... people are going to do more damage with this patch than they'd do leaving the site alone.
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development
#28, 11-06-2007, 05:05 PM
abossola
Advanced Member
Join Date: May 2006
Posts: 59

Re: security-patch-2007-10-29.tgz

So basically Xcart just announced to the world that their app is insecure and that we have no way to upgrade other than building the site from scratch?
__________________
https://xskinz.com

4.0.19
linux
PHP 4.4.2
MySQL server 4.1.21-standard
MySQL client 4.1.21
Apache
#29, 11-06-2007, 05:09 PM
carpeperdiem
X-Guru
Join Date: Jul 2006
Location: New York City, USA
Posts: 5,399

Re: security-patch-2007-10-29.tgz

Quote:
Originally Posted by abossola
So basically Xcart just announced to the world that their app is insecure and that we have no way to upgrade other than building the site from scratch?

Yes. And they announced this to the world before notifying their customers via email.

I did not need to be doing this at the start of my busiest 60 days of the year.
__________________
xcart 4.5.4 gold+ w/x-payments 1.0.6; xcart gold 4.4.4
#30, 11-06-2007, 06:31 PM
BCSE
X-Guru
Join Date: Apr 2003
Location: Ohio - bcsengineering.com
Posts: 3,060

Re: security-patch-2007-10-29.tgz

Thank goodness they are providing DIFF files. I've been back and forth with a support person this past week about this. And they keep coming back with basically "sorry we aren't providing DIFF files but we can do it for you for 40 support points".

I also do not know why this security patch is of "moderate" impact status. It seems pretty critical to me that people could get sensitive data!

Carrie
__________________
Custom Development, Custom Coding and Pre-built modules for X-cart since 2002!

We support X-cart versions 3.x through 5.x!

Home of the famous Authorize.net DPM & CIM Modules, Reward Points Module, Point of Sale module, Speed Booster modules and more!


Over 200 X-cart Mods available & Thousands of Customizations Since 2002 - bcsengineering.com

Please E-Mail us for questions/support!
X-Cart forums © 2001-2020