Follow us on Twitter X-Cart on Facebook Wiki
Shopping cart software Solutions for online shops and malls
 

X-Cart 4.7.11 and Security Patches

 
Reply
   X-Cart forums > News and Announcements
 
Thread Tools
  #1  
Old 04-25-2019, 07:06 AM
 
mvs mvs is offline
 

X-Cart team
  
Join Date: Nov 2018
Posts: 118
 

Default X-Cart 4.7.11 and Security Patches

Hi fellow X-Carters,

We’ve just released X-Cart v4.7.11. We have also prepared some security patches for X-Cart v4.4.0 and higher. You might want to check out the blog post on both: https://www.x-cart.com/blog/x-cart-v4-7-11-and-security-patches.html
__________________
Max Slepuhov
X-Cart
Reply With Quote

The following 2 users thank mvs for this useful post:
elmirage001 (04-25-2019), PhilJ (04-25-2019)
  #2  
Old 04-25-2019, 07:21 AM
 
mvs mvs is offline
 

X-Cart team
  
Join Date: Nov 2018
Posts: 118
 

Default Re: X-Cart 4.7.11 and Security Patches

Changelog:

*BACKOFFICE*
[*] 22 Feb 2019, aim - Improvement (Y:148789): Main page :: Edit languages admin/languages.php did not work when there was a language cookie like en_US. Fixed.[*] 31 Jan 2019, aim - Improvement (Y:148757): Multiple addresses are not allowed to be used in fields like 'Site administrator email address' / 'Users department email address' / '"From" email address'.[*] 29 Jan 2019, aim - Improvement (Y:148769): Warning related to php.net/eol.php updated for PHP7.1.x.
[!] 30 Jan 2019, aim - Bug (Y:148746): The Admin area did not work behind Cloudflare. Fixed. The error was 'It seems your IP address has changed. For security reasons your user session has been terminated by the session protection mechanism (PROTECT_XID_BY_IP)'.....
[!] 29 Jan 2019, aim - Bug (Y:148767): PHP Fatal error related to the 'Delete all orders' feature: Uncaught Error: Call to undefined method XCCostChange::deleteOrder() in include/orders_deleteall.php:106. Fixed.

*USERS*
[*] 11 Feb 2019, aim - Improvement (Y:148779): Login history is now IPv6 compatible.

*PAYMENTS*
[*] 10 Apr 2019, aim - Improvement (Y:148766): Apple Pay/Visa Checkout is now available through the new Elavon Converge Hosted Payments Page payment gateway.[*] 19 Feb 2019, aim - Improvement (Y:148783): [Socialize] Removed Google+ as deprecated. [Google plus][*] 12 Feb 2019, aim - Improvement (Y:148770): AuthorizeNet - SIM: Changed HMAC-MD5 to HMAC-SHA512 for Unique Transaction Fingerprint using a Signature Key https://support.authorize.net/s/article/What-is-a-Signature-Key[*] 09 Feb 2019, aim - Imrovement (Y:1487770: [Ingenico ePayments e-Commerce] (former Ogone - Web Based) updated to support UTF8 (International names).
[!] 14 Mar 2019, aim - Bug (Y:148797 B:0050537): [PayPal Payments Advanced / Partner Hosted with PCI Compliance][Payflow API] Error 'Field format error: Request is too large to process' for large carts. Fixed.
[!] 29 Jan 2019, aim - Bug (Y:148759): AuthorizeNet eCheck: Authorize.Net is phasing out the MD5 based hash use for transaction response verification in favor of the SHA-512 based hash utilizing a Signature Key. Adjusted.
[!] 11 Feb 2019, aim - Bug (Y:14877: [PayPal]. Sometimes orders failed with the error 'Declined: Payment amount mismatch: wrong order currency'. Fixed.
[!] 11 Feb 2019, aim - Bug (Y:148771): [PayPal] Website Payments Pro Hosted in mobile. Orders were declined sometimes. Fixed. Thanks to Chemisk.
[!] 01 Feb 2019, aim - Bug (Y:148739): [PayPal Express]. "Error Invalid Data: This transaction cannot be processed. The amount to be charged is zero". Orders paid partially with a Gift certificate were not processed via PayPal sometimes. Fixed. Thanks to Mixon.
[!] 29 Oct 2018, aim - Bug (Y:148728, B:0050101): [Sage Pay Go - Form protocol] did not work under PHP7.2/PHP7.3 with OpenSSL. Payment amount mismatch: wrong order total error related to VISA cards. Fixed.

