Security Vulnerability In CS-Cart 4.x.x

If you run CS-Cart 4.0.1 and newer, you could be affected. Hackers can gain access to your administration panel, if they know your admin script URL. If you didn’t rename your admin.php file after the installation, do it now.

I would feel a lot safer if my renamed admin wasn't STILL being sent to CS-Cart as part of license authentication.

By the way, I have uploaded the auth.pre.php

F#$K !!

The email advising me may have been a hoax.

It was installed for about 1 minute before I removed it again.

lol
Just realised that I had to download the fix from the real help desk.
Installed again but not sure of permissions.
Should they be 666 just like 'auth.php' is ???

Why this info is sent only by email and not in blog or here in forum ?

"renamed admin wasn't STILL being sent to CS-Cart as part of license authentication."

I thought they no longer did that after a certain version

Why this info is sent only by email and not in blog or here in forum ?

And why is it not in my upgrade area? They should do what it takes to rush it out, rent extra servers or whatever they need to do - simply make it happen - no excuses.

I would feel a lot safer if my renamed admin wasn't STILL being sent to CS-Cart as part of license authentication.

If you use one of the latest versions (4.3.4 or later) it is not sent. Here is the code.

'admin_uri' => str_replace(fn_get_index_script('A'), '',fn_url('', 'A', 'http')),

So don't worry about this.

And since 2014 we do not store any admin script names in Helpdesk, with no exceptions.

And why is it not in my upgrade area? They should do what it takes to rush it out, rent extra servers or whatever they need to do - simply make it happen - no excuses.

From the Upgrade area you can only get the upgrade to 4.3.9 - it will be there within the next 30 minutes.

The easiest way is to apply the patch - just upload auth.pre.php to the app/controllers/common folder.

From the Upgrade area you can only get the upgrade to 4.3.9 - it will be there within the next 30 minutes.

The easiest way is to apply the patch - just upload auth.pre.php to the app/controllers/common folder.

Yes, I looked for 4.3.9; it was not there, and it is getting late now (for me)... I will look again in 30 minutes.

Yes, I looked for 4.3.9; it was not there, and it is getting late now (for me)... I will look again in 30 minutes.

Traveler,

We've just enabled it.

Are the permissions for the patch 666?

I panicked when I didn't see https://www.cs-cart.com/helpdesk in the links, just some weird address starting http://sable.madmimi...

Why this info is sent only by email and not in blog or here in forum ?

I'm working on post for the forum right now. Email notification was the number one priority.

Are the permissions for the patch 666?

Permissions should be the same as for other PHP files in the same directory.

In a secure server configuration it is 644.

Here is some info on permissions: http://docs.cs-cart.com/4.3.x/install/useful_info/permissions.html

I know it says in the email that this is just for versions 4.X.X - but I'm just double checking, can you confirm older versions 2.X.X etc. are not affected by the flaw?
thanks

So all permissions for PHP files in /public_html/app/controllers/common should be 644?

Asking because some in my folder are not.

I know it says in the email that this is just for versions 4.X.X - but I'm just double checking, can you confirm older versions 2.X.X etc. are not affected by the flaw?
thanks

Yes, I confirm. 3.x.x & 2.x.x are not affected even if the hacker knows your admin URL.

So all permissions for PHP files in /public_html/app/controllers/common should be 644?

Asking because some in my folder are not.

I assume your answer would have been yes.

So all permissions for PHP files in /public_html/app/controllers/common should be 644?

Asking because some in my folder are not.

All PHP files should be 644.

But I would like to note that file permissions are not the issue here.

It is just the correct secure hosting practice for any web application.
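The permission advice above (every PHP file in the controllers folder at 644, as it would be in a secure hosting setup) can be checked and corrected with a short script after uploading a patch file. The following is an added example written for this thread, not CS-Cart code; the directory path in the usage line is a placeholder for the store's own document root.

```shell
#!/bin/sh
# Added example, not code from CS-Cart or from the thread above:
# audit the mode of PHP files under a directory and, if wanted, reset
# them to 644, as a post-patch check after uploading auth.pre.php.

# List .php files under $1 whose permission bits are not exactly 644.
# Exit status 0 when every file is 644, 1 when at least one is not.
check_php_perms() {
  bad=$(find "$1" -type f -name '*.php' ! -perm 644)
  if [ -n "$bad" ]; then
    printf '%s\n' "$bad"
    return 1
  fi
  return 0
}

# Set every .php file under $1 to 644 (owner read/write, everyone else read-only).
fix_php_perms() {
  find "$1" -type f -name '*.php' -exec chmod 644 {} +
}

# Usage (the path is a placeholder for the real store directory):
#   check_php_perms /path/to/store/app/controllers/common \
#     || fix_php_perms /path/to/store/app/controllers/common
```

Run `check_php_perms` first so the files that differ are printed before anything is changed; a file showing 666 after an upload is exactly the case the question in this thread is about.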

Thanks. Upgrade done

Thank you for the heads up, applied the patch to all my stores. Is the 4.3.9 upgrade only for this issue?

Joe

I don't see any patches when I log in. Is this for all versions? We're using Multi-Vendor.

Thank you for the heads up, applied the patch to all my stores. Is the 4.3.9 upgrade only for this issue?

Joe

4.3.9 also has some ordinary bugfixes. We will publish the changelog a bit later.