Security warning CS-Cart version 1.3.5-SP4

Just had this little gem dropped in my email…

Obsolete and security vulnerable CS-Cart version 1.3.5-SP4 detected on your site. You should consider upgrading.



The message appears to have come from Cyberlnc.

Anyone else get one.

I just got one too. I’m not sure what to do though because 2.0 has too many bugs and upgrades for my liking. I don’t have the time to upgrade, fix mods that may have been affected, and squash bugs every month.

[quote name=‘termalert’]Just had this little gem dropped in my email…

Obsolete and security vulnerable CS-Cart version 1.3.5-SP4 detected on your site. You should consider upgrading.

[/QUOTE]

I can probably shed a bit of light on the message you just posted in the quote above …



What you just described is the automatic default alert message generated from one of my own security scanning applications that was created specifically to provide hosting providers with an easy means of notifying their web hosting clients of old outdated and security vulnerable applications installed on their hosting accounts which have public security alerts pending against them.



Basically in a nutshell, that program scans all the hosting accounts on Cpanel based servers looking for applications that are outdated and then checks the versions detected against known major security alert databases and also additionally checks code for variable sanitation failures, vulnerable code techniques, etc. If a potential threat is identified by an application on any user account which is also known to be obsolete, it will also try to identify a patch if one is available and listed in the public security alert information and will send exactly the email message you just posted above recommending considering an upgrade if no patch information is located.



With a bit of luck, hopefully that system will allow site owners know about potential situations and give them a better chance of getting them resolved before hackers find the same issue(s).



Incidentally, CS-Cart 1.3.5-SP4 is one that does indeed have a number of unresolved security vulnerabilities and alerts out there and I have have also seen a recent rise in sites hacked or hijacked with code or data injection exploit attempts using that particular version so upgrading would be a good move.



However, on the flip side of that coin, CS-Cart made a significant number of changes that make it difficult to port sites to the latest versions and can sometimes be a somewhat costly proposition so you would probably need to weigh all those variables before making your decision on any changes you might or might not make. At the very least, you are aware there is an issue to review and that is the point.



In the meantime, as your hosting provider would probably tell you ---- the message is just for your information only.

… what I did NOT want to hear …lol

Here was I trying to make a break from ebay.

Now it looks like I will have to walk their razor’s edge for a while longer.

I can’t afford expensive upgrades.

Just curious though…

do these hackers zero in ( initially ) on any mention of CS-Cart at our shopping cart sites ?

[Quote]Obsolete and security vulnerable CS-Cart version 1.3.5-SP4 detected on your site. You should consider upgrading.

[/Quote]



Spiral,



I feel this type of scare tactic, from this extremely poorly worded email message, by hosts is very irresponsible. If there is a legitimate threat then quote it and explain how to correct it, but a very vague warning and a blanket statement to simply upgrade is very unprofessional and accomplishes nothing other than raise the blood pressure of store owners. I am very disappointed in any host that feels this is a good way of doing business and communicating with their hosting clients.



David

[quote name=‘Termalert’]… what I did NOT want to hear …lol

Here was I trying to make a break from ebay.

Now it looks like I will have to walk their razor’s edge for a while longer.

I can’t afford expensive upgrades.

Just curious though…

do these hackers zero in ( initially ) on any mention of CS-Cart at our shopping cart sites ?

[/QUOTE]

Did you not just say you are hosted at CyberLNC?



If that is the case, I would not worry too much about any of this as much!



I know first hand that CyberLNC has hundreds of additional security measures and countermeasures that would already protect you from the particular vulnerabilities that triggered the “upgrade recommendation” alert message to you so in your case I would not be too concerned at this particular junction.



Doing so, your application itself would still be vulnerable to some degree of course but with the additional security measures in place at the server level there at your host, you would be far less at risk than someone who were running the same version as you at a lot of other hosting providers out there.



Regarding your final question about how sites are found, the answer is ---- YES.



There is typically two main ways they locate vulnerable sites and that would be running searches for application names and related in search engines such as Google and then checking out those sites found or just going through every IP address at the major data centers and with bot scripts running checks and logging the IPs of those showing exploitable promise.


[quote name=‘Triplets’]Spiral,



I feel this type of scare tactic, from this extremely poorly worded email message, by hosts is very irresponsible… [/QUOTE]

ROFL LMAO! :slight_smile:



Well that clearly went “whoosh” right past you …


  1. The message being discussed above is NOT any kind of “scare tactic”!



    (In example, In the past two weeks, I have personally witnessed, at different web hosts, over 50 sites hijacked and all used as spam servers for no other reason than they each were running CS-Cart 1.3.5-SP4 and weren’t fortunate enough to have a host running any such scanners to let them know before those incidents that their sites had any such issues. Another 27, also running the same version, got their customer credit card data or other information stolen as well by injected code modifications)


  2. The only way you might receive such a message from any web host running that particular scanner is if you are running an application and version confirmed vulnerable with known and active security threats which are in the wild and are actively and openly being exploited and publicly listed out in the open.