*SHIPPING*
[*] 26 Feb 2019, aim - Improvement (Y:148625 B:0043214): For defined methods, the total order weight is now taken into account when real-time shipping calculation is disabled (so that the shipping methods with weight limits will show only when total cart weight is within the limits).
[!] 14 Jan 019, aim - Bug (Y:148751): USPS Delivery to the United Kingdom/Swaziland/Guernsey/Isle of Man/Jersey/Tokelau was broken. Fixed.

*CHECKOUT*
[!] 19 Dec 2018, aim - Bug (Y:148740): [Amazon_Payments_Advanced] A wrong payment method was displayed in orders when the regular checkout flow was used. Fixed.

*MODULES/ADD-ONS*
*Advanced Customer Reviews*
[*] 16 Jan 2019, aim - Improvement (Y:148755): Advanced Customer Reviews and Customer Reviews are IPv6 compatible now.
*Amazon Feeds*
[*] 15 Mar 2019, aim - Improvement (Y:148799, Y:148793): [Amazon_Feeds] supports United Arab Emirates (U.A.E.) now. Changes for Canada and Mexico endpoints.
[*] 25 Jan 2019, aim - Improvement (Y:148737): [Amazon Feeds] Added the categories CellularPhoneCase/ScreenProtector, LightMotor/LightMotorVehicle, NetworkAdapter, Industrial/AdhesiveTapes. [Amazon_Feeds]
*Amazon Payments Advanced*
[*] 22 Mar 2019, aim - Improvement (Y:148800): [Amazon_Payments_Advanced] Amazon Pay Strong Customer Authentication (SCA). https://pay.amazon.com/uk/help/JE5KSJW4SFH2UM8#PSD2_SCA . [Second Payments Services Directive (PSD2)]
*Detailed Product Images*
[*] 26 Oct 2018, aim - Improvement (Y:148729): [Detailed Product Images] jQuery Colorbox widget updated from v1.3.15 to 1.6.4. Retina display support added.
*EU Cookie Law / GDPR-friendly*
[!] 11 Feb 2019, aim - Bug (Y:148780): [EU_Cookie_Law GDPR] REGEXP_REPLACE does not exist sql error. Fixed.
*Flyout Menus*
[!] 23 Jan 2019, aim - Bug (Y:148760): [Flyout Menus] Wrong product count was shown for a category when the setting 'Show products which are out of stock' was disabled. Fixed.
*Gift Certificates*
[!] 01 Feb 2019, aim - Bug (Y:148772): [Gift Certificates] There was no ability to unset certificates if the module 'Discount Coupons' was disabled. Fixed.
*Mailchimp*
[*] 07 Nov 2018, aim - Improvement (Y:148733): [Adv_Mailchimp_Subscription] A better text added on the 'Thank you for subscription' page. 'Please confirm subscription by clicking the "Yes, subscribe me to this list."....'
[!] 18 Dec 2018, aim - Bug (Y:148747, B:0050227): [Mailchimp] subscription was broken. "Timestamp_signup". "This value is not a valid datetime". Thanks to Joe Funderburg (Cherie).
*MultiCurrency*
[!] 18 Feb 2019, aim - Bug (Y:148782, B:0050472): [XMultiCurrency] Free API key is required now for http://free.currencyconverterapi.com/ service. Fixed. API version changed from v3 to v6.
*Product Notifications*
[!] 02 Apr 2019, aim - Bug (Y:148803, B:0050541): [Product Notifications] bug. Low stock notifications did not work. Fixed. [Product_Notifications]
*Survey*
[*] 16 Jan 2019, aim - Improvement (Y:148756): [Survey] module is IPv6 compatible now.
*TaxCloud*
[!] 08 Apr 2019, aim - Bug (Y:148805, B:0050579): [TaxCloud] Duplicate Lookup API calls. Fixed.
*X-PDF Invoices*
[*] 09 Apr 2019, aim - Improvement (Y:148806): [X-PDF] works on PHP7.3 now. mpdf has been updated from version 6.1.4 to 8.0.0. It requires, at the minimum, PHP version 5.6, and has been tested with PHP version up to 7.3. [XPDF]. Minor. [PHP 73 compatible][PHP 72 compatible][PHP 71 compatible].

