Jump to content

  • You cannot start a new topic
  • You cannot reply to this topic

Security warning CS-Cart version 1.3.5-SP4 Rate Topic   - - - - -

 
  • BarryH
  • Senior Member
  • Members
  • Join Date: 03-Sep 07
  • 1459 posts

Posted 03 January 2010 - 12:56 PM #21

ROFLMFAO!!!


:confused: :D :rolleyes: LOL CScart Support Rocks!!!!! :lol:

BarryH

 

CS-Cart v4.4.3 (Plus one being developed v4.5.2 SP2)
UK User


 
  • gabrieluk
  • Senior Member
  • Members
  • Join Date: 21-Jul 09
  • 133 posts

Posted 03 January 2010 - 11:39 PM #22

regardless if you use it, the addon should be removed ;)

Please can anyone point the right way to get rid of this addon?
Thanks in advance
Number 1

 
  • Lyn
  • Senior Member
  • Members
  • Join Date: 22-Jan 09
  • 416 posts

Posted 04 January 2010 - 12:52 AM #23

Surely 1.3.5 is still supported! :confused:


You would think there would still be support for this version. Even Microsoft didn't shut off its support for a previous version of Windows until the new one had been out there for years and was stable.

And there must be thousands of CS-Cart users who have no intention of upgrading, either now or at any time soon.

I really don't want to have to upgrade due to the work involved and it would be good to get an answer as to whether all we have to do is delete the Reward Points folder or if there is some other way to solve this problem.
Lyn
www.eziautoparts.com.au
Your one stop auto parts shop

CS-CART VERSION: 1.3.5 SP4
One of these days I'll upgrade!!
Website hosting by Micron 21

 
  • clips
  • Aged Resident Loon
  • Members
  • Join Date: 14-Jan 07
  • 1650 posts

Posted 04 January 2010 - 01:54 AM #24

Incidentally, CS-Cart 1.3.5-SP4 is one that does indeed have a number of unresolved security vulnerabilities and I have have seen a recent rise in sites hacked or hijacked with code injection exploits using that particular version so upgrading would be a good move.


Spiral, you have made the above statement with nothing to back up your claim that CS 1.3.5 sp4 has a "number of unresolved security vulnerabilities". Please help us out. What are these security issues so I can work to get them resolved? I'm sure others in the community would love to know what they are too. This way we can all work to get them resolved.

I am sorry to say that at this point I just am not convinced that CS 2.? is the answer...at least quite yet. I hope to try out 2.11 soon on a new site, but still will not try it on one of our traffic sites yet. So basically, I plan to keep 1.3.5 sp4 until at least 2011 on a couple of our sites. I have already invested quite a bit in our current sites and do not want to blow that all out of the water for a version that seems to be on continuous "beta" test. So if there are security issues I want to work to get them resolved.
Regards,
Jim

 
  • gabrieluk
  • Senior Member
  • Members
  • Join Date: 21-Jul 09
  • 133 posts

Posted 04 January 2010 - 11:09 AM #25

Spiral, you have made the above statement with nothing to back up your claim that CS 1.3.5 sp4 has a "number of unresolved security vulnerabilities". Please help us out. What are these security issues so I can work to get them resolved? I'm sure others in the community would love to know what they are too. This way we can all work to get them resolved.

I am sorry to say that at this point I just am not convinced that CS 2.? is the answer...at least quite yet. I hope to try out 2.11 soon on a new site, but still will not try it on one of our traffic sites yet. So basically, I plan to keep 1.3.5 sp4 until at least 2011 on a couple of our sites. I have already invested quite a bit in our current sites and do not want to blow that all out of the water for a version that seems to be on continuous "beta" test. So if there are security issues I want to work to get them resolved.

Amen:rolleyes:
Number 1

 
  • Spiral
  • BANNED
  • Banned
  • Join Date: 02-Aug 09
  • 133 posts

Posted 04 January 2010 - 04:16 PM #26

Spiral, you have made the above statement with nothing to back up your claim that CS 1.3.5 sp4 has a "number of unresolved security vulnerabilities". Please help us out. What are these security issues so I can work to get them resolved? I'm sure others in the community would love to know what they are too. This way we can all work to get them resolved.

For the record, I never actually said any such thing! I simply made the side comment previously above that I have personally seen a large number of sites on CS 1.3.5 SP4 hacked in the pasts couple of weeks and that is absolutely true and that is all I really said so stop trying to take things out of context of the conversation by mixing up comments on two different subjects together, and thus saying things I didn't actually say at all! However, with that rebuke said ---

YES, 1.3.5 SP4 does indeed have some very major security problems and I will say that now directly which is further evidenced moreover by the substantially increased number of sites being hacked and / or hijacked all running 1.3.5 SP4 lately with rising frequency over the past couple weeks in particular.

I am sorry to say that at this point I just am not convinced that CS 2.? is the answer...at least quite yet. I hope to try out 2.11 soon on a new site, but still will not try it on one of our traffic sites yet.

Actually, I absolutely agree about CS 2!

