Security Vulnerability In CS-Cart 4.x.x

I don't see any patches when I log in. Is this for all versions? We're using multi vendor

Patch is in the "Update" folder of your file area. If you cannot find it, please PM me the email address you use to log in to Help desk.

For Multi-Vendor, some extra actions should be taken besides uploading auth.pre.php: you should modify the app/functions/fn.users.php file. Find this line:

$u_type = !empty($user_data['user_type']) ? $user_data['user_type'] : $current_user_data['user_type'];

And add after it the following code:

$auth_user_type = isset($_SESSION['auth']['user_type']) ? $_SESSION['auth']['user_type'] : null;

if ($u_type == 'A' && $auth_user_type != 'A') {
    return $current_u_type;
}

Sent you a PM.

Also, is there a more in-depth discussion of the nature of the vuln somewhere?

No, we won't discuss this for at least the next several days.

Tech details of the vulnerability can compromise stores which were not patched yet.

Can you answer this..

If access to the admin.php file is restricted by IP would that have helped mitigate the issue?

Hi imac

One question, because this is not clear to me from Paul's post.

Is it MV only or CS-Cart too?

Thanks

Fotis

My coworker and we worked out the help issue. Hopefully we can have two emails for an account.

No, we won't discuss this for at least the next several days.

Tech details of the vulnerability can compromise stores which were not patched yet.

I think if you look at the auth.pre.php patch it will be obvious. Definitely a scary one that needs to be patched ASAP as it looks easy to exploit.

Can you answer this..

If access to the admin.php file is restricted by IP would that have helped mitigate the issue?

If you trust anyone accessing your site from the IPs it's restricted to.

Hi imac

One question, because this is not clear to me from Paul's post.

Is it MV only or CS-Cart too?

Thanks

Fotis

Hi Fotis,

Both, Multi-Vendor and CS-Cart 4.x.x

I added an extra step for applying the patch in MVE (steps 3-5); see this post: http://forum.cs-cart.com/topic/45455-security-vulnerability-in-cs-cart-401-438/#entry254891

So in CS-Cart you should only add auth.pre.php files.

In Multi-Vendor you should add auth.pre.php and also edit fn.users.php file.

I think if you look at the auth.pre.php patch it will be obvious. Definitely a scary one that needs to be patched ASAP as it looks easy to exploit.

If you trust anyone accessing your site from the IPs it's restricted to.

I agree that this is not a tricky hack.

But we provide this patch only to owners of CS-Cart and Multi-Vendor licenses.

Just got it too. This confirms what I thought.

I've been planning on moving the admin backend to a different server that's more restricted for a while now to prevent this sort of thing.

We want to inform all our Hosted customers that we have applied the patch to all 4.x CS-Cart stores, so there is no need to worry about that anymore.

We only suggest checking all admin accounts for foreign emails, just in case.

Happy Selling

Regards

Fotis

I didn't get an email. Is there a mailing list? Lucky I had the forum subscribed.

Can you please give precise instructions for moving admin.php?

Please take a look

http://docs.cs-cart.com/4.3.x/install/security.html

So I am doing some log analysis to see if we were compromised.

From how I read the code, all the account creation data would go through a POST though, right? And it would have returned a valid HTTP response, I think? It's hard to test in my dev environment right now.

So I don't think there's a real way to see if a hack was attempted via logs. You can't rely on the admin accounts because someone who knew what they were doing would have deleted the account after they created it.

The best approach seems to be to just gather all the IPs people tried to access our admin file from and check them against known goods. If you changed the name and required https this should be reliable.

Any other suggestions?

We need to know how long ago this was first known to be used too so we know how far back to check.
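The IP review proposed in the post above, sketched as an added example that is not part of the original thread or of CS-Cart: it collects every client that requested the admin script and reports those outside a known-good list, with request and POST counts and first/last timestamps. It assumes Apache/nginx "combined" access logs; the function name, the allowlist and the sample lines are constructed for illustration, and a renamed admin script is passed in as `admin_script`.

```python
import ipaddress
import re
from collections import defaultdict

# Apache/nginx "combined" log line: client, timestamp, method, path, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jan/2024:10:01:00 +0000] "GET /admin.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:05:12 +0000] "GET /admin.php?foo=bar HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:05:40 +0000] "POST /admin.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    'truncated or malformed line',
]

def unknown_admin_clients(lines, admin_script, known_good):
    """Return {ip: summary} for clients that requested admin_script from an
    address outside every network listed in known_good (CIDR strings)."""
    nets = [ipaddress.ip_network(n) for n in known_good]
    hits = defaultdict(lambda: {"requests": 0, "posts": 0, "first": None, "last": None})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        # Compare the script name only: drop the query string and directories.
        script = m["path"].split("?", 1)[0].rsplit("/", 1)[-1]
        if script != admin_script:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # logged as a hostname, or malformed
        if any(ip in n for n in nets):
            continue  # known-good client
        rec = hits[m["ip"]]
        rec["requests"] += 1
        rec["posts"] += m["method"] == "POST"
        rec["first"] = rec["first"] or m["ts"]
        rec["last"] = m["ts"]
    return dict(hits)

if __name__ == "__main__":
    for ip, rec in unknown_admin_clients(SAMPLE_LOG, "admin.php", ["203.0.113.0/24"]).items():
        print(ip, rec)
```

An access log records the method, path and status but not the POST body, so the output is a list of addresses to review against known staff locations, not evidence of what a request did.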

I can't seem to upload the patch file. All the permissions for folders in the app directory are 755, the files in the folders are 644.

When I try to upload through my FTP (FlashFXP 5) I get permission denied. I tried through the File Manager in cPanel and I also get permission denied.

What can I do???

My guess would be that you have more of an 'ownership' issue versus a 'permission' issue. Your files/directories should be owned by the cpanel user and you should FTP into your site as the cpanel user (or other ftp user setup via cpanel).

But as I said the same problem exists when I log in to cPanel and try there. Incidentally, I am using the same log in with my ftp client as I use to log in to cpanel.

My server is a dedicated server and I have several web sites on it each one being an account with their own specific log in and password. I have no problems with any other software only cs-cart...no problems with other shopping cart software, forum software etc...

Can you create any other filenames in that directory using your filemanager (or ftp)? If your ownerships/permissions are correct there is no reason why you shouldn't be able to create that file with your file manager or ftp.

Since you are a dedicated server, there's a good chance that ownerships have gone awry. The most common occurrence I see is that 'root' ends up owning files or directories that should be owned by the cpanel user.