Shopping cart software Solutions for online shops and malls
#11
Re: Security bulletin 2008-12-18
Is this patch going to have any surprise effects like the last two have? I am referring to the problem with user names and cookies, although this patch could have some other undesired effect. Anyway, is there something that is not said that we should be aware of about how this will affect our store?
__________________
Two Separate X-Cart Stores Version 4.4.4 Gold - X-AOM - Vivid Dreams Aquamarine (modified) - Linux Mods - Newest Products - View All -, and a few others. Numerous upgrades from 4.0.x series. Integrated with Stone Edge Order Manager + POS Version 4.1.12 Gold (fresh install) - X-AOM - Linux Mods - XCSEO free
#12
Re: Security bulletin 2008-12-18
What I do is put the new files in one directory, download the same files in another directory, then use a program called "Beyond Compare" to apply the changes to my files. This patch was one of the easier ones.
#13
Re: Security bulletin 2008-12-18
Quote:
This patch adds a more strict check of the sent variables (POST, GET, COOKIES, etc). It doesn't have any 'hidden' impacts.
__________________
Eugene Kaznacheev, Evangelist/Product Manager at Ecwid: http://www.ecwid.com/ (since Sept 2009)
ex-Head of X-Cart Tech Support Department
ex-X-Cart Hosting Manager - X-Cart hosting
ex-X-Cart Technical Support Engineer
Note: For the official guaranteed tech support services please turn to the Customers HelpDesk.
#14
Re: Security bulletin 2008-12-18
Hi All,
I applied the security patch yesterday using Jon's method above to view the file changes. None of the affected files had been modified so it was an easy overwrite for me. No problems to report or any user difficulties. New customers and orders processing just fine.
Merry Christmas To All!
Paul
p.s. Santa says to always listen to Jon
__________________
X-Cart GoldPlus v4.7.12 | reBOOT (reDUX) Template v4.7.12.9 | Always The Best
#15
Re: Security bulletin 2008-12-18
Eugene,
I have checked over the new files against my existing files, and the only line of code I am questioning is in xcart/include/register.php.
Existing Code:
Code:
Code:
Could you please advise if it is ok to leave the existing code? If I replace that line of code I am concerned that existing customers will not be able to login using upper case letters or @ in their login name/password fields. Thanks
#16
Re: Security bulletin 2008-12-18
Try:
Code:
#17
Re: Security bulletin 2008-12-18
Quote:
Thanks Jon. Will users be able to have an @ in their username or password with the code you posted?
#18
Re: Security bulletin 2008-12-18
That was for upper case. To allow @ also try:
Code:
#19
Re: Security bulletin 2008-12-18
Quote:
Thanks a lot Jon, I'll try that out.
#20
Re: Security bulletin 2008-12-18
Quote:
Jon, that did not work. When I tried to create an account with Username: Test@ Password: Test@61, I received the error message that only a-z and 0-9 could be used. I put back,
Code:
I have the rest of the patch installed and if I leave that original line of code in everything seems to be working fine. I wonder if it would be safe to leave like that?
X-Cart forums © 2001-2020