#21
Re: Security bulletin 2008-12-18
Wow, it's nice to see that this patch "doesn't have any 'hidden' impacts". </sarcasm>
__________________
Two Separate X-Cart Stores Version 4.4.4 Gold - X-AOM - Vivid Dreams Aquamarine (modified) - Linux Mods - Newest Products - View All -, and a few others. Numerous upgrades from 4.0.x series. Integrated with Stone Edge Order Manager + POS Version 4.1.12 Gold (fresh install) - X-AOM - Linux Mods - XCSEO free
#22
Re: Security bulletin 2008-12-18
I just followed the Jon method and upgraded without a problem; everything looks like it works well.
Cranko
__________________
4.1.11 X-Pro
#23
Re: Security bulletin 2008-12-18
Bah... after some testing I discovered some huge errors...
First one: now customers are unable to register; it always says: "ERROR Please make sure you properly filled in all the required fields!" But all fields are filled. Second... when you log in, the system redirects to non-secure http; this is unacceptable. So, no chance to apply the security patch; I just put in a ticket and am waiting for advice. So I'm still with my ass uncovered... Damn upgrades, too complicated and always lots of problems.
__________________
4.1.11 X-Pro
#24
Re: Security bulletin 2008-12-18
My new customers are registering without problems... I see that you are on 4.1.9. Did you apply the other security patches before applying this patch? From post #1:
__________________
X-Cart GoldPlus v4.7.12 | reBOOT (reDUX) Template v4.7.12.9 | Always The Best
#25
Re: Security bulletin 2008-12-18
And the previous patches cause all sorts of issues as mentioned in other threads - this just keeps getting compounded with each additional patch. Quite a nightmare.
__________________
Padraic Ryan Ryan Design Studio Professional E-Commerce Development
#26
Re: Security bulletin 2008-12-18
Applied the patch - all seems well, except that now I get an error at the top of the checkout screen (where customers enter their personal info):
Warning: Invalid argument supplied for foreach() in /home/vacsew/public_html/cart.php on line 509
Not sure where to start...
__________________
Carl Tice X-Cart 4.6.6 X-Payments 3.0 ReBOOT 3.4.1 PHP 5.6.30 MySQL 5.6.35 Linux 2.6.32-042stab120.18 ionCube PHP Loader v4.7.3 Perl 5.10.1
#27
Re: Security bulletin 2008-12-18
Just a note. I'm using 4.1.8 and am patched "up to date".
Yesterday and this morning we received a malicious attack. The hacker gained access via config.php and was able to use my server to send spam to 100,000s of people. He also uploaded files in the images folder, defaced the store front and removed the pricing file, replacing it with another file. Needless to say, this is very disappointing, especially since the newest patch was applied on the 18th. We have taken extraordinary measures to take care of the hole and remove the files, but this should not have happened... I have never been hacked before and find it odd that it happened within 24 hours or so after the patch.
__________________
X-Cart 4.1.11
#28
Re: Security bulletin 2008-12-18
Did the hacker get in via X-Cart or via FTP? Were your files and folders set to the correct permissions? Were your provider/ and admin/ directories password protected? Security patches only patch the software flaws, they don't secure the server and system for you - so you need to find out where the breach happened first.
__________________
Padraic Ryan Ryan Design Studio Professional E-Commerce Development
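An added example, not code from the thread or from X-Cart: a small POSIX shell audit that applies the server-side checks raised in the post above (file permissions, password-protected admin/ and provider/) plus the images/ upload check from post #27 to a store root. It assumes the standard X-Cart layout (config.php, admin/, provider/ and images/ directly under the store root) and that back-office directories are protected with an .htaccess file.

```shell
#!/bin/sh
# Added example, not X-Cart's own tooling: audit an X-Cart store root for the
# server-side checks raised in the thread. Assumes the standard layout, with
# config.php, admin/, provider/ and images/ directly under the store root.
# Usage: audit_xcart_root /path/to/store  -> prints findings, returns their count

# Succeed only if directory $1 has an .htaccess that demands HTTP authentication.
htaccess_protected() {
    [ -f "$1/.htaccess" ] && grep -qiE '^[[:space:]]*(AuthType|Require)' "$1/.htaccess"
}

audit_xcart_root() {
    root=$1
    findings=0

    # config.php holds the database credentials: "others" should have no access at all.
    if [ -f "$root/config.php" ]; then
        mode=$(stat -c '%a' "$root/config.php" 2>/dev/null || stat -f '%Lp' "$root/config.php")
        case "$mode" in
            *0) ;;                      # last octal digit 0: others have nothing
            *)  echo "config.php: others have access (mode $mode); expect 600 or 640"
                findings=$((findings + 1)) ;;
        esac
    else
        echo "config.php: not found under $root"
        findings=$((findings + 1))
    fi

    # Back-office directories should sit behind HTTP auth in addition to the application login.
    for d in admin provider; do
        if [ -d "$root/$d" ] && ! htaccess_protected "$root/$d"; then
            echo "$d/: no .htaccess requiring authentication"
            findings=$((findings + 1))
        fi
    done

    # images/ is an upload target; server-side scripts there are a red flag.
    if [ -d "$root/images" ]; then
        n=$(find "$root/images" -type f \( -name '*.php' -o -name '*.phtml' \) | wc -l | tr -d ' ')
        if [ "$n" -gt 0 ]; then
            echo "images/: $n PHP file(s) present; review and remove if unexpected"
            findings=$((findings + 1))
        fi
    fi

    return "$findings"
}

if [ $# -gt 0 ]; then audit_xcart_root "$1"; fi
```

The exit status equals the number of findings, so it drops straight into a cron job or a post-patch checklist.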
#29
Re: Security bulletin 2008-12-18
Yes, through X-Cart. Not via FTP. Yes, permissions were all set properly on those files. Yes, the admin directory is password protected.
I have [REMOVED by request of person mentioned in thread] managing all the patches on a regular basis. The breach happened from a hacker using a script he called through the config file. [edit] - sorry. I just wanted you to see what we are dealing with... in spite of the patch. I do go out of my way to secure my server/software... it's not something I take lightly. According to my system admin (not [REMOVED by request of person mentioned in thread], but my managed service team for my servers, who also manage the security)... "The config file is vulnerable to remote file inclusion and XSS. This allows the attacker to basically do anything unprivileged (not as root)."
__________________
X-Cart 4.1.11
#30
Re: Security bulletin 2008-12-18
Well don't post it! What was the permission set to on config.php?
__________________
Padraic Ryan Ryan Design Studio Professional E-Commerce Development
X-Cart forums © 2001-2020