Security bulletin 2008-12-18

JWait · #11 12-19-2008, 06:10 AM

Is this patch going to have any surprise effects like the last two have? I am referring to the problem with user names and cookies, although this patch could have some other undesired effect. Anyway, is there something that is not said that we should be aware of about how this will affect our store?

Jon · #12 12-19-2008, 07:38 AM

What I do is put the new files in one directory, download the same files in another directory, then use a program called "Beyond Compare" to apply the changes to my files. This patch was one of the easier ones.

Ene · #13 12-19-2008, 07:44 AM

Quote:

Is this patch going to have any surprise effects like the last two have? I am referring to the problem with user names and cookies, although this patch could have some other undesired effect. Anyway, is there something that is not said that we should be aware of about how this will affect our store?

This patch adds a more stricy check of the sent variables (POST,GET,COOKIES, etc).

It doesn't have any 'hidden' impacts.

elmirage001 · #14 12-19-2008, 09:43 AM

Hi All,

I applied the security patch yesterday using Jon's method above to view the file changes. None of the affected files had been modified so it was an easy overwrite for me.

No problems to report or any user difficulties. New customers and orders processing just fine.

Merry Christmas To All !

Paul

p.s. Santa say's to always listen to Jon

photo · #15 12-19-2008, 02:10 PM

Eugene,
I have checked over the new files against my existing files and the only line of code I am questioning is in xcart/include/register.php

Existing Code:

Code:

if ((strcmp($uname_tmp, $uname) !=0) || (eregi("[^a-z0-9_-.@]",$uname) && $newbie == "Y" && $anonymous != "Y"))

New Code:

Code:

if ((strcmp($uname_tmp, $uname) != 0) || (!preg_match("/^[a-z0-9_-]+$/s", $uname) && $uname != ""))

Could you please advise if it is ok to leave the existing code? If I replace that line of code I am concerned that existing customers will not be able to login using upper case letters or @ in their login name/password fields.

Thanks

Jon · #16 12-19-2008, 02:15 PM

Try:

Code:

if ((strcmp($uname_tmp, $uname) != 0) || (!preg_match("/^[a-zA-Z0-9_-]+$/s", $uname) && $uname != ""))

photo · #17 12-19-2008, 02:23 PM

Quote:

Originally Posted by Jon

Try:

Code:

if ((strcmp($uname_tmp, $uname) != 0) || (!preg_match("/^[a-zA-Z0-9_-]+$/s", $uname) && $uname != ""))

Thanks Jon
Will users be able to have an @ in there username or password with the code you posted?

Jon · #18 12-19-2008, 02:54 PM

That was for upper case. To allow @ also try:

Code:

if ((strcmp($uname_tmp, $uname) != 0) || (!preg_match("/^[a-zA-Z0-9_-@]+$/s", $uname) && $uname != ""))

photo · #19 12-19-2008, 02:57 PM

Quote:

Originally Posted by Jon

That was for upper case. To allow @ also try:

Code:

if ((strcmp($uname_tmp, $uname) != 0) || (!preg_match("/^[a-zA-Z0-9_-@]+$/s", $uname) && $uname != ""))

Thanks a lot Jon, I'll try that out.

photo · #20 12-19-2008, 03:23 PM

Quote:

Originally Posted by Jon

That was for upper case. To allow @ also try:

Code:

if ((strcmp($uname_tmp, $uname) != 0) || (!preg_match("/^[a-zA-Z0-9_-@]+$/s", $uname) && $uname != ""))

Jon, that did not work. When I tried to create an account with
Username: Test@
Password: Test@61

I received the error message that only a-z and 0-9 could be used. I put back,

Code:

if ((strcmp($uname_tmp, $uname) !=0) || (eregi("[^a-z0-9_-.@]",$uname) && $newbie == "Y" && $anonymous != "Y"))

and was able to register with the same username/password combo.
I have the rest of the patch installed and if I leave that original line of code in everything seems to be working fine. I wonder if it would be safe to leave like that?