X-Cart forums

[aim]

Quote:

Originally Posted by aim

Try to change a one symbol for the lastname on the page like
http://demo.x-cart.com/demo/admin/register.php?mode=update

and click the 'Update' button.

The full solution is


1 Disable the CHECK_CUSTOMERS_INTEGRITY in the config.php file

2 Change a one symbol for the lastname on the page like
http://demo.x-cart.com/demo/admin/register.php?mode=update

and click the 'Update' button.

3 Enable the CHECK_CUSTOMERS_INTEGRITY in the config.php file

[Danimal]

Quote:

Originally Posted by aim

How many customers do you have ?

None. It is a new store. Installed 4.5.4 just days before 4.5.5 came out. So I upgraded before it gets customers.

[aim]

Quote:

Originally Posted by Danimal

Aim, I suppose I never totally grasped the Blowfish Key. Can you first tell me what its duty is. Then what's the reason for regeneration after the upgrade?

I went from a fresh install of 4.5.4 to 4.5.5 so I have not yet done the regeneration. Still getting used to the layout of the 4.5 branch.

The Blowfish key is main security feature to crypt your customer's password and order details in DB

http://help.x-cart.com/index.php?title=X-Cart:Blowfish
http://help.x-cart.com/index.php?title=X-Cart:FAQs#Should_I_re-generate_the_blowfish_encryption_key

1 4.5.5 upgrade packs add new security keys in addition to the $blowfish_key
2 There are some improvements related to the blowfish and new security keys

So to use these security improvements you have to regenerate the blowfish key and security keys using this tool
http://help.x-cart.com/index.php?title=X-Cart:Advanced_Tools#Re-generate_the_Blowfish_Encryption_Key

[Jamesp57]

Can someone tell me many times a year do these security updates or version upgrades come out?

[carpeperdiem]

Quote:

Originally Posted by Jamesp57

Can someone tell me many times a year do these security updates or version upgrades come out?

Security patches: rarely
Updates: historically, 2-4 times a year. Sometimes more. Sometimes less.

THE RANT:
<sounding like a broken record>
patches for bugs should not be bundled with new or improved features.

The current security patch is really not a critical patch, but rather, new features/improvements that the xcart designers decided would be good. Calling it a security patch is a bit misleading and not an accurate representation of what a true security patch should be.

The security of xcart 4.5.4 is just fine, if the store admin takes some basic security steps (lock down the admin at htaccess, constrain admin to specific IP addresses, use complex passwords, etc...) -- what the designers chose to ADD to 4.5.5 basically hardens xcart a bit (which is fine), but it SHOULD NOT have been bundled with the bug fixes that we've been waiting since October 2012 for!!!!

Many of us in the forum have said this about 27 million times (approximately).

This upgrade cycle tried to accomplish many things, all at once -- so it's not as simple as most bug-fix patches.

WHAT THEY SHOULD HAVE DONE:

1. bug fix release
2. new version of x-payments and XPC
3. security enhancement release -- this should have been released on its own timeline, separate from the required bug fixes.

Each of these could work without the other.
BUT by making "x-cart 4.5.5" now all-inclusive, if we want the bug fixes, we get everything that comes with.

[ADDISON]

About Gold Plus version. Let's say there are bugs related to X-MultiCurrency module. One who bought this module for a Gold version, will get the updates in his Helpdesk area. One who bought this module as part of Gold Plus will have to wait for a new XC Gold+ release. Am I right?

If I am right, those with Gold+ are affected. QT should find a solution for this major issue, seeing that upgrades are nightmares in this 4 version of XC.

[cflsystems]

Quote:

Originally Posted by carpeperdiem

<sounding like a broken record>
patches for bugs should not be bundled with new or improved features.

+1

1. Release one XC version per year - that way you have time to really develop wanted/needed new features and test them, and test them again; release beta to selected testers so they can tell you what needs improvement or fix; when released this upgrade should include all bug fixes and security patches to date
2. Release bug fixes every 2-3 months - this has to be as separate installs independent from XC upgrade release. Why do I have to upgrade to new XC version just to fix bugs? Bug fixes should NOT include any improvements or new features.
3. Release security patches immediately when needed.
4. Tie CHANGELOG and bugtracker - make them one and only; when I look at the bug # in the CHANGELOG that same number in the bugtracker should bring the bug description and how to fix.
5. ...more to come from others....

[jillsybte]

Quote:

Originally Posted by aim

The Blowfish key is main security feature to crypt your customer's password and order details in DB

http://help.x-cart.com/index.php?title=X-Cart:Blowfish
http://help.x-cart.com/index.php?title=X-Cart:FAQs#Should_I_re-generate_the_blowfish_encryption_key

1 4.5.5 upgrade packs add new security keys in addition to the $blowfish_key
2 There are some improvements related to the blowfish and new security keys

So to use these security improvements you have to regenerate the blowfish key and security keys using this tool
http://help.x-cart.com/index.php?title=X-Cart:Advanced_Tools#Re-generate_the_Blowfish_Encryption_Key

I am trying yet again to upgrade my 4.1.8 store--this time to 4.5.5. I never try to patch/upgrade. I am doing a clean install of 4.5.5.

I have many orders and registered customers and want to transfer the data to my new store. I know the blowfish keys for each installation must match in order for the data to transfer properly. In the past, I have just copied the blowfish key of my live store to the config.php file of the new installation (BEFORE transferring any data). After that, I copy my admin profile from the old store's DB to the new DB and everything seems fine--I'm able to log in to my new store.

However, 4.5.5 adds some new keys to the config.php file and you state here that further changes/enhancements have been made to the blowfish key. This has me worried about manually changing the blowfish key in my 4.5.5 config.php file. However, if I don't change it, how can I transfer my customer/order data?

[carpeperdiem]

4.5.5 upgrade is a colossal fail

http://forum.x-cart.com/showthread.php?t=66211

We need JUST the bug fixes.
FUCK the so-called security enhancements.
WHOEVER approved this needs to pull their head out of the sand (I was going to be much more graphic) and get a grasp on what your customers want.

We want bug fixes.
We don't want xcart to be the one-stop do-everything application.

It's perfectly fine if X-cart tells the admin: "it is your responsibility to restrict the admin by IP, and to lock down and harden your server".

I don't need you to destroy a perfectly fine cart attempting to solve the world's security problems.

I expect that you will recall the 4.5.5 upgrade, since it is anything but stable for production (or upgrades).

[Danimal]

Another failure.

How am I supposed to edit the description? We are using the InnovaEditor and I clicked the upper left hand button in the editor bar to blow it up. Not cool!

Eta: I will fix it on my own. But still not cool.


.