Fleety's Content

There have been 2 items by Fleety (Search limited from 21-Aug 18)

#184335 Re: Critical Security Vulnerability In Cs-Cart And Multi-Vendor 2.x.x To 4.1.2

Posted by Fleety on 27 May 2014 - 02:54 AM in Security

Good job on catching this exploit so quickly.

We got the email and indeed located the files.

The atos & hsbc php files and associated directories have been deleted as per the instructions, leaving only questions, the answers to which may be of interest to the community should they be answered.


1. What was the attack vector?
My working assumption is of course the atos and hsbc payment files we were instructed to delete. If this is correct, what was the behavior of those files that allowed infection?

2. How can we mitigate a repeat of the same exploit?
This may well be answered by a clear explanation of the first question, however, it is still a question worth asking pending a detailed description of the methodology used to exploit the attack vector.

3. To quote the email:
Summary
The update fixes a vulnerability that can result in a remote unauthenticated attacker executing arbitrary script in the context of the end-user's browser session.

What update is this referring to? I understand it to mean the fix of deleting the files. Is that correct?

Thanks to whoever has the time to answer,

Fleety



#181533 Important: Openssl Vulnerability May Exploit Your Store's Ssl

Posted by Fleety on 11 April 2014 - 08:16 AM in Security

Since it is only the 1.0.1 through 1.0.1f implementations of OpenSSL that are affected, in addition to using the websites already listed, you can double check which version your server is using this way:

Your admin panel > Administration > Database > phpinfo > ctrl + f (cmd + f for OS X users) type: openssl > enter

Your server's installed OpenSSL version number should show on the second or third entry depending on the setup.

It would be helpful if the CS-Cart team sent an email to their client database (as other software vendors have) to alert everyone to the issue and explain how to check, and if affected what to do. Many people in shared hosting environments need only contact their webhost and demand that they take immediate action.

CS-Cart isn't obligated to do this, but in the interest of reducing the obvious privacy/security risks to all netizens it's a quick, easy and responsible step to take.

It seems the media has jumped on Heartbleed, albeit in a sensational way. Hopefully all this focus on SSL will pave the way to better standards and help to educate average internet users on how important encryption is.

This forum isn't secured, that's why I've always worn my tin foil hat :)

Quick Edit: Here is a link to useful information: http://digital-foren...s-simulcast-etc

The second paragraph has a PDF (tested clean on virustotal) of a presentation by the security researcher "Malware Jack" that is clear, explicit and definitely worth reading by everyone here, especially people administering their own servers.
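Added example, not part of Fleety's post or of CS-Cart itself: a small Python check that applies the affected range the post states (OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g) to version strings of the kind phpinfo prints, so the phpinfo lookup described above can be automated across many stores. It goes slightly beyond the post in also treating the 1.0.2 beta as affected, which the OpenSSL project's own advisory listed; the phpinfo sample lines are constructed, not captured from a real server, and the function names are this example's own.

```python
import re

# Affected range as stated in the post: OpenSSL 1.0.1 through 1.0.1f; 1.0.1g shipped the fix.
# The OpenSSL advisory additionally listed the 1.0.2 beta as affected, handled below.
VULNERABLE_PATCH_LETTERS = "abcdef"

# Matches forms such as "OpenSSL 1.0.1e", "OpenSSL 1.0.1", "OpenSSL 1.0.2-beta1",
# "OpenSSL 1.0.1f-fips" and the "OpenSSL/0.9.8y" form curl reports.
VERSION_RE = re.compile(
    r"OpenSSL[\s/]+(\d+)\.(\d+)\.(\d+)([a-z]?)(-beta\d*)?", re.IGNORECASE
)


def parse_openssl_version(text):
    """Extract (major, minor, patch, letter, is_beta) from text such as one phpinfo
    line; returns None when no OpenSSL version string is present."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4).lower()
    is_beta = m.group(5) is not None
    return major, minor, patch, letter, is_beta


def is_heartbleed_affected(text):
    """True if the version falls in the affected range, False if outside it,
    None if no version could be parsed (treat None as 'go and check by hand')."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        return None
    major, minor, patch, letter, is_beta = parsed
    if (major, minor, patch) == (1, 0, 1):
        # bare 1.0.1 (and its betas) plus 1.0.1a..1.0.1f; 1.0.1g and later are fixed
        return letter == "" or letter in VULNERABLE_PATCH_LETTERS
    if (major, minor, patch) == (1, 0, 2):
        return is_beta  # only the 1.0.2 beta was affected; 1.0.2 final shipped fixed
    return False


def scan_phpinfo(text):
    """Return [(line, verdict)] for every line that carries an OpenSSL version."""
    results = []
    for line in text.splitlines():
        verdict = is_heartbleed_affected(line)
        if verdict is not None:
            results.append((line.strip(), verdict))
    return results


# Constructed sample of the kind of lines phpinfo() prints (not from a real server).
SAMPLE_PHPINFO = """\
OpenSSL support => enabled
OpenSSL Library Version => OpenSSL 1.0.1e 11 Feb 2013
OpenSSL Header Version => OpenSSL 1.0.1e 11 Feb 2013
curl => OpenSSL/0.9.8y
"""

if __name__ == "__main__":
    for line, affected in scan_phpinfo(SAMPLE_PHPINFO):
        print(("AFFECTED  " if affected else "ok        ") + line)
```

One caveat a practitioner would want: several distributions fixed Heartbleed by patching their existing 1.0.1e package rather than moving to 1.0.1g, so a version string alone can produce a false positive on a host that is already fixed. Treat a hit from this check as a prompt to confirm with the package's changelog or with your host, not as a final verdict.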