Follow us on Twitter X-Cart on Facebook Wiki
Shopping cart software Solutions for online shops and malls

POODLE vulnerability in SSLv3
 
Reply
   X-Cart forums > X-Payments > X-Payments issues & questions
 
Thread Tools
  #41  
Old 10-28-2014, 06:45 PM
 
donmck donmck is offline
 

Senior Member
  
Join Date: Dec 2005
Location: Australia
Posts: 137
 

Default Re: POODLE vulnerability in SSLv3

Hi all,
I am an older member with an old cart, version 4.0.17

I use the Commonwealth Bank Australia, (via https://migs.mastercard.com.au) and Paypal as payment gateways, and recently had the APIs updated for the Paypal changes. I am hoping that this is all under control now as Paypal said they would swap over before 1-November 2014.

Re the Poodle problem:
Unfortunately there is no directory or file: modules/XPayments_Connector/xpc_func.php in my v4.0.17

I did a complete files text search on the string "SSLVERSION" and I only found 2 references of it in the file "core" (no extension file name) which is 5,255,176 bytes long.

My host provider Emerson has indicated that he can disable the SSLv3 protocol on my server whenever I request it.

I'll chase up my bank gateway, and see what is happening there, but I would appreciate any assistance or advice that members can give me,

Thanks in advance,

Cheers Don...
__________________
Don McKenzie

http://www.dontronics-shop.com/
X-Cart 4.0.17 [Unix]

█ Hosting by www.totalserversolutions.com The very best home for your X-Cart. (was ewdhosting.com)
Reply With Quote
  #42  
Old 10-28-2014, 09:41 PM
  moonslice's Avatar 
moonslice moonslice is offline
 

Senior Member
  
Join Date: May 2004
Posts: 123
 

Default Re: POODLE vulnerability in SSLv3

Thanks Steve!

1) regarding post #21, my 4.4.5 is a little different - saying
Quote:
if ($use_ssl3)
$execline .= ' --sslv3';
and
Quote:
if ($use_ssl3)
curl_setopt ($ch, CURLOPT_SSLVERSION, 3);
and
Quote:
if ($use_ssl3)
$args[] = '-ssl3';
instead of what that post showed.

Will it work to comment that those out?

2) And in func.https_ssleay.php it only shows ssl3 in
Quote:
function func_https_request_ssleay($method, $url, $data="", $join="&", $cookie="", $conttype="application/x-www-form-urlencoded", $referer="", $cert="", $kcert="", $headers="", $timeout = 0, $use_ssl3 = false)
and
Quote:
$execline .= " $ui[host] $ui[port] " . ($use_ssl3 ? '1' : '0') . ' ' . func_shellquote($cert) . ' ' . func_shellquote($kcert) . ' < ' . func_shellquote($tmpfile) . ' 2>' . func_shellquote($ignorefile);

Should I also comment those out even tho they aren't "if" statements?

Thanks!
__________________
Jim - X-cart Gold 4.4.5
Reply With Quote
  #43  
Old 10-28-2014, 09:51 PM
  cflsystems's Avatar 
cflsystems cflsystems is offline
 

Veteran
  
Join Date: Apr 2007
Posts: 13,616
 

Default Re: POODLE vulnerability in SSLv3

Different XC versions will have different code yes.

You can either comment out the ifs or you can also explicitly set the ssl3 variable to false right after the opening bracket of the function and it will not be used

function NAME (PARAMETERS)
{
// set ssl3 to false so it is not used
$use_ssl3 = false;
__________________
Steve Stoyanov
CFLSystems.com
Web Development
Reply With Quote
  #44  
Old 10-28-2014, 09:57 PM
  moonslice's Avatar 
moonslice moonslice is offline
 

Senior Member
  
Join Date: May 2004
Posts: 123
 

Default Re: POODLE vulnerability in SSLv3

What about the 2 pieces of code that don't have 'if' (listed in my second item in post #42) that are in func.https_ssleay.php.

