Hello. Our security audit revealed a few issues of various severity that affect all 4.x.x versions of CS-Cart and Multi-Vendor, including the latest version 4.7.1. It is vital that all store owners are aware of this problem and address it as soon as possible. One of the issues was found by our reseller, and the rest were discovered in house (by our own specialists). To our knowledge, the vulnerabilities haven’t been exploited.
To give you more time to protect your store, we are not disclosing the technical details. Suffice it to say that we advise everyone who uses a version from 4.0.1 up to 4.7.1 (including 4.7.1 SP1) to take one of the following measures as soon as possible:
Upgrade to CS-Cart or Multi-Vendor 4.7.1 SP2. This version contains the fixes for all the security issues that we are aware of. It is already available in the Upgrade Center in the Administration panel of your store. Please note that to see 4.7.1 SP2 in the Upgrade Center, you’ll first need to install the upgrades that came before 4.7.1 SP2, if you haven’t done that already.
For those who can’t upgrade to the latest version, we have prepared a free add-on that addresses the problems. We think that installing an add-on is much more convenient for a store owner than changing lines of code in various files manually. To get the add-on:
Sign in to Help Desk before you can download the add-on. Enter the email and password of your Help Desk account. Alternatively, use the Forgot your password? link on that page to sign in without using a password.
Once you sign in to Help Desk, go to the File area. Scroll down to find the Updates folder. Click on that folder to open it.
Find the security_fixes_4xx_addon.zip file. Download it by clicking the icon on the right.
This will solve the discovered security-related problems in your store. Please note that the add-on doesn’t include the fix for the vulnerability that we discovered in November 2017. If you missed that announcement, please take the measures described there as well.
We upgraded this morning right after we received the all-important mail. However, after the upgrade from V4.6.3SP1 to V4.7.1SP2, editing promotions like a deal of the day is causing issues.
This is caused by the fact that the offset is not defined. My guess is that it is not being checked whether it is set, or that the existing variable is not defined as an array. You could fix this by using something similar to this or by defining it as an array, though I think some hooks' order got changed, which can cause this kind of behaviour.
If it is the first case you can use something similar to this:
Helpdesk password recovery answers "The username you have entered does not match any account in our store..." - what should I do in this case? The Helpdesk login email may be the reseller's email or another one, I don't know.
True, but Alexbranding does offer another solution. I just opted for the quickest since we are approaching January 1, 2018. The offices are closed at Alexbranding right now, and a lot of others as well.
From CS-Cart 4.7 and the new version of the add-on (Product of the Day: Extended promotions), it is not needed to add any hooks (just update the add-on and it will work), since the hooks were added by the CS-Cart dev team in the core. Maybe it will be useful for other customers.