Follow us on Twitter X-Cart on Facebook Wiki
Shopping cart software Solutions for online shops and malls

POODLE vulnerability in SSLv3
 
Reply
   X-Cart forums > X-Payments > X-Payments issues & questions
 
Thread Tools
  #1  
Old 10-17-2014, 05:58 AM
  ambal's Avatar 
ambal ambal is offline
 

X-Cart team
  
Join Date: Sep 2002
Posts: 4,102
 

Exclamation POODLE vulnerability in SSLv3

Hi Everyone,

This part is for those who does use X-Payments:

----------------
As you may already know right after OpenSSL Heartblead vulnerability a new one has been found in SSL protocol - POODLE.

The POODLE vulnerability is a weakness in version 3 of the SSL protocol that allows an attacker in a man-in-the-middle context to decipher the plain text content of an SSLv3 encrypted message.

You can read more about POODLE at
https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-poodle-sslv3-vulnerability

Please note - this is NOT a vulnerability in X-Payments or X-Payments connector modules for X-Cart. This is a vulnerability in ciphering software used by almost any server in the Internet to establish secure connections.

What needs to be done:

1) X-Cart 4 users - apply xc4_xp_no_force_ssl3.diff patch to your X-Cart that will disable forced use of SSLv3 and enable automatic selection of TLS or SSL so if your hosting provider disabled SSLv3 support for your X-Payments installation your X-Cart will be able to connect with X-Payments using TLS.

Or you can download our new connectors for X-Cart 4 at
https://drive.google.com/a/x-cart.com/folderview?id=0B6p7sehSZL8_akhxR0VwQ0dta2M&usp=dri ve_web#list

They have been updated today to have the patch out of the box.

X-Cart 5 users - install the latest version of X-Payments connector available at the X-Cart 5 Marketplace.

2) make sure your server where you run X-Cart uses cURL v 7.18.1 or newer.
If you use X-Payments Enterprise/Downloadable license - check the same for your X-Payments server.

If your cURL is older - update it.
If you have no idea what is cURL - consult with your hosting admin.

And since I mentioned the OpenSSL Heartbleed - check your OpenSSL version - it should be at least 1.0.1g

--------------------

If you do not use X-Payments - go straight at http://forum.x-cart.com/showpost.php?p=379153&postcount=57
__________________
Sincerely yours,
Alex Mulin
VP of business development for X-Cart
X-Payments project manager

Last edited by ambal : 10-30-2014 at 05:29 AM.
Reply With Quote
  #2  
Old 10-17-2014, 06:04 AM
  cflsystems's Avatar 
cflsystems cflsystems is offline
 

Veteran
  
Join Date: Apr 2007
Posts: 13,484
 

Default Re: POODLE vulnerability in SSLv3

Where is the patch Alex?
__________________
Steve Stoyanov
CFLSystems.com
Web Development
Reply With Quote
  #3  
Old 10-17-2014, 06:07 AM
  ambal's Avatar 
ambal ambal is offline
 

X-Cart team
  
Join Date: Sep 2002
Posts: 4,102
 

Default Re: POODLE vulnerability in SSLv3

Quote:
Originally Posted by cflsystems
Where is the patch Alex?

In the original message, Steve.
__________________
Sincerely yours,
Alex Mulin
VP of business development for X-Cart
X-Payments project manager
Reply With Quote
  #4  
Old 10-17-2014, 06:08 AM
  cflsystems's Avatar 
cflsystems cflsystems is offline
 

Veteran
  
Join Date: Apr 2007
Posts: 13,484
 

Default Re: POODLE vulnerability in SSLv3

I guess you just changed the original message while I was typing It is different now

Thanks
__________________
Steve Stoyanov
CFLSystems.com
Web Development
Reply With Quote
  #5  
Old 10-17-2014, 06:11 AM
  ambal's Avatar 
ambal ambal is offline
 

X-Cart team
  
Join Date: Sep 2002
Posts: 4,102
 

Default Re: POODLE vulnerability in SSLv3

Quote:
Originally Posted by cflsystems
I guess you just changed the original message while I was typing It is different now

Thanks

Yep, I was typing this long message and forgot to attach the file, but I noticed that immediately after the post had been made and edited the message.
__________________
Sincerely yours,
Alex Mulin
VP of business development for X-Cart
X-Payments project manager
Reply With Quote
  #6  
Old 10-17-2014, 06:47 AM
  xcel's Avatar 
xcel xcel is offline
 

eXpert
  
Join Date: Nov 2008
Posts: 210
 

Default Re: POODLE vulnerability in SSLv3

Does this effect all XC users? If I'm not using X-Payments or X-Payments connector modules do I need to worry about this?
__________________
X-Cart Gold Plus 4.6.6

