Update: Critical Vulnerability In PHPMailer Library. Should Be Fixed ASAP

[Tue Jan 10 15:56:59.458425 2017] [fcgid:warn] [pid 24653:tid 140692667926272] [client 89.67.xx.xx:53522] mod_fcgid: stderr: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in /home/admin/domains/zestudni.pl/public_html/app/lib/vendor/phpmailer/phpmailer/class.smtp.php on line 367, referer: https://www.zestudni.pl/myadmin.php?dispatch=profiles.update&user_id=45&user_type=A

Hello again, I found something like this in the httpd error log.

You are using a self-signed SSL certificate, or you have missed the CA bundle for your chosen / specified SSL certificate somewhere in your configuration.

Solution: Add the self-signed certificate to your CA bundle.
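As an added example (not CS-Cart's or PHPMailer's own code), the following script tells the two causes named above apart, a self-signed server certificate versus a CA bundle that lacks the issuer, and then configures PHPMailer 5.2.x so peer verification stays on and points at that bundle instead of being switched off. SMTP_HOST, SMTP_PORT, CA_BUNDLE and the login are assumed placeholders; the diagnostic assumes implicit TLS (SMTPS on 465), while the SMTPOptions block applies equally to STARTTLS on 587.

```php
<?php
// Added example, not code from CS-Cart or PHPMailer: diagnose the
// "certificate verify failed" error from the log above and configure PHPMailer
// so verification stays ON and uses a CA bundle that contains the issuing CA
// (or the self-signed certificate itself). All constants are assumed values.

const SMTP_HOST = 'smtp.example.com';                   // assumed
const SMTP_PORT = 465;                                  // implicit TLS (SMTPS); assumed
const CA_BUNDLE = '/etc/ssl/certs/ca-certificates.crt'; // Debian-style path; assumed

/** Open an implicit-TLS socket with the given ssl context options, or null. */
function openTls(string $host, int $port, array $sslOpts, &$err)
{
    $ctx = stream_context_create(['ssl' => $sslOpts]);
    $errno = 0;
    $errstr = '';
    $sock = @stream_socket_client("ssl://$host:$port", $errno, $errstr, 5,
        STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        $err = "$errstr (errno $errno)";
        return null;
    }
    return $sock;
}

/**
 * Returns null when the server's chain verifies against $caFile, otherwise a
 * message naming which cause from the thread applies.
 */
function diagnoseSmtpCertificate(string $host, int $port, string $caFile)
{
    if (!is_readable($caFile)) {
        return "CA bundle $caFile is missing or unreadable: fix the cafile path";
    }
    $err = null;
    $sock = openTls($host, $port, [
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        'allow_self_signed' => false,
        'cafile'            => $caFile,
    ], $err);
    if ($sock !== null) {
        fclose($sock);
        return null; // chain verifies; PHPMailer will accept the same options
    }
    $verifyError = $err;
    // Verification failed. Fetch only the leaf certificate over an unverified
    // connection (diagnosis only, nothing is sent) to tell the causes apart.
    $sock = openTls($host, $port, [
        'verify_peer'       => false,
        'verify_peer_name'  => false,
        'capture_peer_cert' => true,
    ], $err);
    if ($sock === null) {
        return "Cannot reach $host:$port at all: $err";
    }
    $params = stream_context_get_params($sock);
    fclose($sock);
    $cert = openssl_x509_parse($params['options']['ssl']['peer_certificate']);
    if ($cert === false) {
        return "TLS verification failed ($verifyError) and the peer certificate could not be parsed";
    }
    // A self-signed certificate has identical issuer and subject.
    if ($cert['issuer'] === $cert['subject']) {
        return "Server certificate is self-signed ({$cert['name']}): append its PEM to $caFile";
    }
    $issuer = isset($cert['issuer']['CN']) ? $cert['issuer']['CN'] : '?';
    return "Server certificate was issued by '$issuer' but that CA is not in $caFile "
         . "(or the server omits an intermediate): add the issuing CA to the bundle";
}

/** PHPMailer 5.2.x (file names as in the thread) with the same trust settings. */
function buildMailer()
{
    require_once 'class.phpmailer.php';
    require_once 'class.smtp.php';
    $mail = new PHPMailer(true);
    $mail->isSMTP();
    $mail->Host       = SMTP_HOST;
    $mail->Port       = SMTP_PORT;
    $mail->SMTPSecure = 'ssl';              // 'tls' for STARTTLS on 587
    $mail->SMTPAuth   = true;
    $mail->Username   = 'user@example.com'; // assumed
    $mail->Password   = getenv('SMTP_PASSWORD') ?: '';
    // Keep peer verification on and point at the bundle holding the CA or the
    // self-signed cert. Do NOT silence the log error with verify_peer => false.
    $mail->SMTPOptions = ['ssl' => [
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        'allow_self_signed' => false,
        'cafile'            => CA_BUNDLE,
    ]];
    return $mail;
}

$problem = diagnoseSmtpCertificate(SMTP_HOST, SMTP_PORT, CA_BUNDLE);
if ($problem !== null) {
    fwrite(STDERR, "SMTP TLS check: $problem\n");
    exit(1);
}
echo "SMTP certificate chain verifies against " . CA_BUNDLE . "\n";
```

Run the script from the same PHP install that serves the shop so it sees the same openssl defaults; once it reports that the chain verifies, the identical `SMTPOptions` array makes PHPMailer's `class.smtp.php` connect without the error in the log.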

Order emails and form builder contact forms do not work after applying SP2. My contact us form, which worked fine prior to the update, now goes to a blank white page and does not send email. It no longer shows the "form submit text" message. Also, when a new customer signs up, they get the blank white page after submitting their information. Several people are also suddenly having login issues, but it seems somewhat random. I was using php mailer prior to the update. I have tried php mailer, sendmail and SMTP. All have issues. Something is definitely messed up with this update. Any ideas? I also submitted a support ticket.

No errors in your web server logs?

None. :-(

White screen usually related to MySQL / Database issues, have you also checked your database?

For those suffering a similar problem as I did, the culprit was escapeshellcmd(). The update requires this to be enabled. This is disabled by default for many servers using Suhosin for security purposes. You can either disable Suhosin on the domains running CS-Cart, or you can enable the specific function manually. Both methods should fix this particular white screen of death issue.

Odd, I don't think there are any issues with escapeshellcmd. It had a vulnerability something like 9 years ago prior to PHP 5.2.5 / 4.4.8 but I'm not aware of any good reason to disallow it now. Better to remove escapeshellcmd & escapeshellarg from the Suhosin function blacklist rather than disabling Suhosin.

For what it's worth, I have a customer that applied the patch and noticed a 1 min delay at the end of checkout.

Seems that the site uses Twigmo and that Twigmo is generating a 504 timeout (which takes 60 seconds). So you might want to check your log data around your orders to see if there's a twigmo response with this snippet in it.

504 Gateway Timeout

The web server is returning an unexpected networking error for .
If you need immediate assistance, please send us an email instead.
We apologize for any inconvenience.

Try This Page Again

I agree. Best practice would definitely be to enable them (remove from blacklist) rather than simply disable Suhosin wholesale. For instance, I disabled suhosin outright just to quickly see if that would "fix" the issue, and once confirmed, then went back later to remove the function from the disabled functions list in suhosin configuration.

I also agree that it does appear escapeshellcmd and escapeshellarg are currently considered a low-priority security risk. Still, some people, like myself, prefer to disable functions that are not required by software in use, to keep server security locked down as best as is reasonably possible (no need to leave a "door" unlocked that you don't use). In my case, and in the case of many others with regard to this particular issue, these particular functions often come/came disabled by default... particularly on servers/control panels that were set up a year or more in the past, due to particular security concerns pertaining to them previously.

It would have been ideal if the upgrade center in CS-Cart had been configured to check for these newly required functions prior to allowing the upgrade to continue, since it is something that previously was not required for full/proper functionality. This function check is a capability that already exists in their upgrade and install routine for other functions. It really should have also been mentioned in release notes, so admins could make the proper adjustments prior to upgrading. I understand though... Sometimes things get missed, especially when you're trying to get a security patch pushed out in a timely fashion to protect users/customers.

Take care,

Kellen
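The two points above, that the patch silently needs escapeshellcmd() and that an upgrade routine ought to check for newly required functions before proceeding, can be combined into a small pre-upgrade check. The script below is an added example and not CS-Cart's own upgrade-center code; the list of required functions is taken from the names mentioned in this thread and is an assumption, so substitute the list from the release notes. It reads PHP's disable_functions and Suhosin's executor blacklist/whitelist directly because function_exists() alone does not see a Suhosin blacklist.

```php
<?php
// Added example, not CS-Cart's own upgrade-center code: report which functions
// required by the new release are blocked by disable_functions or by Suhosin's
// executor blacklist, so the admin can unblock exactly those functions instead
// of disabling Suhosin wholesale.

// Functions named in this thread as required after the patch. ASSUMED list:
// take the authoritative one from the release notes.
const REQUIRED_FUNCTIONS = [
    'escapeshellcmd', 'escapeshellarg', 'shell_exec', 'exec', 'system', 'passthru',
];

/** Split an ini list ("a, b c") into lower-cased function names. */
function parseFunctionList($raw)
{
    if (!is_string($raw) || trim($raw) === '') {
        return [];
    }
    $names = preg_split('/[\s,]+/', trim($raw));
    return array_values(array_filter(array_map('strtolower', $names), 'strlen'));
}

/**
 * Pure decision logic: which of $required are blocked, and by which directive.
 * Returns ['func' => ['reason', ...], ...]; empty array means nothing is blocked.
 */
function blockedFunctions(array $required, $disableFunctions, $suhosinBlacklist, $suhosinWhitelist)
{
    $disabled  = parseFunctionList($disableFunctions);
    $blacklist = parseFunctionList($suhosinBlacklist);
    $whitelist = parseFunctionList($suhosinWhitelist);
    $report = [];
    foreach ($required as $fn) {
        $fn = strtolower($fn);
        $reasons = [];
        if (in_array($fn, $disabled, true)) {
            $reasons[] = 'listed in disable_functions';
        }
        if (in_array($fn, $blacklist, true)) {
            $reasons[] = 'listed in suhosin.executor.func.blacklist';
        }
        // When a Suhosin whitelist is set, only the listed functions may run.
        if ($whitelist !== [] && !in_array($fn, $whitelist, true)) {
            $reasons[] = 'not in suhosin.executor.func.whitelist';
        }
        if ($reasons !== []) {
            $report[$fn] = $reasons;
        }
    }
    return $report;
}

/** Check the running PHP configuration for the required functions. */
function checkRequiredFunctions(array $required = REQUIRED_FUNCTIONS)
{
    // ini_get() returns false for the suhosin.* keys when Suhosin is not loaded.
    $report = blockedFunctions(
        $required,
        ini_get('disable_functions'),
        ini_get('suhosin.executor.func.blacklist'),
        ini_get('suhosin.executor.func.whitelist')
    );
    // Catch functions missing for any other reason (e.g. compiled out).
    foreach ($required as $fn) {
        if (!function_exists($fn) && !isset($report[strtolower($fn)])) {
            $report[strtolower($fn)] = ['function_exists() is false'];
        }
    }
    return $report;
}

$blocked = checkRequiredFunctions();
if ($blocked === []) {
    echo "All required functions are available; safe to continue the upgrade.\n";
    exit(0);
}
foreach ($blocked as $fn => $why) {
    echo "$fn(): " . implode('; ', $why) . "\n";
}
echo "Remove only these names from the relevant list, then re-run this check.\n";
exit(1);
```

Running it as the web server user (for example through a one-off admin page or `php-cgi` with the site's php.ini) matters, because the CLI often loads a different configuration than mod_fcgid does.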

I'm not currently using twigmo, but I have plans to do so in the future. This might save someone from some headaches, including myself down the road. Good on you to mention it. In fact, this is probably worth adding to the bug tracker if you haven't already.

Take Care,

Kellen


You better put htmlentities and str_replace into that default lockdown too, as both have had vulnerabilities 6 or 7 years ago. Heck, since you don't know if there are any unknown vulnerabilities in other functions then you should lock them all down and then open them up one by one until things work.

Seriously, though, I know you're stuck with hosts who put them in the black list while they were migrating servers 9 years ago and never took them out. I just didn't want anyone thinking that opening them up was possibly opening a security hole. Just like htmlentities, they are functions used to enhance security and there really is no good reason to lock them down. Other functions that CS-Cart requires, like shell_exec, exec, system & passthru, are far more dangerous.

hehe... I don't disagree with you straygecko. My own personal preference is to be as cautious as is reasonable when it comes to security... though it can certainly become a never ending pursuit if one lets it, and which you alluded to. "Reasonable" means different things to different folks. :)

It's still a relatively common occurrence to encounter these functions disabled on default setups, which is why I mentioned it being a smart thing to include new function requirements in release notes. I mentioned this to CS-Cart staff. They agreed. They're putting it in there now. :)

Take care! :)

Not sure unavailability of a server is really a bug as much as an administrative issue. However, having a 60 second TCP timeout is standard but a bit long for an interactive process. If you can't connect in 5 seconds, you should just move along....
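The short-timeout point above, shown as an added example (not Twigmo's or CS-Cart's code): an optional add-on call during checkout with a 5 second connect limit that fails open, so an unreachable endpoint costs seconds rather than the 60 second 504 described earlier. The URL and payload are assumed placeholders.

```php
<?php
// Added example, not Twigmo's or CS-Cart's code: call an optional third-party
// hook during checkout with a short connect timeout and fail open, so an
// unreachable add-on endpoint cannot stall the customer for a minute.

/**
 * POST $payload to $url. Returns the response body, or null if the service is
 * unreachable, times out, or answers 5xx; checkout then carries on without it.
 */
function callOptionalService($url, $payload, $connectTimeout = 5, $totalTimeout = 10)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $payload,
        CURLOPT_RETURNTRANSFER => true,
        // Give up on the TCP/TLS connect after $connectTimeout seconds, and cap
        // the whole request so a slow endpoint cannot hold the checkout either.
        CURLOPT_CONNECTTIMEOUT => $connectTimeout,
        CURLOPT_TIMEOUT        => $totalTimeout,
        // Keep certificate verification on for the outbound call.
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
    ]);
    $body   = curl_exec($ch);
    $errno  = curl_errno($ch);
    $error  = curl_error($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $took   = curl_getinfo($ch, CURLINFO_TOTAL_TIME);
    curl_close($ch);

    if ($errno !== 0 || $status >= 500) {
        // Log for later follow-up and move on: the order is already placed.
        error_log(sprintf('optional service %s unavailable after %.1fs: curl %d %s, HTTP %d',
            $url, $took, $errno, $error, $status));
        return null;
    }
    return $body;
}

// Usage with an assumed, unreachable URL: the call returns null within a few
// seconds instead of blocking the checkout page.
$start  = microtime(true);
$result = callOptionalService('https://hook.example.invalid/order',
    json_encode(['order_id' => 123]));
printf("hook result: %s (%.1fs)\n", $result === null ? 'skipped' : 'ok', microtime(true) - $start);
```

The same two cURL options (connect and total timeout) belong on any synchronous call a page makes to a third party; anything that is not needed to finish the order should also be treated as optional in the control flow, as the function's null return is here.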

Can't argue with that. :)

Hi Sergey

In the 135sp4 the line

$this->Sender = $address;

cannot be found.

Fotis

@Fotis: Upgrade PHPMailer to the latest version (replace class.phpmailer.php and class.smtp.php) and moreover follow the modifications as dictated for CS-Cart 4.X

Cheers!