Security bulletin 2009-12-02

Ene · #1 02-12-2009, 05:07 AM

Dear X-Cart customers,

During internal security audit a critical security issue has been detected in X-Cart. The issue makes the software vulnerable to attackers who wish to gain access to the server file system. The solution is to remove an affected file.

SEVERITY

Critical

IMPACT

A malicious user can execute his own shell commands and, as a result, gain access to the server file system.

AFFECTED VERSIONS

X-Cart versions from 4.1.0 to 4.1.11. All X-Cart customers who are using these versions are encouraged to apply the fix described below.

SOLUTION

Delete the '<xcart_dir>/payment/cc_basia.php' file.
This file refers to an outdated integration of 'Bank of Asia' payment gateway, so its deletion will not cause any problems and will not affect your stores.
The '<xcart_dir>' text means the server directory in which your X-Cart is installed.
You can delete this file using FTP, SSH or the hosting control panel file manager.

NOTE: If you use a custom integration of 'Bank of Asia' payment gateway or '<xcart_dir>/payment/cc_basia.php' script, you should contact our support team for free help.

If you have any questions or concerns, please, feel free to turn to the X-Cart support team via your Helpdesk.

ambal · #2 02-12-2009, 05:21 AM

Hi Everyone,

I closed News&Announcements from public access for reading. This information is accessible by X-Cart license owners only.

JWait · #3 02-12-2009, 08:36 AM

It appears the same cc_basia.php file exisits in 4.2 also. Is it affected also?

Ene · #4 02-12-2009, 08:52 AM

Quote:

It appears the same cc_basia.php file exisits in 4.2 also. Is it affected also?

v4.2.0 doesn't have this file. Please check the distribution package.

JWait · #5 02-12-2009, 08:57 AM

My bad. I must have included it with the upgrade from 4.1.11. I deleted it anyway.

carpeperdiem · #6 02-12-2009, 10:00 AM

Eugene,

Would it be wise to delete all cc_payment-gateway.php files that are not in use?

There is no reason to have them if not used, AND it is RARE for a store to change payment gateways -- and if so, then a restore of the appropriate gateway is quite simple. What do you think?

Ene · #7 02-13-2009, 01:30 AM

Quote:

Would it be wise to delete all cc_payment-gateway.php files that are not in use?

There is no reason to have them if not used, AND it is RARE for a store to change payment gateways -- and if so, then a restore of the appropriate gateway is quite simple. What do you think?

I think it is a good idea. But it is important to mention the following things:

* please delete only the unnecessary 'cc_*.php/ch_*.php/ps_*.php' files. If you delete some other files, for example 'payment_cc.php', your payment gateway will not work

* it is necessary to restore these files or alter the upgrade pack, if you decide to upgrade

BCSE · #8 02-13-2009, 06:52 AM

We didn't get any email notice of this security problem. Did an email not go out? We always get the security notices. Usually we receive the same security email a couple of times actually. I'm glad I noticed this thread so we can update all of our hosted customer's accounts.

Thanks,

Carrie

Ene · #9 02-13-2009, 07:02 AM

Quote:

We didn't get any email notice of this security problem. Did an email not go out? We always get the security notices. Usually we receive the same security email a couple of times actually. I'm glad I noticed this thread so we can update all of our hosted customer's accounts.

The newsletter sending has been started. Since the script sends a fixed number of emails per hour it will take some time to send all the emails as we have many clients.

carpeperdiem · #10 02-13-2009, 08:24 AM

Quote:

Originally Posted by Ene

The newsletter sending has been started. Since the script sends a fixed number of emails per hour it will take some time to send all the emails as we have many clients.

Two Words:

Mail Chimp