*IMPORT/EXPORT*
[*] 18 Feb 2019, aim - Improvement (Y:148786): [Detailed Product Images] Images are now not duplicated during import.

*PERFORMANCE*
[*] 01 Apr 2019, aim - Improvement (Y:148802, B:0050565): Optimization for image.php.[*] 25 Feb 2019, aim - Improvement (Y:148792): Small storefront optimization.[*] 14 Feb 2019, aim - Improvement (Y:148784): [SEO] Google PageSpeed Insights improvement. Removed the 'combine,minify,optimize' option for the "Use speed-up tool for CSS" setting due to the changes in the 'Google PageSpeed Insights' algorithms.[*] 11 Feb 2019, aim - Improvement (Y:148776): The field xcart_products.rating is now not updated when an order is placed to avoid query cache invalidation. Thanks to Abr.[*] 04 Feb 2019, aim - Improvement (Y:148773): [Special_Offers] Huge optimization for the Special_Offers module.[*] 29 Jan 2019, aim - Improvement (Y:14876: Core optimization related to x_load and xcart_config - db_fetch_all.[*] 30 Oct 2018, aim - Improvement (Y:148730): Bot signatures updated. Added MJ12bot SEMrushBot and others. It helps to reduce the amount of MySQL queries. https://forum.x-cart.com/showpost.php?p=409355&postcount=25

*SECURITY*
[*] 25 Jan 2019, aim - Improvement (Y:148764): Possibility of SQL injection. Fixed.[*] 16 Nov 2019, aim - Improvement (Y:148736): Updated PHPMailer version from 5.2.26 to 5.2.27 . Fixed a potential security issue. (Stores with the setting 'Use SMTP server instead of internal PHP mailer' enabled are affected.)

*MISCELLANEOUS*
[*] 14 Mar 2019, aim - Improvement (Y:14879: Renamed Macedonia to North Macedonia.[*] 14 Dec 2018, aim - Improvement (Y:148069): jQuery updated to version 3.4.0. (The previous jQuery version was shown to be a potential risk for Cross-Site Scripting attacks according to the results of a Trustwave scan performed by one of our clients. The update remedies the situation.)
[!] 04 Mar 2019, aim - Bug (Y:148742): PHP7.3 minor bugfix related to PCRE2. PHP7.3 critical bugfix related to PCRE2. Compilation failed: invalid range in character class at offset. Product_Options. Add option group. [PHP 73 compatible]
[!] 21 Feb 2019, aim - Bug (Y:14878: All the HTTPS modules except libCURL sometimes did not work correctly with the HTTP/1.1 100 Continue header. Fixed.
[!] 18 Jan 2019, aim - Bug (Y:148753): 'Automatically convert CSS to inline styles in HTML emails' did not work in PHP7.3 PHP73. Warning: preg_match(): Compilation failed: invalid range in character class at offset 4 in include/lib/cssin/vendor/simple_html_dom/simple_html_dom.php on line 1364. Fixed.
__________________
Max Slepuhov
X-Cart
Reply With Quote

The following user thanks mvs for this useful post:
chamberinternet (04-26-2019)
  #3  
Old 04-25-2019, 09:48 AM
 
Eyeglasses Expert Eyeglasses Expert is offline
 

eXpert
  
Join Date: May 2010
Posts: 307
 

Default Re: X-Cart 4.7.11 and Security Patches

great, I will try this new version right away!
does this version supports php7.3?
Reply With Quote
  #4  
Old 04-25-2019, 07:53 PM
 
mvs mvs is offline
 

X-Cart team
  
Join Date: Nov 2018
Posts: 118
 

Default Re: X-Cart 4.7.11 and Security Patches

Quote:
Originally Posted by Eyeglasses Expert
great, I will try this new version right away!
does this version supports php7.3?
4.7.11 fully supports PHP 7.3
Please let me know what do you think about the release.
__________________
Max Slepuhov
X-Cart
Reply With Quote
  #5  
Old 04-26-2019, 03:07 AM
 
DanUK DanUK is offline
 

X-Adept
  
Join Date: Dec 2003
Location: UK
Posts: 800
 

Default Re: X-Cart 4.7.11 and Security Patches

I have an older 4.6.1. Patches work fine up until the jquery-min.js patch. It won't patch as it is different from what it is expecting but if I just replace it, I get some oddities on the front end of the shop but also this message pop up on the admin side:


Quote:
blcckUI requires jQuery v1.2.3 or later! You are using v1.10.2


It has replaced v1.7.1 where it works normally if I reinstate it.


