
POODLE vulnerability in SSLv3

 
  #111  
Old 11-17-2014, 12:32 PM
 
peakay peakay is offline
 

Advanced Member
  
Join Date: Aug 2007
Posts: 87
 

Default Re: POODLE vulnerability in SSLv3

Ksenia (or anyone else),

What, if any, patches need to be made to 4.1.8 connecting to PayPal for credit card processing? I've read through each page of this thread and am not coming up with a clear answer.

Thanks!

Quote:
Originally Posted by Ksenia
The list of patches available:

remove_ssl3-2014-10-30_4.2.3.tgz
remove_ssl3-2014-10-30_4.3.2.tgz
remove_ssl3-2014-10-30_4.4.5.tgz
remove_ssl3-2014-10-30_4.5.0.tgz
remove_ssl3-2014-10-30_4.5.1.tgz
remove_ssl3-2014-10-30_4.5.2.tgz
remove_ssl3-2014-10-30_4.5.3.tgz
remove_ssl3-2014-10-30_4.5.4.tgz
remove_ssl3-2014-10-30_4.5.5.tgz
remove_ssl3-2014-10-30_4.6.0.tgz
remove_ssl3-2014-10-30_4.6.1.tgz
remove_ssl3-2014-10-30_4.6.2.tgz
remove_ssl3-2014-10-30_4.6.3.tgz
remove_ssl3-2014-10-30_4.6.4.tgz


The users of X-Cart 4.3.0 and 4.3.1 should use the patch for v.4.3.2.
The users of X-Cart 4.4.0 - 4.4.4 should use the patch for v.4.4.5.

Most probably you will be able to apply the patch as is. But a little patch adaptation for this version may be required.
__________________
X-Cart Gold v. 4.1.8
Customized by Ryan Design Studio
AOM
SEO Mod
  #112  
Old 11-19-2014, 01:15 AM
  zone1creative's Avatar 
zone1creative zone1creative is offline
 

eXpert
  
Join Date: Jan 2009
Location: Hove, UK
Posts: 341
 

Default Re: POODLE vulnerability in SSLv3

Hi, when you say 'PayPal Advanced', does this cover PayPal Express and not PayPal Standard?

Or is this for paypal login only?
__________________
Pinakin Patel
Zone1 Creative Ltd
http://www.zone1creative.co.uk/
  #113  
Old 11-19-2014, 03:19 AM
 
aim aim is offline
Advanced Staff Users
 

X-Cart team
  
Join Date: Dec 2008
Posts: 928
 

Default Re: POODLE vulnerability in SSLv3

Quote:
Originally Posted by peakay
Ksenia (or anyone else),

What, if any, patches need to be made to 4.1.8 connecting to PayPal for credit card processing? I've read through each page of this thread and am not coming up with a clear answer.

Thanks!

Do you have the stock 4.1.8 https modules ?
include/func/func.https_curl.php include/func/func.https_openssl.php
include/func/func.https_libcurl.php include/func/func.https_ssleay.php


Do you have the 'use_ssl' string in the files ?

Code:
aim-server[~/www/xcart_4_6_x]$ grep -r use_ssl ~/www/xcart/4_6_3_gold/include/func/func.https*
/home/aim/www/xcart/4_6_3_gold/include/func/func.https_curl.php:function func_https_request_curl($method, $url, $data="", $join="&", $cookie="", $conttype="application/x-www-form-urlencoded", $referer="", $cert="", $kcert="", $headers="", $timeout = 0, $use_ssl3 = false)
/home/aim/www/xcart/4_6_3_gold/include/func/func.https_curl.php: if ($use_ssl3)
/home/aim/www/xcart/4_6_3_gold/include/func/func.https_libcurl.php:function func_https_request_libcurl($method, $url, $data="", $join="&", $cookie="", $conttype="application/x-www-form-urlencoded", $referer="", $cert="", $kcert="", $headers="", $timeout = 0, $use_ssl3 = false)
/home/aim/www/xcart/4_6_3_gold/include/func/func.https_libcurl.php: return func_request_libcurl($method, $url, $data, $join, $cookie, $conttype, $referer, $cert, $kcert, $headers, $timeout, $use_ssl3, true);
/home/aim/www/xcart/4_6_3_gold/include/func/func.https_libcurl.php:function func_request_libcurl($method, $url, $data="", $join="&", $cookie="", $conttype="application/x-www-form-urlencoded", $referer="", $cert="", $kcert="", $headers="", $timeout = 0, $use_ssl3 = false, $_https=true)
/home/aim/www/xcart/4_6_3_gold/include/func/func.https_libcurl.php: if ($use_ssl3)
/home/aim/www/xcart/4_6_3_gold/include/func/func.https_openssl.php:function func_https_request_openssl($method, $url, $data="", $join="&", $cookie="", $conttype="application/x-www-form-urlencoded", $referer="", $cert="", $kcert="", $headers="", $timeout = 0, $use_ssl3 = false)
/home/aim/www/xcart/4_6_3_gold/include/func/func.https_openssl.php: if ($use_ssl3)
/home/aim/www/xcart/4_6_3_gold/include/func/func.https_ssleay.php:function func_https_request_ssleay($method, $url, $data="", $join="&", $cookie="", $conttype="application/x-www-form-urlencoded", $referer="", $cert="", $kcert="", $headers="", $timeout = 0, $use_ssl3 = false)
/home/aim/www/xcart/4_6_3_gold/include/func/func.https_ssleay.php: $execline .= " $ui[host] $ui[port] " . ($use_ssl3 ? '1' : '0') . ' ' . func_shellquote($cert) . ' ' . func_shellquote($kcert) . ' < ' . func_shellquote($tmpfile) . ' 2>' . func_shellquote($ignorefile);
aim-server[~/www/xcart_4_6_x]$
__________________
Sincerely yours,
Ildar Amankulov
Head of Maintenance group

The following user thanks aim for this useful post:
peakay (11-20-2014)
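The check described in the post above, written as a repeatable audit. This is an added example, not X-Cart code or part of the original post: the four module paths and the `use_ssl3` marker come from the thread, while the function names, the sample tree and the extra patterns (`CURL_SSLVERSION_SSLv3`, `--sslv3`, `-ssl3`, generic ways a client can pin SSLv3) are assumptions that go beyond the single `grep` shown.

```shell
#!/bin/sh
# Added example: audit an X-Cart tree for SSLv3 references in its HTTPS modules.
HTTPS_MODULES="func.https_curl.php func.https_libcurl.php func.https_openssl.php func.https_ssleay.php"

# use_ssl3 is the marker from the thread; the other patterns are assumed
# generic SSLv3 pins (PHP cURL constant, curl CLI flag, openssl CLI flag).
SSL3_PATTERN='use_ssl3|CURL_SSLVERSION_SSLv3|--sslv3|-ssl3'

# audit_https_modules <xcart_root>
# Prints "<module>: missing | clean | ssl3-reference (N lines)" per module.
# Returns 0 if no module references SSLv3, 1 if any does, 2 on a bad root.
audit_https_modules() {
    root=$1
    [ -d "$root/include/func" ] || { echo "no include/func under $root" >&2; return 2; }
    found=0
    for m in $HTTPS_MODULES; do
        f="$root/include/func/$m"
        if [ ! -f "$f" ]; then
            echo "$m: missing"
            continue
        fi
        # grep -c exits 1 on zero matches; keep the count and ignore that status
        hits=$(grep -c -E -e "$SSL3_PATTERN" "$f" || true)
        if [ "$hits" -gt 0 ]; then
            echo "$m: ssl3-reference ($hits lines)"
            found=1
        else
            echo "$m: clean"
        fi
    done
    return $found
}

# make_sample_tree <dir>: constructed sample input, not real X-Cart source.
make_sample_tree() {
    mkdir -p "$1/include/func"
    printf '%s\n' '<?php' \
        'function func_https_request_curl($method, $url, $use_ssl3 = false) {' \
        '    if ($use_ssl3)' > "$1/include/func/func.https_curl.php"
    printf '%s\n' '<?php' \
        'function func_https_request_openssl($method, $url) {' \
        > "$1/include/func/func.https_openssl.php"
}

# Demo on the constructed tree.
demo=$(mktemp -d) && make_sample_tree "$demo" && { audit_https_modules "$demo" || true; }
rm -rf "$demo"
```

On a real installation, pass the store's root directory to `audit_https_modules` and review every module reported as `ssl3-reference` against the matching `remove_ssl3` patch.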
  #114  
Old 11-19-2014, 03:21 AM
 
aim aim is offline
Advanced Staff Users
 

X-Cart team
  
Join Date: Dec 2008
Posts: 928
 

Default Re: POODLE vulnerability in SSLv3

Quote:
Originally Posted by zone1creative
Hi, when you say 'PayPal Advanced', does this cover PayPal Express and not PayPal Standard?

Or is this for paypal login only?

This is PayPal Advanced payment method only.
Attached Images
File Type: png pp.png (121.2 KB, 7 views)
__________________
Sincerely yours,
Ildar Amankulov
Head of Maintenance group
  #115  
Old 11-19-2014, 09:53 AM
 
peakay peakay is offline
 

Advanced Member
  
Join Date: Aug 2007
Posts: 87
 

Default Re: POODLE vulnerability in SSLv3

Quote:
Originally Posted by aim
Do you have the stock 4.1.8 https modules ?
include/func/func.https_curl.php include/func/func.https_openssl.php
include/func/func.https_libcurl.php include/func/func.https_ssleay.php


Do you have the 'use_ssl' string in the files ?

Thank you - let me check.
__________________
X-Cart Gold v. 4.1.8
Customized by Ryan Design Studio
AOM
SEO Mod
  #116  
Old 11-19-2014, 09:59 AM
 
peakay peakay is offline
 

Advanced Member
  
Join Date: Aug 2007
Posts: 87
 

Default Re: POODLE vulnerability in SSLv3

Quote:
Originally Posted by aim
Do you have the stock 4.1.8 https modules ?
include/func/func.https_curl.php include/func/func.https_openssl.php
include/func/func.https_libcurl.php include/func/func.https_ssleay.php


Do you have the 'use_ssl' string in the files ?

I opened each of these through CPanel file manager and did a Find on use_ssl - could not find it in the code.

Does this mean we are safe? Thanks for your time.
__________________
X-Cart Gold v. 4.1.8
Customized by Ryan Design Studio
AOM
SEO Mod
  #117  
Old 11-19-2014, 07:49 PM
 
aim aim is offline
Advanced Staff Users
 

X-Cart team
  
Join Date: Dec 2008
Posts: 928
 

Default Re: POODLE vulnerability in SSLv3

Quote:
Originally Posted by peakay
I opened each of these through CPanel file manager and did a Find on use_ssl - could not find it in the code.

Does this mean we are safe? Thanks for your time.

You are safe.
__________________
Sincerely yours,
Ildar Amankulov
Head of Maintenance group

The following user thanks aim for this useful post:
peakay (11-20-2014)
  #118  
Old 11-19-2014, 11:52 PM
  ambal's Avatar 
ambal ambal is offline
 

X-Cart team
  
Join Date: Sep 2002
Posts: 4,119
 

Default Re: POODLE vulnerability in SSLv3

Yesterday we disabled SSLv3 at X-Payments servers.
__________________
Sincerely yours,
Alex Mulin
VP of Business Development for X-Cart
X-Payments product manager
  #119  
Old 11-20-2014, 07:32 AM
 
peakay peakay is offline
 

Advanced Member
  
Join Date: Aug 2007
Posts: 87
 

Default Re: POODLE vulnerability in SSLv3

Quote:
Originally Posted by aim
You are safe.

Thank you, sir!
__________________
X-Cart Gold v. 4.1.8
Customized by Ryan Design Studio
AOM
SEO Mod
  #120  
Old 11-24-2014, 12:43 PM
 
Seldomseen Seldomseen is offline
 

Newbie
  
Join Date: Mar 2008
Posts: 4
 

Default Re: POODLE vulnerability in SSLv3

Help. X-Pay stopped working when SSL3 was disabled.

Xcart 4.5.5
Applied remove ssl3 patch

# curl -V
curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz

logged error:

[23-Nov-2014 00:06:19] PAYMENTS message:
Payment processing failure.
Login: xxxxxx@gmail.com
IP: xx.x.xx.xxx
----
Payment method: X-Payments: Authorize.Net AIM (X-Payments: Authorize.Net AIM)
bill_output = Array
(
[cvvmes] => not set /
[code] => 2
[billmes] => Internal error (Response is not valid.<br />Check logs.)
)
original_bill_output = Array
(
[cvvmes] => not set /
[code] => 2
[billmes] => Internal error (Response is not valid.<br />Check logs.)
)
Request URI: /payment/payment_cc.php
Backtrace:
/payment/payment_ccmid.php:459
/payment/payment_ccend.php:48
/payment/payment_cc.php:342
__________________
x-cart 4.5.5 Gold