Follow us on Twitter X-Cart on Facebook Wiki
Shopping cart software Solutions for online shops and malls

POODLE vulnerability in SSLv3
 
Reply
   X-Cart forums > X-Payments > X-Payments issues & questions
 
Thread Tools
  #11  
Old 10-17-2014, 07:27 AM
  ambal's Avatar 
ambal ambal is offline
 

X-Cart team
  
Join Date: Sep 2002
Posts: 4,106
 

Default Re: POODLE vulnerability in SSLv3

> Will test out the new connector - when you say "It does support v1.0.6 but only for
> credit card processing.", what does it not support exactly?

Well, this is not a good thread to discuss that.

Everything we added in v2.x - PCI compliant credit card saving, recurring orders, PA-DSS 2.0, better API to work with shopping carts like X-Cart, etc. Just check our blog for X-Payments updates.
__________________
Sincerely yours,
Alex Mulin
VP of business development for X-Cart
X-Payments project manager
Reply With Quote
  #12  
Old 10-17-2014, 08:21 AM
 
fwm fwm is offline
 

Advanced Member
  
Join Date: Apr 2011
Posts: 78
 

Default Re: POODLE vulnerability in SSLv3

Is there a patch needed for the Magento x-Payments connector?

-atm

QUOTE=ambal]Hi Everyone,

As you may already know right after OpenSSL Heartblead vulnerability a new one has been found in SSL protocol - POODLE.

The POODLE vulnerability is a weakness in version 3 of the SSL protocol that allows an attacker in a man-in-the-middle context to decipher the plain text content of an SSLv3 encrypted message.

You can read more about POODLE at
https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-poodle-sslv3-vulnerability

Please note - this is NOT a vulnerability in X-Payments or X-Payments connector modules for X-Cart. This is a vulnerability in ciphering software used by almost any server in the Internet to establish secure connections.

What needs to be done:

1) X-Cart 4 users - apply Attachment 3956 patch to your X-Cart that will disable forced use of SSLv3 and enable automatic selection of TLS or SSL so if your hosting provider disabled SSLv3 support for your X-Payments installation your X-Cart will be able to connect with X-Payments using TLS.

Or you can download our new connectors for X-Cart 4 at
https://drive.google.com/a/x-cart.com/folderview?id=0B6p7sehSZL8_akhxR0VwQ0dta2M&usp=dri ve_web#list

They have been updated today to have the patch out of the box.

X-Cart 5 users - install a new version of X-Payments connector as soon as we release it or remove this line of code:
PHP Code:
curl_setopt($chCURLOPT_SSLVERSION3); 
in file of X-Cart 5
classes/XLite/Module/CDev/XPaymentsConnector/Core/XPaymentsClient.php

UPD: X-Cart 5 patch - Attachment 3957

2) make sure your server where you run X-Cart uses cURL v 7.18.1 or newer.
If you use X-Payments Enterprise/Downloadable license - check the same for your X-Payments server.

If your cURL is older - update it.
If you have no idea what is cURL - consult with your hosting admin.

And since I mentioned the OpenSSL Heartbleed - check your OpenSSL version - it should be at least 1.0.1g[/quote]
__________________
X-Cart 4.1.9
X-Cart 4.4.1
X-Cart Platinum 4.6.1
Reply With Quote
  #13  
Old 10-17-2014, 08:27 AM
  ambal's Avatar 
ambal ambal is offline
 

X-Cart team
  
Join Date: Sep 2002
Posts: 4,106
 

Default Re: POODLE vulnerability in SSLv3

A very good blog post about the POODLE

https://blog.totalserversolutions.com/poodle-sslv3-vulnerability-breaks-browser-security/
__________________
Sincerely yours,
Alex Mulin
VP of business development for X-Cart
X-Payments project manager
Reply With Quote
  #14  
Old 10-17-2014, 08:53 AM
  tam10's Avatar 
tam10 tam10 is offline
 

eXpert
  
Join Date: Mar 2007
Posts: 252
 

Default Re: POODLE vulnerability in SSLv3

If i only use PayPal do i need the patch or it's not relevant to my cart?
__________________
Tammy
x-cart gold + 4.7.2
x-cart 5.2.10

Reply With Quote
  #15  
Old 10-17-2014, 11:10 PM
  random's Avatar 
random random is offline
Advanced Staff Users
 

X-Cart team
  
Join Date: Dec 2008
Posts: 79
 

Default Re: POODLE vulnerability in SSLv3

Quote:
Originally Posted by tam10
If i only use PayPal do i need the patch or it's not relevant to my cart?

