security bulletin - 3.3.0 up to 4.0.11

X-Cart forums > News and Announcements
#11  01-27-2005, 02:10 AM
rrf (X-Cart team, Join Date: Sep 2002, Posts: 543)

Quote:
Originally Posted by DanUK
Thanks Ruslan,

IMO, those examples don't sound too difficult for a hacker to do (correct me if I'm wrong). Hypothetically speaking, if someone wanted to target my store to steal the admin password, they could send an effective-looking spam email to a few thousand email addresses to get people to visit the store, e.g. with an attractive offer.

The fact that my server newsgroup mentioned this issue this morning says that the word on this vulnerability is spreading, so the more chance there is for an exploit. Like funkydunk, I'm also hoping there will be a fix for the 3.5.x file.

Thanks

Dan

Yes, but:

1) In order to send mass mail to your customers, one needs to know the e-mail addresses of your customers.
2) If your customers click just any link they receive, there is no need to create these complex hacking schemes. A hacker could just add a link to some site that exploits Internet Explorer vulnerabilities (or inject this code in an HTML e-mail) and thus simply install a trojan horse that would be able to steal any info from the customer, not just passwords for the store. And this will work with any web store.
__________________
Sincerely yours,
Ruslan R. Fazliev,
CEO

Twitter: @aznakai
#12  01-27-2005, 03:19 AM
svowl (X-Cart team, Join Date: Jan 2003, Posts: 937)

Quote:
Originally Posted by DanUK
I've tried to use the 3.5.x version of prepare.php on my 3.5.4 installation and all I get is "page cannot be displayed" after a few seconds. Hopefully this won't be a security update I have to pay to have done. Anyone else have problems?

May I suppose you didn't follow the recommendation to upgrade to 3.5.6 that we advised in the 'Security system upgrade for X-Cart' message (Help Desk, Apr 15 2004)?
The script prepare.php that is included in this update pack takes into account the improvements to the security system we made for the 3.5.x branch.
We can provide you with a separate prepare.php script that will suit 3.5.4; however, it will fix this CSS vulnerability but not the other, more serious security issues in your store. I highly recommend that you upgrade.
__________________
Vladimir Semyonov
Lead Software Engineer
#13  01-27-2005, 03:22 AM
funkydunk (X-Man, Join Date: Oct 2002, Location: Cambridge, UK, Posts: 2,210)

But according to the patch, the prepare.php would be suitable for all 3.5.x versions.
__________________
ex x-cart guru
#14  01-27-2005, 04:56 AM
ETInteractive.com (X-Adept, Join Date: Dec 2002, Posts: 747)

**except 3.5.6**

Gotta read the fine print.
__________________
ETInteractive.com
X-Cart 3.5.x
#15  01-27-2005, 05:46 AM
svowl (X-Cart team, Join Date: Jan 2003, Posts: 937)

File <xcart_security_fix_3.3.0-4.0.11_20050127.tgz> has been updated in the File area; please re-download it.
__________________
Vladimir Semyonov
Lead Software Engineer
#16  01-27-2005, 06:01 AM
DanUK (X-Adept, Join Date: Dec 2003, Location: UK, Posts: 800)

Hmmm, am I missing something? Upgrade to 3.5.6? I didn't know I had to do that! What's the security vulnerability in 3.5.4 then? I assume it's different from the release #20041221 security bulletin, the only one I've ever had.

Thanks

Dan
__________________
4.4.2 and 4.6.1
#17  01-27-2005, 06:17 AM
DanUK (X-Adept, Join Date: Dec 2003, Location: UK, Posts: 800)

Oh, I remember this... I did ask!

Quote:
Dear Dan,

> This 3.5.6 security upgrade is concerning me. We just paid you to upgrade our
> last version to 3.5.4 and incorporate the changes we have made so far. How
> different is 3.5.4 security to 3.5.6? I daren't try and patch it myself because
> of the changes we've had you do and I don't want to break it this late in the
> production stage. Please could you let me know if you think it is crucial to
> upgrade based on my current version.

All X-Cart versions 3.4.12-3.4.14 and 3.5.0-3.5.8 are secure enough.

As our message states, this is not an emergency security hotfix. We just announced that the latest versions (3.4.14 and 3.5.6-3.5.8) include some recommendations on security given by our experts.
__________________
4.4.2 and 4.6.1
#18  01-27-2005, 06:24 AM
funkydunk (X-Man, Join Date: Oct 2002, Location: Cambridge, UK, Posts: 2,210)

So the revision to the patch is what? To account for non-3.5.6+ users? Or to repair the redirection error issue?
__________________
ex x-cart guru
#19  01-27-2005, 06:30 AM
sstillwell@aerostich.com (eXpert, Join Date: Jun 2004, Location: Duluth, MN, Posts: 242)

In the alert the condition is specified as "Using IE".

So is this an IE flaw that we are patching X-Cart for, or does it per se also affect someone using Firefox?
__________________
No longer using Xcart, was good while it lasted.
#20  01-27-2005, 06:35 AM
john80y (X-Adept, Join Date: May 2003, Posts: 459)

I applied the patch on 3.5.11 with no side effects.
__________________
X-Cart 5.3.x