    (Think of it as a virus scanner but instead looks for web applications vulnerable to exploits currently being sought for at servers by the hackers out there)


  3. Hosts can customize the alert messages and templates for that application but the default messages are to either “consider upgrading” or to send the URL of the relevant patch (only if a patch exists and there is a URL reference in the major public security advisory databases)



    – In the case of the user above, a patch doesn’t exist or was not found so the only fix if you were going to close this issue would indeed actually be to upgrade!



    Bottom Line —



    The very point of such a system is indeed to get the attention of those running vulnerable applications and make them aware (hopefully in advance of any trouble) that they do have a problem but is considered only an initial point of protection — an automated alert system.

All I was saying was the current wording was very poor. It said nothing and explained nothing. Hosts need to do a better job communicating. The way it is currently worded and used is purely a scare tactic. If they expect people to act on something they need to provide more information. Hosts know that upgrading is not an option for everyone, and expecting people to do so just because they send out this one line email is irresponsible and foolish.



Also, the message is directed at the wrong person. If a host feels the software is vulnerable they need to work it out with the developer of the code. The store owner does not need to be involved with this. It should be tech team (host) to tech team (e-commerce developer).

I partially agree and disagree with that but I think the point you are missing here is that this is an early warning system to let hosts and end users both know about potential security situations and in many cases, security issues in applications have already been resolved in later releases

Spiral, is there any security problem with removed or not? If yes, please let us know exactly where and what and we will contact CS to fix it. No point to write long stories. Thank you.

[quote name=‘Noman’]Spiral, is there any security problem with removed or not? If yes, please let us know exactly where and what and we will contact CS to fix it. No point to write long stories. Thank you.[/quote]



cough [url]NVD - CVE-2009-2579 cough

I really hope you’ve applied the security patch for 1.3.5sp3



[B]CS-CART[/B] v1.3.5 - SP3 - Security Patch Update:
[B]CS-Cart[/B] has released a security patch that eliminates a vulnerability in [B]CS-Cart[/B] 1.3.5 (earlier versions are not affected). (As I've previously warned people about)
The vulnerability allows a malicious user to perform an SQL injection if the "magic_quotes_gpc" PHP setting is disabled on a server via the search box on the front page.

… is there a list of areas where the mention of CS-Cart can be deleted ?

Mine is CS-Cart version 1.3.5-SP4

The CS-Cart logo is obvious.

Others may be embedded to prevent unauthorised copying.

Heck…I don’t have a clue.



On the upside this is the first such message I have received in nearly 12 months.

I once purchased X-Cart and the warnings and links to patches were almost a weekly event.

[quote name=‘JesseLeeStringer’]cough [url]NVD - CVE-2009-2579 cough

I really hope you’ve applied the security patch for 1.3.5sp3



[B]CS-CART[/B] v1.3.5 - SP3 - Security Patch Update:
[B]CS-Cart[/B] has released a security patch that eliminates a vulnerability in [B]CS-Cart[/B] 1.3.5 (earlier versions are not affected). (As I've previously warned people about)
The vulnerability allows a malicious user to perform an SQL injection if the "magic_quotes_gpc" PHP setting is disabled on a server via the search box on the front page.
[/QUOTE]



Thanks Jesse



I don’t use Reward points mod and I did apply whatever is in Customer area regarding 1.3.5.

[quote name=‘Noman’]

I don’t use Reward points mod[/quote]



regardless if you use it, the addon should be removed :wink:

OK, now I am confused. If I am using 1.3.5 SP4 and not using reward points is there a vulnerability?

[quote name=‘JesseLeeStringer’]regardless if you use it, the addon should be removed ;)[/QUOTE]



Excuse my ignorance but I don’t want to “break” anything.



Is it sufficient just to delete the Reward_Points folder?



The reward points add-on never seemed to work properly anyway.

[quote name=‘Triplets’]OK, now I am confused. If I am using 1.3.5 SP4 and not using reward points is there a vulnerability?[/QUOTE]

I’m curious too. Do we need to take reward points off 1.3.5 sp4? If so, how do we take it off? I have it turned off, but I’m not for sure how to take it away…if needed.

Must admit I am glad it has a vulnerability associated with it.

I was getting tired of having to manually adjust members points.

So… I am with others here,

is de-activating it enough and it not then what should we delete without

breaking something else ?

I don’t feel like paying for a support ticket to fix something that should have been working properly in the first place.

[quote name=‘termalert’]I don’t feel like paying for a support ticket to fix something that should have been working properly in the first place.[/quote]



If it’s a CS bug you don’t have to pay, but I think the version 1.3… is no more supported.

[quote name=‘indy0077’]If it’s a CS bug you don’t have to pay, but I think the version 1.3… is no more supported.[/QUOTE]



Surely 1.3.5 is still supported! :confused:

[quote name=‘BarryH’]Surely 1.3.5 is still supported! :confused:[/QUOTE]


[quote name=‘indy0077’]If it’s a CS bug you don’t have to pay,[/QUOTE]



ROFLMFAO!!!