CS-Cart's 2.0 series has a lot of its own bugs and problems and everyone is, in a certain way, now in a bit of an enigma currently between the 1.x series (which seems to work very well functionally but has security problems up the wazoo) or the 2.x series (which seems to fix a lot of those security problems and adds some new features but all still quite buggy and functionally still has a number of issues being worked out).

Another FYI --

I have NEVER myself said to anyone that they should upgrade to 2.0 and to think that is actually an incorrect assumption on your part! The scanning and outdated notice program I designed for web hosting providers (which incidentally is the actual real subject of this discussion that everyone seems to also have totally forgotten) isn't designed to check just CS-Cart installations but rather **EVERY** outdated web application you might possibly be running on your site and let's you know which ones are outdated which are also reported as insecure by major security reporting databases such as Secunia and others ....

---- nothing less ---- nothing more ---- end of story!

I posted comments at the start of this thread simply and for no other reason than just to answer the question "WHY" someone received the email message they described and as the author of the scanning program their web host is using to help try to find security problems and recognizing the message they posted, I'm in a good position to explain to them the purpose of the email they described and what it all really means to them. Everyone else has pretty much hijacked this thread beyond that point.

So basically, I plan to keep 1.3.5 sp4 until at least 2011 on a couple of our sites. I have already invested quite a bit in our current sites and do not want to blow that all out of the water for a version that seems to be on continuous "beta" test. So if there are security issues I want to work to get them resolved.

Now that last final sentence is actually the first somewhat sensible thing you have said! :)

Now in regard to getting "security issues resolved", there should be no problem people keeping 1.3.5 sp4 in and of itself but you will need to make a number of modifications to deal with several poorly written code areas that are now being activity exploited heavily right now and to tell you precisely what is happening, I have seen hackers injecting code at 4 specific locations in the CS-Cart scripts where the injected code is happily accepted and the data isn't properly sanitized (probably because to CS-Cart's credit, it isn't where you would normally expect code to be passed at those locations). Thus far, the two primary uses I have observed how this has been exploited has either to be utilize the CS-Cart program as a spam distribution relays or to make internal code modifications from the script itself (thanks to the 777s) to send out a copy of every customer order and all the details including credit cards to some remote location. This should at least partially answer your question about the details of the problem and what is going on with all of this.

Other than patching your CS-Cart code if you intend to stay with 1.3.5, I would also recommend to you but only if it is possible for you, using a hosting provider that has protections in place specifically for this problem. I have a list of those for anyone who wants to know which have such protections.

Now while this question is brewing, one thing everyone should know ----

I do not ever jump into any issue or situation that I am not more than capable within my own power and resources to deal with to help everyone resolve and I will and do go out of my way to assist anyone with anything ever discussed anywhere on any topic you see me post any comments so everyone who is quick to get alarmed, or panic, or worry, or whatever issue fuels your backlashes ---- you can relax!

CS-Cart 1.3.5 is just one of literally thousands of such programs that I deal with on a day to day basis helping to put a stop to hacking and exploits and in the grand scheme of things really is no more significant than any other only that it is actively being attacked right now and that puts it higher up on on the "concerned list".

*** EDIT: For the brain dead --- I am NOT saying to ignore this issue here ****

Regarding 1.3.5 SP4 specifically, I have already developed external security programs for hosting servers to help with the problems with 1.3.5 and other programs with similar issues that are out there as well as also active scanning programs (such as the one being discussed above) to try to locate exploitable problems and give the owners a better chance to fix those issues before the hackers out there find the same.

Additionally, I have also located all the areas of code that are currently being exploited by hackers by monitoring what they are doing at several different hosts and I have in return made that information freely available to hosting providers as well and a number are already taking (or have taken already) measures to deal with the issue by means outside of the CS-Cart program itself making changes to the servers themselves so the methods used to exploit the code can't be performed in the first place so you might already be protected and not know it!

On the other side of the coin ....

As I know that 1.3.5 is no longer "officially" supported, I don't know at this point if CS-Cart intends to release their own additional patches or not but working off the assumption that the are not going to release any fixes for such an old version, I'm working on a 3rd party independent patch and presently just working on how to make it easy for everyone to apply without having to change a couple hundred lines of code while compensating for those who may have also heavily modified or customized those applications as well.

For those who manage their own servers, I would recommend staying away from "777" permissions by going to SuPHP and contrary to what CS-Cart might tell you, do in fact install and use Mod_Security with a good ruleset such as the one from "GotRoot.Com" and also install and use SuHosin which will give you an additional line of defense on code injection type exploits such as this. You might also want to disable the mail() function in PHP and setup for authenticated SMTP from your programs unless you have other measures in place to prevent your site being used as a spam relay for hackers.

For those of you who don't have business in China or Russia, I would recommend using GeoIP from Maxmind to setup blocking of connections from those countries and putting in additional RBL checks against known exploited IPs as that will knock out the majority of the attack sources that have been observed to date from reaching your web hosting site in the first place.

Hope that helps .....

Anyway, if anyone needs more tips or a bit of one on one attention, just ask me ....

