Follow us on Twitter X-Cart on Facebook Wiki
Shopping cart software Solutions for online shops and malls

Security bulletin 4 Aug 2009

 
Reply
   X-Cart forums > News and Announcements
 
Thread Tools
  #1  
Old 08-04-2009, 06:00 AM
  Ene's Avatar 
Ene Ene is offline
 

X-Cart team
  
Join Date: Aug 2004
Posts: 907
 

Default Security bulletin 4 Aug 2009

During internal audit activities we found a moderate security issue that makes X-Cart potentially
vulnerable to attackers who wish to gain access to the application back-end.

The following security improvement has been included into this update:
- protection from XSS attacks.

SEVERITY:
Moderate

IMPACT
Malicious users may inject an active content (for instance: JavaScript) into the application to fool users in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user.

AFFECTED VERSIONS
All X-Cart versions

SOLUTION
We strongly recommend you to apply the security fix to secure your store.

To apply this patch, follow the instructions below:

1) Download the security patch (the security-patch-2009-08-04_***.tgz archive file, e.g. security-patch-2009-08-04_4.2.2.tgz) from the "File area" section of your HelpDesk account.

You can find the patch by the following path:
* For X-Cart 4.2.2 version:
X-Cart -> X-Cart 4.2.2 (current version) -> Updates and patches

* For all the other versions:
X-Cart -> X-Cart supporting files for prev versions -> {Your X-Cart branch} -> {Your X-Cart version} -> Updates and patches

2) Decompress the archive file.
The following folders will be extracted:
/DIFF-xcart - contains DIFF files to patch customized X-Cart files
/xcart - contains the X-Cart files with fixed vulnerability.

Note:
DIFF file is a file containing the difference between two files. In our case the DIFF file contains changes made to the current file by comparing it to a former version of the same file.

There are 2 ways to install the patch:
a) place the fixed files over the current ones;
b) manual installation using DIFF files.

3) Back up the corresponding files in your X-Cart before patching the store.

4) If the files from the xcart directory are not modified in your X-Cart, you may use the first method of applying the patch. This
way the files from the patch will overwrite the same files in your X-Cart.
You should copy the files from the patch into your X-Cart installation via FTP or another tool that you
usually use to manage files on your web-server. The copied files will replace the original ones that contain
the vulnerability, thus it will be fixed.

NOTE: The patch will overwrite the files completely, i.e. they will become default. If you made any
changes or customizations to the files, make sure you re-implement the changes after the patch has been
applied, or just install the patch manually.

5) If the files have been modified, it is recommended to apply the patch manually using DIFF files. This way you
will keep your modifications intact. To learn about this installation method, please follow an article from
the Helpdesk FAQs at
https://secure.qtmsoft.com/customer.php?area=info&target=view_faq_question&su bject=1073741899

ATTN: In case you are running X-Cart 3.3.x and earlier, please contact our tech support directly. They will provide you with a free patch for your particular version.

If you face any problems during or after the installation, feel free to contact our support team for help.

Please note: all the issues fixed by the current patch have already been corrected in the newest X-Cart 4.3.0 version.
__________________
Eugene Kaznacheev,
Evangelist/Product Manager at Ecwid: http://www.ecwid.com/ (since Sept 2009)

ex-Head of X-Cart Tech Support Department
ex- X-Cart Hosting Manager - X-Cart hosting
ex-X-Cart Technical Support Engineer


Note: For the official guaranteed tech support services please turn to the Customers HelpDesk.
Reply With Quote
  #2  
Old 08-04-2009, 06:03 AM
  ambal's Avatar 
ambal ambal is offline
 

X-Cart team
  
Join Date: Sep 2002
Posts: 4,115
 

Default Re: Security bulletin 4 Aug 2009

Hi guys,

I closed News&Announcements for anonymous access for a while.
Un-registered visitors are not able to see this announcement.
__________________
Sincerely yours,
Alex Mulin
VP of Business Development for X-Cart
X-Payments product manager
Reply With Quote
  #3  
Old 08-04-2009, 06:21 AM
 
carpeperdiem carpeperdiem is offline
 

X-Guru
  
Join Date: Jul 2006
Location: New York City, USA
Posts: 5,399
 

Default Re: Security bulletin 4 Aug 2009

Eugene,

Since this patch only affects one file (at least for version 4.1.9):

/skin1/modules/Advanced_Statistics/advanced_stats.tpl

If Advanced Stats were disabled, was there ever a vulnerability?

I've had a few xcart users ask me this...

Thanks.

Jeremy
__________________
xcart 4.5.4 gold+ w/x-payments 1.0.6; xcart gold 4.4.4
Reply With Quote
  #4  
Old 08-04-2009, 06:55 AM
  Ene's Avatar 
Ene Ene is offline
 

X-Cart team
  
Join Date: Aug 2004
Posts: 907
 

Default Re: Security bulletin 4 Aug 2009

Quote:
Since this patch only affects one file (at least for version 4.1.9):

/skin1/modules/Advanced_Statistics/advanced_stats.tpl

The patch for all versions affects this file only.

