POODLE vulnerability in SSLv3

 
#51
10-29-2014, 11:04 AM
donmck
Senior Member
Join Date: Dec 2005
Location: Australia
Posts: 137

Re: POODLE vulnerability in SSLv3

Quote:
Originally Posted by YogaHub
The trouble is, I cannot even find a file called xpc_func.php, not in the XPayments_Connector folder or anywhere else on v4.1.9. What suggestions do you have? And what version of SSL does this older version of X-Cart use by default or currently support?

Thanks for your help,
Segovia

I have the same problem with a V4.0.17 XC.

See my post earlier (first on page 5).
http://forum.x-cart.com/showpost.php?p=379077&postcount=41

Cheers Don...
__________________
Don McKenzie

http://www.dontronics-shop.com/
X-Cart 4.0.17 [Unix]

Hosting by www.totalserversolutions.com The very best home for your X-Cart. (was ewdhosting.com)
#52
10-29-2014, 11:22 AM
cherie
X-Wizard
Join Date: May 2003
Location: USA
Posts: 1,534

Re: POODLE vulnerability in SSLv3

Quote:
Originally Posted by ambal
This is not PCI compliant.
Is that why there is no patch outside of X-Payments?
__________________
redlimeweb.com
custom mods and design integration
4.7 linux
#53
10-29-2014, 04:26 PM
moonslice
Senior Member
Join Date: May 2004
Posts: 128

Re: POODLE vulnerability in SSLv3

If I upgrade my server to disallow SSLv3 - cPanel has a solution where for SSL/TLS I say "All -SSLv2 -SSLv3":

1) Do I need to do anything at all with X-Cart code since the server already disallows SSLv3?

2) I also have many LiteCommerce ASPE 2.1 shopcarts. Will LiteCommerce carts still work if the server no longer allows SSLv3?
__________________
Jim - X-cart Gold 4.4.5
#54
10-30-2014, 12:58 AM
ambal
X-Cart team
Join Date: Sep 2002
Posts: 4,121

Re: POODLE vulnerability in SSLv3

> 2) I also have many LiteCommerce ASPE 2.1 shopcarts. Will LiteCommerce carts
> still work if the server no longer allows sslv3?

I advise you to contact our techs via your HelpDesk account.
__________________
Sincerely yours,
Alex Mulin
VP of Business Development for X-Cart
X-Payments product manager
#55
10-30-2014, 01:39 AM
random
Advanced Staff Users
X-Cart team
Join Date: Dec 2008
Posts: 79

Re: POODLE vulnerability in SSLv3

Quote:
Originally Posted by YogaHub
Alex, I've manually applied the fix you suggested to Mark above to one of our stores running v4.4.3 and it worked successfully, however I have an older store that's running v4.1.9 which cannot be upgraded due to the number of hacks/mods and customizations we've applied. We're scheduled for a complete redesign in the next few months, however based on an email from Authorize.Net we just received, they are closing SSL v3 support as of November 4th.

The trouble is, I cannot even find a file called xpc_func.php, not in the XPayments_Connector folder or anywhere else on v4.1.9. What suggestions do you have? And what version of SSL does this older version of X-Cart use by default or currently support?

Quote:
Originally Posted by donmck
I have the same problem with a V4.0.17 XC.

See my post earlier (first on page 5).
http://forum.x-cart.com/showpost.php?p=379077&postcount=41

Cheers Don...

File "modules/XPayments_Connector/xpc_func.php" is only available if you're using X-Payments to receive payments.
In all other cases this patch is not applicable to you.

By default, X-Cart versions use the default SSL version, which should actually be TLS after SSLv3 is disabled on your server (SSLv2 should have been disabled already 5-7 years ago if you're using up-to-date libCURL).
Since X-Cart 4.2.2 there is also an ability, used by some built-in gateways, to force SSLv3 in its code (include/func/func.https_*.php files), which should be removed or replaced with code that enables TLS.
__________________
Sincerely yours,
Vladimir Petrov
Senior X-Payments Developer
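The forced-SSLv3 code path random describes, beside the kind of replacement that lets TLS be negotiated, as an added example written for this thread rather than X-Cart's own func.https_*.php code; the function names and the gateway URL passed in are hypothetical.

```php
<?php
// Added example, not X-Cart code. Contrasts an HTTPS helper that pins SSLv3
// (the pattern random describes in include/func/func.https_*.php) with one that
// lets libcurl negotiate TLS. Function names are hypothetical.

// BEFORE: protocol pinned to SSLv3 (older code often writes the literal 3). Once
// a gateway turns SSLv3 off, every request from the store fails at the handshake,
// regardless of what the store's own web server has disabled.
function gateway_request_forced_sslv3($url, array $fields)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_SSLv3, // the line the patch removes
    ));
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// AFTER: no SSLv3 pin. Ask for TLS 1.2 or later where this PHP/libcurl build
// knows the constant, otherwise TLS 1.0 or later. Peer and hostname verification
// stay on so the protocol fix does not weaken authentication of the gateway.
function gateway_request_tls($url, array $fields)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_SSLVERSION     => defined('CURL_SSLVERSION_TLSv1_2')
            ? CURL_SSLVERSION_TLSv1_2 : CURL_SSLVERSION_TLSv1,
    ));
    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("Gateway request failed: $err");
    }
    curl_close($ch);
    return $body;
}
```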
#56
10-30-2014, 02:16 AM
ambal
X-Cart team
Join Date: Sep 2002
Posts: 4,121

Re: POODLE vulnerability in SSLv3

Yeah, folks, if you are not using X-Payments you do not need to apply X-Payments connector patches. This thread was originally created about fixing the POODLE in case you do use X-Payments and your server disabled SSLv3. As you can see it is posted in "X-Payments" part of the forum.
__________________
Sincerely yours,
Alex Mulin
VP of Business Development for X-Cart
X-Payments product manager

Last edited by ambal : 10-30-2014 at 02:20 AM.
#57
10-30-2014, 05:11 AM
Ksenia
X-Cart team
Join Date: Apr 2013
Posts: 735

Re: POODLE vulnerability in SSLv3

This information is relevant for you if you're using one of the affected X-Cart versions:

Affected versions: 4.2.2 - 4.6.4 of all editions (Gold, GoldPlus, Platinum, Pro)
NOT affected: 4.2.1 and earlier ; 4.6.5 (the latest currently) ; all versions of X-Cart 5.x

Applying these patches is a must if you use:
* PayPal Advanced;
* UPS;
* AuthorizeNet - AIM (in older X-Cart versions through 4.4.5).
Two of the aforementioned services have already informed about their intention to disable support for SSLv3 because of the POODLE vulnerability (read more about it at the very end of this email). The timeframes differ, but once it happens, the current integration will stop working. It means that to continue using their services you must patch your store, the sooner the better.


I don't use the above, do I need the patch?
Applying these patches is strongly recommended in any case, even if your store is not using the services listed above, because it may be using some other services that may also require the changes implemented by the patches.


What the patch does:
These patches provide updates for your HTTPS modules and help to avoid possible problems with HTTPS requests sent by your store to various services. The integrations with these services (including UPS, PayPal Advanced, Authorize.Net-CIM, but probably not limited to this list) may stop working in the near future when these services remove support for the outdated and vulnerable SSLv3 protocol.

!!! If you host with X-Cart and your plan includes free support, or if you have X-Cart support subscription, please submit a ticket to have your store patched FOR FREE.


To apply the patch, follow the instructions below:

It is HIGHLY RECOMMENDED to back up your database and files before patching the store.

1) Download the patch (the remove_ssl3-2014-10-30{version}.tgz archive file) from the "File area" section of your Qualiteam account.

You can find the patch at
X-Cart -> X-Cart supporting files for prev versions -> {Your X-Cart branch} -> {Your X-Cart version} -> Updates and patches

2) Decompress the archive file.
The following files/folders will be extracted:
/DIFF-xcart - contains DIFF files for patching customized X-Cart files
/README - this README file
/xcart - contains already patched X-Cart files
DIFF-xcart.diff - contains all the DIFF files from the DIFF-xcart folder combined into one file
patch.sql - contains SQL changes

Note:
A DIFF file is a file that contains the differences between two files. In our case, DIFF file contains changes made to the current file compared to the former version of the same file.

3) Make sure the database backup is created, and apply patch.sql to your database.

4) Install the patch, there are 2 ways to do it:

4.a) replace the affected files in your software copy with the patched files;

If the files from the xcart directory are not modified in your X-Cart, you may use the first method of applying the patch. This way, the files from the patch will overwrite the same files in your X-Cart.
You should copy the files from the patch to your X-Cart installation using FTP or another tool that you use for managing files on your web server. The copied files will replace the original ones that contain errors, thus the errors will be fixed.

NOTE: The patch will overwrite the files completely, i.e. the target files will have the default settings. If you are now using a modified/customized version of the files, make sure to re-implement the changes after applying the patch, or just install the patch manually.

4.b) apply the patch manually using DIFF files.

If the files were modified, it is recommended to apply the patch manually using the DIFF files. Thus, you will keep your modifications intact. To learn about this installation method, please read the article in the X-Cart Knowledge Base.

NOTE:
* Use either the DIFF-xcart.diff patch or the DIFF files from the DIFF-xcart folder. Do not apply both.

5) Make sure your payment and shipping integrations work correctly.
If you encounter any problems during or after installation, feel free to contact our support team for help.


---------------------------------------------------------------------------------------
PS: A cute poodle here: http://www.youtube.com/watch?v=Gw85SGlIo8Y
__________________
X-Cart team

Last edited by Ksenia : 04-29-2015 at 09:54 PM.
#58
10-30-2014, 05:27 AM
DanUK
X-Adept
Join Date: Dec 2003
Location: UK
Posts: 800

Re: POODLE vulnerability in SSLv3

Thanks Ksenia, if SSLv3 has been disabled by my hosts should I still patch? I'm getting:

This server is not vulnerable to the POODLE attack because it doesn't support SSL 3.


This server supports TLS_FALLBACK_SCSV to prevent protocol downgrade attacks.

when I run the ssltest.

Thanks

Dan
__________________
4.4.2

and

4.6.1
#59
10-30-2014, 05:33 AM
Ksenia
X-Cart team
Join Date: Apr 2013
Posts: 735

Re: POODLE vulnerability in SSLv3

Quote:
Originally Posted by DanUK
Thanks Ksenia, if SSLV3 has been disabled by my hosts should I still patch?

Hi Dan,

Most probably you should.

It's good your host switched to TLS, but the patches we provided are about 3rd party services your store integrates with, about disabling SSLv3 on their side (making X-Cart compatible with it, to be exact). PayPal Advanced and Authorize.Net CIM are in the confirmed list, and even more companies are about to switch, too.
__________________
X-Cart team
#60
10-30-2014, 05:34 AM
drudden
Advanced Member
Join Date: Dec 2005
Posts: 66

Re: POODLE vulnerability in SSLv3

Quote:
Originally Posted by Ksenia
1) Download the patch (the remove_ssl3-2014-10-30{version}.tgz archive file) from the "File area" section of your Qualiteam account.

You can find the patch at
X-Cart -> X-Cart supporting files for prev versions -> {Your X-Cart branch} -> {Your X-Cart version} -> Updates and patches


I do not have the patch files listed in my file area for 4.3.1. When will they become available?
__________________
Thanks,

Dan

X-Cart Version 4.3.1
X-Cart forums © 2001-2020