Should I also comment those out?

thanks!!!
__________________
Jim - X-cart Gold 4.4.5
Reply With Quote
  #45  
Old 10-28-2014, 10:43 PM
  cflsystems's Avatar 
cflsystems cflsystems is offline
 

Veteran
  
Join Date: Apr 2007
Posts: 13,616
 

Default Re: POODLE vulnerability in SSLv3

You don't have to comment out anything, just add

$use_ssl3 = false;

right after the opening function bracket
__________________
Steve Stoyanov
CFLSystems.com
Web Development
Reply With Quote
  #46  
Old 10-28-2014, 11:27 PM
  ambal's Avatar 
ambal ambal is offline
 

X-Cart team
  
Join Date: Sep 2002
Posts: 4,106
 

Default Re: POODLE vulnerability in SSLv3

> What about using x-cart 4.4.5 without x-payments - just a direct use of
> AuthorizeNet AIM under payment gateways?

This is not PCI compliant.
__________________
Sincerely yours,
Alex Mulin
VP of business development for X-Cart
X-Payments project manager
Reply With Quote
  #47  
Old 10-29-2014, 05:18 AM
  cflsystems's Avatar 
cflsystems cflsystems is offline
 

Veteran
  
Join Date: Apr 2007
Posts: 13,616
 

Default Re: POODLE vulnerability in SSLv3

Quote:
Originally Posted by ambal
> What about using x-cart 4.4.5 without x-payments - just a direct use of
> AuthorizeNet AIM under payment gateways?

This is not PCI compliant.

As is turns out thought PCI compliance means nothing
It simply doesn't work - biggest retailers in the world are hacked big time ....

With that said it doesn't mean you should not be compliant though
__________________
Steve Stoyanov
CFLSystems.com
Web Development
Reply With Quote
  #48  
Old 10-29-2014, 05:21 AM
  ambal's Avatar 
ambal ambal is offline
 

X-Cart team
  
Join Date: Sep 2002
Posts: 4,106
 

Default Re: POODLE vulnerability in SSLv3

Quote:
Originally Posted by cflsystems
As is turns out thought PCI compliance means nothing
It simply doesn't work - biggest retailers in the world are hacked big time ....

With that said it doesn't mean you should not be compliant though


Steve, according to our own experience (and you know we worked with thousands of merchants from entire world) it works like this:
if something happens - you are liable and that's it. You were not compliant. Your fault.
__________________
Sincerely yours,
Alex Mulin
VP of business development for X-Cart
X-Payments project manager
Reply With Quote
  #49  
Old 10-29-2014, 05:26 AM
  cflsystems's Avatar 
cflsystems cflsystems is offline
 

Veteran
  
Join Date: Apr 2007
Posts: 13,616
 

Default Re: POODLE vulnerability in SSLv3

Oh yes that's exactly how it works no doubt
__________________
Steve Stoyanov
CFLSystems.com
Web Development
Reply With Quote
  #50  
Old 10-29-2014, 08:32 AM
 
YogaHub YogaHub is offline
 

Newbie
  
Join Date: May 2009
Posts: 5
 

Default Re: POODLE vulnerability in SSLv3

Alex, I've manually applied the fixt you suggested to Mark above to one of our stores running v4.4.3 and it worked successfully, however I have an older store that's running v4.1.9 which cannot be upgraded due to the number of hacks/mods and customizations we've applied. We're scheduled for a complete redesign in the next few months, however based on an email from Authorize.Net we just received, they are closing SSL v3 support as of November 4th.

The trouble is, I cannot even find a file called xpc_func.php, not in the XPayments_Connector folder or anywhere else on v4.1.9. What suggestions do you have? And what version of SSL does this older version of X-Cart use by default or currently support?

Thanks for your help,
Segovia
__________________
4 Stores running X-Cart Gold
v4.1.9 | v4.3.2 | v4.4.0
Reply With Quote
Reply
   X-Cart forums > X-Payments > X-Payments issues & questions


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT -8. The time now is 04:58 PM.

   

 
X-Cart forums © 2001-2018