
Security bulletin 2008-12-18

 
X-Cart forums > News and Announcements
#21
12-20-2008, 05:14 AM
JWait (X-Man; joined Nov 2005; California; 2,440 posts)

Re: Security bulletin 2008-12-18

Wow, it's nice to see that this patch "doesn't have any 'hidden' impacts." </sarcasm>
__________________
Two Separate X-Cart Stores
Version 4.4.4 Gold - X-AOM - Vivid Dreams Aquamarine (modified) - Linux
Mods - Newest Products - View All -, and a few others. Numerous upgrades from 4.0.x series.
Integrated with Stone Edge Order Manager + POS

Version 4.1.12 Gold (fresh install) - X-AOM - Linux
Mods - XCSEO free
#22
12-20-2008, 04:19 PM
crankez (Newbie; joined Feb 2007; 6 posts)

Re: Security bulletin 2008-12-18

I just followed the Jon method and upgraded without a problem; everything looks like it works well.

Cranko
__________________
4.1.11 X-Pro
#23
12-21-2008, 03:10 AM
crankez (Newbie; joined Feb 2007; 6 posts)

Re: Security bulletin 2008-12-18

Bah... after some testing I discovered some huge errors...

First one: now customers are unable to register; it always says:

---
- ERROR
Please make sure you properly filled in all the required fields!
---

But all fields are filled.

Second... when you log in, the system redirects to non-secure HTTP; this is unacceptable.

So, no chance to apply the security patch; I just put in a ticket and am waiting for advice.

So I'm still with my ass uncovered...

Damn upgrades, too complicated and always lots of problems.
__________________
4.1.11 X-Pro
#24
12-21-2008, 08:31 AM
elmirage001 (X-Wizard; joined Apr 2007; 1,964 posts)

Re: Security bulletin 2008-12-18

Quote:
Originally Posted by crankez
[post #23, quoted in full]

My new customers are registering without problems... I see that you are on 4.1.9
Did you apply the other security patches before applying this patch?

From post #1
Quote:
You can find the patch by the following path:
* For X-Cart 4.1.11 version:
X-Cart -> X-Cart 4.1.11 (current version) -> Updates and patches

* For X-Cart 4.1.0 - 4.1.10 versions:
X-Cart -> X-Cart supporting files for prev versions -> X-Cart 4.1 -> {Your X-Cart version} -> Updates and patches

If you are using X-Cart versions 4.1.0 - 4.1.10, before applying this security patch you *have to* apply all the previous security patches.
You can find all the previous security patches in the "File area" section of the Support HelpDesk.
__________________
X-Cart GoldPlus v4.7.12 | reBOOT (reDUX) Template v4.7.12.9 | Always The Best
#25
12-21-2008, 08:33 AM
balinor (Veteran; joined Oct 2003; Connecticut, USA; 30,253 posts)

Re: Security bulletin 2008-12-18

And the previous patches cause all sorts of issues as mentioned in other threads - this just keeps getting compounded with each additional patch. Quite a nightmare.
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development
#26
12-21-2008, 09:25 AM
Vacman (X-Adept; joined Sep 2005; Torrance, CA; 792 posts)

Re: Security bulletin 2008-12-18

Applied the patch - all seems well, except that now I get an error at the top of the checkout screen (where customers enter their personal info):

Warning: Invalid argument supplied for foreach() in /home/vacsew/public_html/cart.php on line 509

Not sure where to start...
__________________
Carl Tice

X-Cart 4.6.6
X-Payments 3.0
ReBOOT 3.4.1

PHP 5.6.30
MySQL 5.6.35
Linux 2.6.32-042stab120.18
ionCube PHP Loader v4.7.3
Perl 5.10.1
#27
12-21-2008, 11:30 AM
KathyHS (Senior Member; joined Nov 2003; 143 posts)

Re: Security bulletin 2008-12-18

Just a note. I'm using 4.1.8 and am patched "up to date".

Yesterday and this morning we received a malicious attack. The hacker gained access via config.php and was able to use my server to send spam to hundreds of thousands of people. He also uploaded files in the images folder, defaced the storefront and removed the pricing file, replacing it with another file.

Needless to say, this is very disappointing, especially since the newest patch was applied on the 18th.

We have taken extraordinary measures to take care of the hole and remove the files but this should not have happened...

I have never been hacked before and find it odd that it happened within 24 hours or so after the patch.
__________________
X-Cart 4.1.11
#28
12-21-2008, 11:35 AM
balinor (Veteran; joined Oct 2003; Connecticut, USA; 30,253 posts)

Re: Security bulletin 2008-12-18

Did the hacker get in via X-Cart or via FTP? Were your files and folders set to the correct permissions? Were your provider/ and admin/ directories password protected? Security patches only patch the software flaws; they don't secure the server and system for you, so you need to find out where the breach happened first.
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development
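A quick way to answer the three questions in the post above on a Linux/Apache host, added here as an example and not taken from this thread or from X-Cart. It assumes the X-Cart root is passed as the first argument and that admin/ and provider/ are protected by an Apache .htaccess carrying AuthType and Require lines (one common setup; a host that does it in httpd.conf needs a different check). It treats config.php as bad only when group or other can write it, because what counts as a safe read mode depends on whether PHP runs as your own account or as the shared web-server user.

```shell
#!/bin/sh
# Added example, not from the thread or from X-Cart: audit the three things
# balinor asks about. Assumes $1 is the X-Cart root and that admin/ and
# provider/ use an Apache .htaccess with AuthType/Require (hypothetical layout).

# Fail if config.php is missing or writable by group/other: any other local
# account, or a compromised PHP process running as another user, could then
# rewrite the DB credentials or the paths it includes.
check_config_perms() {
    f="$1/config.php"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")   # GNU stat, then BSD stat
    [ -n "$mode" ] || { echo "cannot stat $f"; return 1; }
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "config.php mode $mode is group/world-writable"
        return 1
    fi
    return 0
}

# Succeed only if $1/$2/.htaccess turns on HTTP auth and restricts who may pass.
check_dir_auth() {
    d="$1/$2"
    [ -d "$d" ] || { echo "missing dir: $d"; return 1; }
    grep -qs '^[[:space:]]*AuthType' "$d/.htaccess" &&
        grep -qs '^[[:space:]]*[Rr]equire' "$d/.htaccess"
}

# World-writable files are where uploaded shells and defacements land
# (the images/ folder in KathyHS's case); print each one.
list_world_writable() {
    find "$1" -type f -perm -0002 -print
}

# Run every check; return 0 only if all of them pass.
audit_xcart() {
    root="$1"; rc=0
    check_config_perms "$root" || rc=1
    for d in admin provider; do
        check_dir_auth "$root" "$d" || { echo "$d/ is not password protected"; rc=1; }
    done
    ww=$(list_world_writable "$root")
    if [ -n "$ww" ]; then
        echo "world-writable files:"; echo "$ww"; rc=1
    fi
    return $rc
}

# Usage: sh audit.sh /path/to/xcart
if [ -n "${1:-}" ]; then
    audit_xcart "$1"
fi
```

A non-zero exit means at least one check failed, and the printed lines say which. It only tells you whether the doors listed above are closed, not whether someone has already walked through them.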
#29
12-21-2008, 11:39 AM
KathyHS (Senior Member; joined Nov 2003; 143 posts)

Re: Security bulletin 2008-12-18

Yes, through X-Cart, not via FTP. Yes, permissions were all set properly on those files. Yes, the admin directory is password protected.

I have [REMOVED by request of person mentioned in thread] managing all the patches on a regular basis. The breach happened from a hacker using a script he called through the config file.

[edit] - sorry. I just wanted you to see what we are dealing with... in spite of the patch. I do go out of my way to secure my server/software; it's not something I take lightly.

According to my system admin (not [REMOVED by request of person mentioned in thread], but my managed service team for my servers, who also manage the security)...

"The config file is vulnerable to remote file inclusion and XSS. This allows the attacker to basically do anything unprivileged (not as root)."
__________________
X-Cart 4.1.11
#30
12-21-2008, 11:41 AM
balinor (Veteran; joined Oct 2003; Connecticut, USA; 30,253 posts)

Re: Security bulletin 2008-12-18

Well don't post it! What was the permission set to on config.php?
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development
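The thread never says what the attacker actually requested, so here, as an added example that is not from the thread and not X-Cart code, is the first-pass triage a practitioner would run against the symptoms KathyHS reports: an inclusion through a PHP script, files dropped into images/, and a spam run from the box. It assumes an Apache combined-format access log and the X-Cart root on disk; the script and parameter names it turns up are whatever the attacker used, and nothing in it presumes a specific flaw in config.php.

```shell
#!/bin/sh
# Added example, not from the thread or from X-Cart: triage for an RFI-style
# break-in followed by uploads into images/. Assumes an Apache combined-format
# access log (log functions) and the X-Cart root on disk (file-system functions).

# Requests that hand a URL to a query parameter (?x=http://host/shell.txt?),
# plain or percent-encoded: the shape of a remote-file-inclusion attempt
# against PHP that does include($user_controlled).
find_rfi_requests() {
    grep -Ei '[?&][a-z0-9_]+=(https?|ftp)(%3a|:)(%2f|/)' "$1"
}

# Distinct client addresses behind those hits, for blocking and for lining up
# against the mail queue (the spam run) and the FTP log.
rfi_source_ips() {
    find_rfi_requests "$1" | awk '{ print $1 }' | sort -u
}

# Executable scripts under images/ do not belong there; uploaded web shells do.
find_scripts_in_images() {
    find "$1/images" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php?' \) -print
}

# Files changed in the last N days: diff these against a clean copy of the
# same X-Cart version plus your own known modifications.
recently_modified() {
    find "$1" -type f -mtime -"$2" -print
}

# Usage: sh triage.sh access.log /path/to/xcart [days]
if [ $# -ge 2 ]; then
    echo "== RFI-shaped requests";           find_rfi_requests "$1"
    echo "== source IPs";                    rfi_source_ips "$1"
    echo "== scripts under images/";         find_scripts_in_images "$2"
    echo "== modified in last ${3:-3} days"; recently_modified "$2" "${3:-3}"
fi
```

Each hit from find_rfi_requests carries a timestamp and a source address to correlate with the other logs; anything find_scripts_in_images returns should come off the server (keep a copy offline for analysis) before the store goes back up.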
All times are GMT -8.

X-Cart forums © 2001-2020