Quote:
If Advanced Stats were disabled, was there ever a vulnerability?

No. If the Advanced Stats module is disabled and you don't use it, you are safe. However you may be in danger if you enable it later.
__________________
Eugene Kaznacheev,
Evangelist/Product Manager at Ecwid: http://www.ecwid.com/ (since Sept 2009)

ex-Head of X-Cart Tech Support Department
ex- X-Cart Hosting Manager - X-Cart hosting
ex-X-Cart Technical Support Engineer


Note: For the official guaranteed tech support services please turn to the Customers HelpDesk.
Reply With Quote

The following 2 users thank Ene for this useful post:
am2003 (08-06-2009), carpeperdiem (08-04-2009)
  #5  
Old 08-04-2009, 07:18 AM
 
geckoday geckoday is offline
 

X-Wizard
  
Join Date: Aug 2005
Posts: 1,073
 

Default Re: Security bulletin 4 Aug 2009

I have spot checked a couple of versions and all are the same one file patch and all require advanced stats to be turned on to include the patched tpl so there is no vulnerability if advanced stats is turned off. OTOH, PCI-DSS requires applying vendor security patches within 30 days of release. This patch is so simple its not going to conflict with most any stores mods so just apply it and be done with it.
__________________
Manuka Bay Company
X-Cart Version 4.0.19 [Linux]

UGG Boots and other fine sheepskin products
http://www.snowriver.com
Reply With Quote
  #6  
Old 08-06-2009, 04:59 PM
 
MBA MBA is offline
 

eXpert
  
Join Date: Apr 2006
Posts: 245
 

Default Re: Security bulletin 4 Aug 2009

Can you guys email these out? Maybe have us opt-in for security updates or marketing updates or something? Thanks.
__________________
xCart Pro Version 4.0.17, 4.0.19, 4.1.8, 4.1.10, 4.1.11, 4.1.12 - retired
xCart Pro Version 4.3.1 - production
xCart Pro Version 4.5.1 - testing
RHEL Platform
Reply With Quote
  #7  
Old 08-06-2009, 05:17 PM
  cflsystems's Avatar 
cflsystems cflsystems is offline
 

Veteran
  
Join Date: Apr 2007
Posts: 14,026
 

Default Re: Security bulletin 4 Aug 2009

You can do that in your forum profile
__________________
Steve Stoyanov
CFLSystems.com
Web Development
Reply With Quote
  #8  
Old 08-07-2009, 12:09 AM
  Ene's Avatar 
Ene Ene is offline
 

X-Cart team
  
Join Date: Aug 2004
Posts: 907
 

Default Re: Security bulletin 4 Aug 2009

Quote:
Can you guys email these out? Maybe have us opt-in for security updates or marketing updates or something? Thanks.

The email was sent to all our clients who subscribed for the 'Security alerts and advisory' newsletter.


(We sent it via Mailchimp. Thank you carpeperdiem, you were right and it is a great tool)
__________________
Eugene Kaznacheev,
Evangelist/Product Manager at Ecwid: http://www.ecwid.com/ (since Sept 2009)

ex-Head of X-Cart Tech Support Department
ex- X-Cart Hosting Manager - X-Cart hosting
ex-X-Cart Technical Support Engineer


Note: For the official guaranteed tech support services please turn to the Customers HelpDesk.
Reply With Quote
  #9  
Old 08-25-2009, 10:49 AM
 
swifty1 swifty1 is offline
 

eXpert
  
Join Date: Aug 2008
Location: UK
Posts: 327
 

Default Re: Security bulletin 4 Aug 2009

Hi Ene

Quote:
The email was sent to all our clients who subscribed for the 'Security alerts and advisory' newsletter.

Where do i do this?



Thanks for the detailed description on how to apply the patch.
I have applied the patch to my site how do i check to make sure that all is well with my site?
__________________
4.1.11 gold
x-special offers
CDSEO Pro
Reply With Quote
  #10  
Old 08-26-2009, 12:59 AM
  Ene's Avatar 
Ene Ene is offline
 

X-Cart team
  
Join Date: Aug 2004
Posts: 907
 

Default Re: Security bulletin 4 Aug 2009

Quote:
Where do i do this?

Please enter your HelpDesk area and go to the 'Manage accounts -> Edit self profile' page.

Quote:
I have applied the patch to my site how do i check to make sure that all is well with my site?

Have you meant checking if the store is functioning correctly or if the security issue is solved?
__________________
Eugene Kaznacheev,
Evangelist/Product Manager at Ecwid: http://www.ecwid.com/ (since Sept 2009)

ex-Head of X-Cart Tech Support Department
ex- X-Cart Hosting Manager - X-Cart hosting
ex-X-Cart Technical Support Engineer


Note: For the official guaranteed tech support services please turn to the Customers HelpDesk.
Reply With Quote
Reply
   X-Cart forums > News and Announcements


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT -8. The time now is 08:50 PM.

   

 
X-Cart forums © 2001-2020