#1
Security bulletin 2008-12-18
Dear X-Cart customers,
During internal audit activities we found several moderate security issues that make X-Cart potentially vulnerable to attackers who wish to gain access to the application back-end. The following security improvements have been included in this update:
- protection from unallowed access to the back-end using POST queries (formed in a special way) has been added.
- an extra protection level against SQL injections has been added.

SEVERITY: Moderate

IMPACT
A malicious user can gain access to the application back-end.

AFFECTED VERSIONS
All X-Cart versions from 4.1.0 to 4.1.11

SOLUTION
We strongly recommend that X-Cart users install the security fix available in the HelpDesk 'File Area'. Installation instructions can be found in the README.txt file attached to the .tgz archive. You can find the patch by the following path:
* For X-Cart 4.1.11 version: X-Cart -> X-Cart 4.1.11 (current version) -> Updates and patches
* For X-Cart 4.1.0 - 4.1.10 versions: X-Cart -> X-Cart supporting files for prev versions -> X-Cart 4.1 -> {Your X-Cart version} -> Updates and patches

If you are using X-Cart versions 4.1.0 - 4.1.10, before applying this security patch you *have to* apply all the previous security patches. You can find all the previous security patches in the "File area" section of the Support HelpDesk.
__________________
Eugene Kaznacheev, Evangelist/Product Manager at Ecwid: http://www.ecwid.com/ (since Sept 2009) ex-Head of X-Cart Tech Support Department ex- X-Cart Hosting Manager - X-Cart hosting ex-X-Cart Technical Support Engineer Note: For the official guaranteed tech support services please turn to the Customers HelpDesk.
#2
Re: Security bulletin 2008-12-18
I posted on the helpdesk, but figured I'd post it out here too.
What impact does this security breach play with the older versions of X-Cart (4.0.x)? A number of our customers have been asking about the security of those older platforms.
__________________
Conor Treacy - Big Red SEO - @bigredseo Search Engine Optimization & Internet Marketing - We Bring Your Website Out Of Hiding! If you can't be found on Google, Bing or Yahoo, you pretty much don't exist on the Internet. Omaha SEO Office with National & Local SEO Services Hourly Consulting - great for SEO Disaster Recovery, Audits and DIY Guidance
#3
Re: Security bulletin 2008-12-18
X-Cart Responded to my ticket to state that it ONLY affects the 4.1.x branch of the software and nothing changes with the 4.0.x branch. Good news for those that didn't upgrade!
I guess 4.2.x doesn't have this issue either.
__________________
Conor Treacy - Big Red SEO - @bigredseo Search Engine Optimization & Internet Marketing - We Bring Your Website Out Of Hiding! If you can't be found on Google, Bing or Yahoo, you pretty much don't exist on the Internet. Omaha SEO Office with National & Local SEO Services Hourly Consulting - great for SEO Disaster Recovery, Audits and DIY Guidance
#4
Re: Security bulletin 2008-12-18
Hi,
I have received an email from Qualiteam suggesting I install a patch, security-patch-2008-12-18_4.1.11.tgz. I have saved the patch and now I'd like to install it... but how? When I clicked on the file I received a message asking which program I wish to use to open a tgz file... Could someone please steer me in the right direction as to what to do? I am using version 4.1.11.
Many thanks and best regards,
Vicki
__________________
4.1.11
#5
Re: Security bulletin 2008-12-18
Quote:
AFFECTED VERSIONS All X-Cart versions from 4.1.0 to 4.1.11
__________________
Sincerely yours, Alex Mulin VP of Business Development for X-Cart X-Payments product manager
#6
Re: Security bulletin 2008-12-18
Hello again,
Sorry but I'm lost. How do I open the tgz file, please? Do I have to load a program that reads tgz files? Any info would be very much appreciated.
Thanks again, kind regards,
Vicki
__________________
4.1.11
#7
Re: Security bulletin 2008-12-18
Quote:
We use WinRAR to decompress tgz files. There is a 40 day free trial available for download here.
#8
Re: Security bulletin 2008-12-18
Hi and many thanks for the information.
I'll download that WinRAR and see how I go. Appreciate your very kind help and Merry Christmas for next week.
Kind regards,
Vicki
__________________
4.1.11
#9
Re: Security bulletin 2008-12-18
Ene,
Could you please clarify this vulnerability in more detail? I mean, how serious is it? And if my admin area is protected by an htaccess password, can it still be affected? I am asking you because I have not applied the last security patch, as I was facing this problem after the patch --> http://forum.x-cart.com/showthread.php?p=226043#post226043
__________________
X-Cart: 4.7.7 LIVE Skin: Ultra by xcartmods.co.uk X-cart Modules: ACR, Rich Google Search, Customer Testimonials, Cloud Search, Websitecm: CDSEO (2.1.9) --------------- Server: Linux php: 5.3 mysql: 5.0.89 ----------------
#10
Re: Security bulletin 2008-12-18
Quote:
Very serious.
Quote:
If your admin area is protected by an htaccess password, it will solve 80%-90% of possible issues. However, I strongly recommend applying this patch anyway.
__________________
Eugene Kaznacheev, Evangelist/Product Manager at Ecwid: http://www.ecwid.com/ (since Sept 2009) ex-Head of X-Cart Tech Support Department ex- X-Cart Hosting Manager - X-Cart hosting ex-X-Cart Technical Support Engineer Note: For the official guaranteed tech support services please turn to the Customers HelpDesk.
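As an added example (not from the bulletin and not posted by anyone in this thread), this is the kind of HTTP Basic Auth configuration the reply above refers to when it mentions an "htaccess password" on the admin area. It assumes an Apache web server with `.htaccess` overrides enabled for the directory (`AllowOverride AuthConfig`), that the back-end lives in a directory named `admin/` (an assumption; use your installation's actual back-end directory), and a password-file path that you choose yourself:

```apache
# Added example: require an HTTP Basic Auth login before any request reaches
# the store back-end. Save as <docroot>/admin/.htaccess (directory name assumed).
# The main Apache config must allow overrides here: AllowOverride AuthConfig

AuthType Basic
AuthName "Store administration"

# Keep the password file OUTSIDE the document root so it can never be served.
# Path is an assumption; create the file and first user with:
#   htpasswd -c /etc/apache2/xcart.htpasswd adminuser
# (add further users with the same command but without -c)
AuthUserFile /etc/apache2/xcart.htpasswd

# Only users listed in the password file get through; everyone else gets 401
# before the application code (including any vulnerable handler) runs.
Require valid-user
```

Because this check happens in the web server, it applies equally to GET and to specially formed POST requests, which is why the reply rates it as covering most of the exposure: an attacker without a valid Basic Auth login never reaches the application's back-end scripts. Two caveats a practitioner would want: Basic Auth sends the password base64-encoded (not encrypted) with every request, so the admin area should be served over HTTPS; and the protection only covers directories that carry the file, so any other back-end entry point needs the same `.htaccess`. As the reply says, this is a complement to the patch, not a replacement for it.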
X-Cart forums © 2001-2020