security-patch-2007-06-20

 
X-Cart forums > News and Announcements

#1
Old 06-21-2007, 07:50 AM
 
carpeperdiem (X-Guru, Join Date: Jul 2006, Location: New York City, USA, Posts: 5,399)

security-patch-2007-06-20

There is a new security patch, identified as "SEVERITY: Critical", for users of 4.1.7.

It should be in your file area.

security-patch-2007-06-20

One comment:

In the install instructions, it states:
Quote:
2. If the version of your X-Cart is 4.1.7, replace the file <xcart_dir>/include/login.php with the file include/login.php from this patch.
If you have a modified login.php, you must not do this, and instead, do a compare and manually decide what code to upgrade.

CDSEO, "Remember Me" and other mods/hacks (including a redirect to a static page after logout) all have modified login.php, so don't forget to backup, and be careful out there.

Thank you to x-cart for the patch -- (for those of us using 4.1.7 that are not prepared to upgrade to 4.1.8 just yet)
__________________
xcart 4.5.4 gold+ w/x-payments 1.0.6; xcart gold 4.4.4
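The backup-then-replace-or-compare step from the install notes quoted above, as an added shell example (not code from the patch or from anyone in this thread). It assumes XCART_DIR is the store root, PATCH_DIR is the unpacked patch directory, and PRISTINE points at an unmodified include/login.php from the stock 4.1.7 distribution; the file names and the .patch-diff output name are my choices.

```shell
#!/bin/sh
# Added example, not part of the X-Cart patch or the thread: apply the patch's
# include/login.php only when the installed copy is unmodified, otherwise keep
# it and write a unified diff for manual merging, as the install notes require.
# Assumptions: XCART_DIR is the store root, PATCH_DIR is the unpacked patch,
# PRISTINE is an unmodified include/login.php from the stock 4.1.7 distribution.
XCART_DIR="${XCART_DIR:-/var/www/xcart}"
PATCH_DIR="${PATCH_DIR:-./security-patch-2007-06-20}"
PRISTINE="${PRISTINE:-./xcart-4.1.7-stock/include/login.php}"

# Returns 0 when the installed file is byte-identical to the stock 4.1.7 file.
login_is_unmodified() {
    cmp -s "$1" "$2"
}

# Timestamped backup next to the original; taken before any replacement.
backup_file() {
    cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"
}

# Prints "replaced" when the patched file was dropped in, or "manual-merge"
# when the installed login.php carries local changes (Remember Me, logout
# redirect, ...) and a diff was written to <file>.patch-diff instead.
apply_login_patch() {
    installed="$1/include/login.php"
    patched="$2/include/login.php"
    pristine="$3"
    [ -f "$installed" ] && [ -f "$patched" ] && [ -f "$pristine" ] || return 2
    backup_file "$installed"
    if login_is_unmodified "$installed" "$pristine"; then
        cp -p "$patched" "$installed"
        echo "replaced"
    else
        # diff exits 1 when the files differ, which is the expected case here
        diff -u "$installed" "$patched" > "$installed.patch-diff" || true
        echo "manual-merge"
    fi
}

# Usage: sh apply_login_patch.sh --apply   (after setting the variables above)
if [ "${1:-}" = "--apply" ]; then
    apply_login_patch "$XCART_DIR" "$PATCH_DIR" "$PRISTINE"
fi
```

With a hacked login.php the script never overwrites it; the backup and the .patch-diff file are what you merge from by hand.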
#2
Old 06-21-2007, 08:54 AM
Jon (X-Guru, Join Date: Oct 2002, Location: Vancouver, Canada, Posts: 4,200)

Re: security-patch-2007-06-20

Note that CDSEO by default does not modify login.php; only a custom hack in carpeperdiem's site does.
#3
Old 06-21-2007, 09:09 AM
carpeperdiem (X-Guru, Join Date: Jul 2006, Location: New York City, USA, Posts: 5,399)

Re: security-patch-2007-06-20

Jon,

What custom hack is that? Should I open a ticket? Did the "old" cdseo not get removed when you made this version 2?

Thanks

Jeremy
__________________
xcart 4.5.4 gold+ w/x-payments 1.0.6; xcart gold 4.4.4
#4
Old 06-21-2007, 10:00 AM
Jon (X-Guru, Join Date: Oct 2002, Location: Vancouver, Canada, Posts: 4,200)

Re: security-patch-2007-06-20

It was an issue with your site only. I'll PM you so as not to take this thread off topic.
#5
Old 06-21-2007, 11:22 AM
oates (Senior Member, Join Date: Apr 2006, Posts: 113)

Re: security-patch-2007-06-20

So just to be sure, it is only 4.1.7 that is affected, not previous 4.1's?

Thanks
__________________
X-CART 4.5.0
MySQL - 5.1.63
PHP 5.3.9
Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
Dedicated Cloud Server
#6
Old 06-21-2007, 03:35 PM
carpeperdiem (X-Guru, Join Date: Jul 2006, Location: New York City, USA, Posts: 5,399)

Re: security-patch-2007-06-20

Quote:
Originally Posted by Jon
It was an issue with your site only. I'll PM you so as not to take this thread off topic.

Thank you, Jon, for your help here... turns out we were able to remove all cdseo code from my login.php file

For anyone keeping score, it looks like there were changes to login.php since February 2007 (not documented in the changelog), and this negated the cdseo code required to do the "confirmation page at logout hack".

I installed this new security-patch-2007-06-20, added the "remember me" code, added a minor "logout redirect" hack, and all's fine.

Anyone who's hacked their login.php may want to revisit this file, since it appears x-cart made some undocumented improvements that allowed me to remove a bunch of unnecessary code. Thank you, I guess.
__________________
xcart 4.5.4 gold+ w/x-payments 1.0.6; xcart gold 4.4.4
#7
Old 06-26-2007, 11:42 AM
bigredseo (X-Man, Join Date: Oct 2002, Location: Omaha, NE, USA, Posts: 2,364)

Re: security-patch-2007-06-20

Just bringing up the previous posting:

Quote:
so just to be sure, it is only 4.1.7 affected, not previous 4.1's.

So, was this ONLY for 4.1.7 or all 4.1.x versions?
__________________
Conor Treacy - Big Red SEO - @bigredseo
Search Engine Optimization & Internet Marketing - We Bring Your Website Out Of Hiding!
If you can't be found on Google, Bing or Yahoo, you pretty much don't exist on the Internet.
Omaha SEO Office with National & Local SEO Services
Hourly Consulting - great for SEO Disaster Recovery, Audits and DIY Guidance
#8
Old 06-26-2007, 12:15 PM
carpeperdiem (X-Guru, Join Date: Jul 2006, Location: New York City, USA, Posts: 5,399)

Re: security-patch-2007-06-20

The way I read it, yes, for 4.1.7 only. Maybe x-cart can clarify?
__________________
xcart 4.5.4 gold+ w/x-payments 1.0.6; xcart gold 4.4.4
#9
Old 06-26-2007, 08:59 PM
Ene (X-Cart team, Join Date: Aug 2004, Posts: 907)

Re: security-patch-2007-06-20

Quote:
Originally Posted by carpeperdiem
The way I read it, yes, for 4.1.7 only. Maybe x-cart can clarify?

You're right.
This security patch is for 4.1.7 only.
__________________
Eugene Kaznacheev,
Evangelist/Product Manager at Ecwid: http://www.ecwid.com/ (since Sept 2009)

ex-Head of X-Cart Tech Support Department
ex- X-Cart Hosting Manager - X-Cart hosting
ex-X-Cart Technical Support Engineer


Note: For the official guaranteed tech support services please turn to the Customers HelpDesk.