Ecommand email "Critical Security Issue"

We have been sent this email from ecommand.co.uk

> We are reaching out to inform you about a critical security vulnerability detected in all CS-Cart versions 4.x.x, including 4.16.2. This issue has the potential to allow malicious users to upload and execute any PHP file on your server.
>
> While there have been no reported cases of exploitation, this issue will likely become widely known within weeks, and malicious actors may begin to target unpatched systems.
>
> Our Services Will Be in High Demand
>
> Due to the severity of this vulnerability, we expect a significant influx of requests for assistance. We will be working on a first-come-first-serve basis, so we highly recommend that you act promptly to secure your position.
>
> Recommended Action: Full Upgrade
>
> Our strong recommendation is a full upgrade to CS-Cart 4.16.2 SP1. This latest version resolves the vulnerability and offers the most robust protection.
>
> Alternative Action: Patch Installation
>
> If a full upgrade is not possible, we can install the “Security Fixes (August 2023) for 4.3.1 - 4.16.x” add-on as a temporary measure.
>
> Note for Earlier Versions:
>
> If you are using versions earlier than 4.3.1, you will need to upgrade to at least version 4.3.1 before applying the security patch.
>
> How to Proceed:
>
> To engage our services, please reply to this email or contact us directly at ecommand.co.uk. Specify your current CS-Cart version, and whether you prefer a full upgrade or patch installation.

Is this something the devs are aware of, or just ecommand trying to scam?

2 Likes

Greetings, ghiyas!

This is a legit email from CS-Cart, they sent it to all Partners, including Cart-Power.

There is an add-on security_patch_08_2023.zip available for download from this email which solves the issue for CS-Cart versions 4.3.1 - 4.16.x. More information is in the initial email.

Best regards,
Cart-Power

2 Likes

Where can I find the add-on patch? I didn’t receive any email, but I’m unsure if it was only sent to developers?

1 Like

Who is ecommand.co.uk and how did they get my email address, and presumably the email address of @ghiyas ?

1 Like

Yes, we received the email from E-Command as well, but there was no link to the patch. (Perhaps unsurprisingly, since they were offering their services to install it!)

Does downloading it require a current payment or subscription to CS Cart to download if we wish to install it ourselves?

My guess is that the actual changes required would involve relatively few lines of code or something that we don’t require that would be easily disabled.

The big issue, of course, is which lines.

  • Smich

Additional; the security patch they are referring to appears to be available via the file download area here:-

https://helpdesk.cs-cart.com/index.php?dispatch=filearea.manage&section=product_files

You’re looking for “add-on security_patch_08_2023.zip” via “Security Fixes (August 2023) for 4.3.1 - 4.16.x”

1 Like

Another question: they imply that a full upgrade is safer than just the patches - is that true?

Also if you have only one store is this urgent? I ask as the CS cart official email seems to say that the problem is mostly for the multivendor version…

I also wonder how they got my address - is CS cart selling our information?

Does CS cart approve of this mailing?

1 Like

For anyone reading this and wondering (as I was) the linked file is installed just like any other add-on (and will be automatically disabled upon upgrade to 14.7.1)

Yes, since patch is located inside CS-Cart HelpDesk

Yes the patch is from CS cart that was not my question.

Hi!

We have indeed released a security patch yesterday. You can either upgrade to version 4.16.2.SP1, or apply the security patch that @smich mentioned. We tried our best to make the installation as easy as an add-on.


Here’s a summary:

  • There is indeed a vulnerability. It is very important for Multi-Vendor owners to fix it. But if you use Store Builder, you still can — and probably should — apply the fix. Your store will be slightly safer for it.

  • So far, we have only announced the vulnerability through emails. Forum announcement will come soon as well.

  • If you haven’t received an email from CS-Cart, it could be because:

    • either you’re on an older version unaffected by this vulnerability,
    • or you unsubscribed from our emails in the past.
  • ecommand.co.uk are on our list of authorized resellers. But we (CS-Cart) usually announce security issues ourselves, to clients and partners alike, and at the same time. But we do not share your email addresses with resellers or partners.

    @kingsleypress, @ghiyas, my first guess is that e:command received our email and decided to take a proactive approach in warning their clients. If you never contacted them before, then I do not know how they have your email address. Anything I say on the matter would be speculation without any evidence.

    For example, I used to receive cold emails from companies that scrape sites all over the Internet, determine those built on platform X/Y/Z etc., find the contact emails, accumulate the data, and then offer spreadsheets like “X/Y/Z users in the United Kingdom”.

  • Our way to guarantee that the fix is legit is by placing it at https://helpdesk.cs-cart.com, in the “File area”. Just in case, our Help Desk recently got a makeover lately, so don’t be alarmed if it looks better than before :)

  • Speaking of “upgrading to latest version” vs “applying an add-on” (to answer @traveler’s question). I’m somewhat biased here — because the more people are using the latest version, the better it is for us. But there are pros and cons to both ways:

    • Upgrading to the latest version means you get all of the security fixes we’re aware of. It also provides smaller security improvements that don’t warrant a Service Pack or us bothering you with emails. And whenever we release a new fix, all you have to do is install an SP version.

    • Installing “Security Fixes” from Help Desk does solve the major security issues — those that can be easily exploited or pose a significant risk to your store or marketplace. This approach might be more appealing when you are on a rather old version and can’t commit to a full upgrade for the moment.

2 Likes

I would assume they’ve used a website like https://builtwith.com who can scrape data such as what platform a website is built with, and they sell that data too to get a list of CS-Cart websites in the UK

1 Like

P.S. We’ve just announced it at the forum as well:

2 Likes

I am not in the UK. I have no recollection of having any previous interactions with this company (ecommand.co.uk). I just don’t like it when companies try to trick me into buying their services which turns out to be something I can easily do by myself (upgrade to the Service Pack).

2 Likes

I feel the same: no previous interaction, and pushing for something that is not urgent if you don’t use multivendor or store builder.

Good to know that CS Cart does not sell our email addresses.

3 Likes