Altered Cart - Checkout One
Altered Cart - Checkout One Payments
Altered Cart - Cash Rewards
Altered Cart - On Sale

Smack Digital - CDSEO
Smack Digital - CDSEO Rich Snippets
Smack Digital - xCMS

The xCart Store - xBanners2

Star Plugins - Cloud Zoom

Heavily Customized by Starts Here Ltd. (UK)
Reply With Quote
  #7  
Old 10-17-2014, 06:47 AM
 
Mark N Mark N is offline
 

Senior Member
  
Join Date: Sep 2011
Posts: 121
 

Default Re: POODLE vulnerability in SSLv3

Can't seem to get this patch to apply - looks like the xpc_func.php I have is different - I haven't applied any customizations to this file but it doesn't appear to match what is in the diff - here is my version info of the file (running XC 4.6.3):

* @version 58ab7bdc89b3d4cd894ef7d853bcc6f0c4dcca6b, v101 (xcart_4_6_2), 2014-02-03 17:25:33, xpc_func.php, aim

I'm nervous about putting a new connector in place, have seen conflicting information about whether or not it supports X-Payments 1.0.6. Can you clarify Alex?

-Mark
__________________
X-Cart Gold Plus 4.6.5
Mods - WebsiteCM Dynamic Product Tabs, Smack Digital CDSEO Pro, AlteredCart Smart Search, AlteredCart One Page Checkout, Cart Works Power Filter, Firetank Software Feed Manager
Reply With Quote
  #8  
Old 10-17-2014, 06:57 AM
  ambal's Avatar 
ambal ambal is offline
 

X-Cart team
  
Join Date: Sep 2002
Posts: 4,102
 

Default Re: POODLE vulnerability in SSLv3

> Does this effect all XC users? If I'm not using X-Payments or X-Payments connector
> modules do I need to worry about this?

I would say the POODLE affects really everyone in the Internet. This is a bug in SSL v3 protocol. It is not X-Cart or X-Payments related only.
__________________
Sincerely yours,
Alex Mulin
VP of business development for X-Cart
X-Payments project manager
Reply With Quote
  #9  
Old 10-17-2014, 07:06 AM
  ambal's Avatar 
ambal ambal is offline
 

X-Cart team
  
Join Date: Sep 2002
Posts: 4,102
 

Default Re: POODLE vulnerability in SSLv3

Mark,

Quote:
Originally Posted by Mark N
Can't seem to get this patch to apply - looks like the xpc_func.php I have is different - I haven't applied any customizations to this file but it doesn't appear to match what is in the diff - here is my version info of the file (running XC 4.6.3):

* @version 58ab7bdc89b3d4cd894ef7d853bcc6f0c4dcca6b, v101 (xcart_4_6_2), 2014-02-03 17:25:33, xpc_func.php, aim


In order to make the change manually in file
modules/XPayments_Connector/xpc_func.php

find a line of code
curl_setopt($ch, CURLOPT_SSLVERSION, 3);

and remove it.

If you see near the above line of code this:
curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'DEFAULT');
remove this, too.

Quote:
Originally Posted by Mark N
I'm nervous about putting a new connector in place, have seen conflicting information about whether or not it supports X-Payments 1.0.6. Can you clarify Alex?

It does support v1.0.6 but only for credit card processing. Anyways, we always recommend to test new modules before letting them go live. E.g. on a test server.
__________________
Sincerely yours,
Alex Mulin
VP of business development for X-Cart
X-Payments project manager
Reply With Quote
  #10  
Old 10-17-2014, 07:19 AM
 
Mark N Mark N is offline
 

Senior Member
  
Join Date: Sep 2011
Posts: 121
 

Default Re: POODLE vulnerability in SSLv3

Thanks for the quick response - made the changes suggested and tested after disabling SSLv3, all looks good now. Will test out the new connector - when you say "It does support v1.0.6 but only for credit card processing.", what does it not support exactly?
__________________
X-Cart Gold Plus 4.6.5
Mods - WebsiteCM Dynamic Product Tabs, Smack Digital CDSEO Pro, AlteredCart Smart Search, AlteredCart One Page Checkout, Cart Works Power Filter, Firetank Software Feed Manager
Reply With Quote
Reply
   X-Cart forums > X-Payments > X-Payments issues & questions


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT -8. The time now is 03:38 AM.

   

 
X-Cart forums © 2001-2018