If you are accepting PayPal payments through X-Payments then you definitely need this patch.
__________________
Sincerely yours,
Vladimir Petrov
Senior X-Payments Developer
Reply With Quote

The following user thanks random for this useful post:
tam10 (10-26-2014)
  #16  
Old 10-18-2014, 03:29 AM
  ADDISON's Avatar 
ADDISON ADDISON is offline
 

X-Man
  
Join Date: Jan 2008
Posts: 2,613
 

Default Re: POODLE vulnerability in SSLv3

If you are a sysadmin take a look to this article:

http://www.howtoforge.com/how-to-secure-your-ispconfig-3-server-against-the-poodle-ssl-attack
__________________
X-Cart Next: Business 5.2 (learning and testing)
X-Cart Classic: Gold and Gold Plus 4.7
Lots of Modules and Customizations
OS in use: Red Hat Enterprise, Fedora, CentOS, Debian, Ubuntu, Linux Mint, Kali Linux
Ideas for Server configuration (basicaly): Nginx/Pound (reverse proxy), Apache/Nginx (webserver), Squid/Varnish (cache server), HHVM or (PHP-FPM + PHP 5.6 + opcache), MariaDB/Percona MySQL Server, Redis (storing sessions)

You can catch my ideas here: http://ideas.x-cart.com
Reply With Quote

The following 2 users thank ADDISON for this useful post:
ambal (10-19-2014), kevfromwiganinlancashire (10-18-2014)
  #17  
Old 10-18-2014, 05:01 AM
  kevfromwiganinlancashire's Avatar 
kevfromwiganinlancashire kevfromwiganinlancashire is offline
 

X-Adept
  
Join Date: Nov 2004
Location: Appley Bridge
Posts: 563
 

Default Re: POODLE vulnerability in SSLv3

You can test here https://www.ssllabs.com/ssltest/

Kev
__________________
Php 5.4.16-36.el7_1
MySQL 5.5.41-2.el7_0
Apache
2.4.6-31.el7.centos



4.6.x stalled for now

5.2.6 developing
Reply With Quote

The following 2 users thank kevfromwiganinlancashire for this useful post:
ADDISON (10-18-2014), ambal (10-19-2014)
  #18  
Old 10-18-2014, 05:51 AM
  kevfromwiganinlancashire's Avatar 
kevfromwiganinlancashire kevfromwiganinlancashire is offline
 

X-Adept
  
Join Date: Nov 2004
Location: Appley Bridge
Posts: 563
 

Default Re: POODLE vulnerability in SSLv3

There is some good advice here too https://access.redhat.com/solutions/1232413

Happy to say I'm A- now (cert renewal will bring to A)
__________________
Php 5.4.16-36.el7_1
MySQL 5.5.41-2.el7_0
Apache
2.4.6-31.el7.centos



4.6.x stalled for now

5.2.6 developing
Reply With Quote

The following user thanks kevfromwiganinlancashire for this useful post:
ambal (10-19-2014)
  #19  
Old 10-18-2014, 09:07 AM
  cflsystems's Avatar 
cflsystems cflsystems is offline
 

Veteran
  
Join Date: Apr 2007
Posts: 13,615
 

Default Re: POODLE vulnerability in SSLv3

Careful with turning off SSL3 on server level as some 3rd party services and payment gateways may require SSL3. If this is disabled on server level you need to immediately test the site, all https pages and place test orders to make sure all work.
__________________
Steve Stoyanov
CFLSystems.com
Web Development
Reply With Quote

The following 3 users thank cflsystems for this useful post:
ambal (10-19-2014), kevfromwiganinlancashire (10-18-2014), totaltec (10-18-2014)
  #20  
Old 10-18-2014, 10:23 AM
 
Thomasb134 Thomasb134 is online now
 

X-Adept
  
Join Date: Apr 2007
Location: USA
Posts: 760
 

Default Re: POODLE vulnerability in SSLv3

Quote:
You can test here https://www.ssllabs.com/ssltest/
Thanks for the link. I tried it on my server and it says "This server is not vulnerable to the POODLE attack because it doesn't support SSL 3." Looks like I dodged that bullet.
__________________
Thomas / USA
XCart V4.4.5 Gold
XCart Mobile V1.4.12
XCart X-PDF
XCart X-HotProducts
AlteredCart Checkout One (One Page Checkout)
BCSE Back In Stock
CFL Holiday Message
CFL System Message
Smack Digital (WebsiteCM) Remember Anon Carts
xcartmods Testimonials
Unix, PHP 7.0 (patched 5.4). Currently patching PHP 7.1
MySQL 5.6
Reply With Quote
Reply
   X-Cart forums > X-Payments > X-Payments issues & questions


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT -8. The time now is 06:23 PM.

   

 
X-Cart forums © 2001-2018