I'm guessing this will ultimately require tech support installation but just wondering if this message points to anything I can fix?



Thanks


Dan
__________________
4.4.2

and

4.6.1
Reply With Quote
  #6  
Old 04-26-2019, 04:34 AM
 
aim aim is offline
Advanced Staff Users
 

X-Cart team
  
Join Date: Dec 2008
Posts: 928
 

Default Re: X-Cart 4.7.11 and Security Patches

Quote:
Originally Posted by DanUK
I have an older 4.6.1. Patches work fine up until the jquery-min.js patch. It won't patch as it is different from what it is expecting but if I just replace it, I get some oddities on the front end of the shop but also this message pop up on the admin side:





It has replaced v1.7.1 where it works normally if I reinstate it.


I'm guessing this will ultimately require tech support installation but just wondering if this message points to anything I can fix?



Thanks


Dan

Hello,

You can add the code
Code:
;jQuery.ajaxPrefilter( function( s ) { if ( s.crossDomain ) { s.contents.script = false; } } );

right at the end of the files
skin/common_files/lib/jquery-min.js
skin/common_files/lib/jquery-min.1x.js (if exists)

Thank you.
__________________
Sincerely yours,
Ildar Amankulov
Head of Maintenance group
Reply With Quote
  #7  
Old 04-26-2019, 05:48 AM
 
DanUK DanUK is offline
 

X-Adept
  
Join Date: Dec 2003
Location: UK
Posts: 800
 

Default Re: X-Cart 4.7.11 and Security Patches

Thanks Ildar, is that added to the existing file or the new one?



Dan
__________________
4.4.2

and

4.6.1
Reply With Quote
  #8  
Old 04-26-2019, 06:11 AM
 
cjstancil cjstancil is offline
 

Member
  
Join Date: May 2011
Posts: 26
 

Default Re: X-Cart 4.7.11 and Security Patches

I'm manually applying the patch security-jquery-sql_injection-2019-04-25_4.7.10. When I patched the jquery-min.js file (which basically replaced the entire contents of that file if I understand this correctly) I'm getting a red X box in my cPanel File Manager editor saying that there's a missing semicolon.

Attached is a screen capture. Am I doing something wrong? I literally just deleted the old contents and replaced it with the patch file contents starting with !function...
Attached Images
File Type: jpg Screenshot (1).jpg (170.4 KB, 11 views)
__________________
Chuck
Logic Rail Technologies
X-Cart 4.7.10
Reply With Quote
  #9  
Old 04-28-2019, 08:48 PM
 
aim aim is offline
Advanced Staff Users
 

X-Cart team
  
Join Date: Dec 2008
Posts: 928
 

Default Re: X-Cart 4.7.11 and Security Patches

Hello Dan and Chuck,

The code
Code:
;jQuery.ajaxPrefilter( function( s ) { if ( s.crossDomain ) { s.contents.script = false; } } );

has to be added to the existing jquery-min.js

1) Make a backup of your skin/common_files/lib/jquery-min.js file.
2) Open it in a text editor
3) Add the code above right at the end of the file.
4) Apply the security-jquery-sql_injection-2019-04-25 patch to other files.

Thank you.
__________________
Sincerely yours,
Ildar Amankulov
Head of Maintenance group
Reply With Quote
  #10  
Old 04-29-2019, 12:50 AM
 
DanUK DanUK is offline
 

X-Adept
  
Join Date: Dec 2003
Location: UK
Posts: 800
 

Default Re: X-Cart 4.7.11 and Security Patches

Thanks, I have appended the code and it seems to work. I wasn't sure if the double semi-colon scenario is a problem, file ends like this:





{return f})})(window);




and if I append the aforementioned code to it I get:


{return f})})(window);;jQuery.ajaxPrefilter( function( s ) { if ( s.crossDomain ) { s.contents.script = false; } } );

Is the underlined double semi-colon a problem i.e. should there be only one?
__________________
4.4.2

and

4.6.1
Reply With Quote
Reply
   X-Cart forums > News and Announcements



Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT -8. The time now is 10:34 PM.

   

 
X-Cart forums © 2001-2020