 
  • TonyK
  • Member
  • Members
  • Join Date: 03-Mar 06
  • 1686 posts

Posted 04 January 2010 - 07:54 PM #27

Have you happened to send CS these "identified" areas that hackers are using?

I don't speak for them, but maybe they would release a bug fix/patch?

Or maybe they can offer additional insight to how to protect customers sites....
Pimpin' skins since v1.0

 
  • wwgreen
  • Senior Member
  • Members
  • Join Date: 20-Nov 06
  • 411 posts

Posted 04 January 2010 - 08:23 PM #28

Have you happened to send CS these "identified" areas that hackers are using?


ET - Here, here. I'm still on 1.3.4sp3, very happy with it still. Yet I wouldn't mind knowing what else I can do (if anything is needed) in the meantime for my existing install, at least until 2.x (3.x?) is stable enough for me.

v4.9.3sp1


 
  • Noman
  • Senior Member
  • Members
  • Join Date: 29-Oct 07
  • 526 posts

Posted 04 January 2010 - 09:35 PM #29

SPIRAL...

For some strange reason - I'm not convinced about your discoveries.

Still no proof, no code, no examples or details. Just usual - blah blah blah. And yes, if there's a security issue in 1.3.5 SP4, CS guys will release a patch. I have that in my inbox.

Just my 2 cents below...
I have personally seen a large number of sites on CS 1.3.5 SP4 hacked in the pasts couple of weeks
Well, share with us some more details. A large number must be at least more than 10. I believe, with your experience and help, they were fixed. Can we see maybe 3 of them please?

YES, 1.3.5 SP4 does indeed have some very major security problems and I will say that now directly which is further evidenced
Reading below I couldn’t find any proof.

CS-Cart's 2.0 series has a lot of its own bugs and problems
How many problems have you reported to the Bug tracker?

I designed for web hosting providers (which incidentally is the actual real subject of this discussion that everyone seems to also have totally forgotten) isn't designed to check just CS-Cart installations but rather **EVERY** outdated web application you might possibly be running on your site and let's you know which ones are outdated which are also reported as insecure by major security reporting databases such as Secunia and others ....
In this case, your(?) program does just a general testing and gives a general result? Can we read some reviews about your program somewhere on the Internet please? I’m happy to buy it if so good and my boss is happy to pay for it.
Here’s what Secunia has on CS 1.3.3 trail version only! Just to remind you, we are on 1.3.5 SP4

http://secunia.com/advisories/20440/

you will need to make a number of modifications to deal with several poorly written code areas that are now being activity exploited heavily right now and to tell you precisely what is happening, I have seen hackers injecting code at 4 specific locations in the CS-Cart scripts where the injected code is happily accepted and the data isn't properly sanitized (probably because to CS-Cart's credit, it isn't where you would normally expect code to be passed at those locations).Have you contacted CS regarding those “issues”? Can you point out where is that “poorly written code” and publish your solutions? You have seen hackers injecting the code... interesting. Were you watching servers and logs while things were happening?


I would also recommend to you but only if it is possible for you, using a hosting provider that has protections in place specifically for this problem. I have a list of those for anyone who wants to know which have such protections. The previously mentioned CyberLNCThat’s the only sense I can make from your long writing now and in the past. You recommend CyberLNC on every occasion. However, reading a long thread about them, personally, I wouldn’t take this risk.

Regarding 1.3.5 SP4 specifically, I have already developed external security programs for hosting servers to help with the problems.
Additionally, I have also located all the areas of code that are currently being exploited by hackers.
I'm working on a 3rd party independent patch
OK, let’s see both. Your “external security program” and those “areas”. Feel free to PM me your code and details and I will share it with people who know what to do with it. You will be rewarded for your work.

Unfortunately, I had to write the above that way so, we can easy track things and understand what’s going on with 1.3.5 SP4 and if.

With no proof and details, I would say, your post is just a waste of space and effort.

And let me tell you, I’m not a Linux expert however, I look after security of more MS servers than you have fingers and toes, and on a daily basis, and I make a good living from it. I do it since NT4 came out and I got my first MCSE in 1994. I heard many stories about server security, hackers and so on, but I, with other guys, always work hard to find the solution and share it with the IT community. No false statement and advertisement.

Also, regarding your favourite hosting company – I do not know much about them, but I believe, they are great and hard working guys, but believe you me, I host 18 only websites with a small company of 8 servers and for the last 4 years, they had TWO! downtimes. No stories, no excuses. Just open-minded people with common sense. So, there’s some more good hosting companies in the world.

I hope, you won’t take it personally and will reply as per original subject.
I’m sorry for “almost English” language above. I’m not local. Just working here in the UK.
I'm Number 1, so why try harder?

CIA wannabe or having doubts and need some answers?
Spy Gadgets and CCTV Equipment

 
  • BarryH
  • Senior Member
  • Members
  • Join Date: 03-Sep 07
  • 1459 posts

Posted 04 January 2010 - 10:24 PM #30

Hi All

I'm afraid as I've said on many occasions before, I'm not very techy, and most of this is beyond me!! :confused:

However, I have grave concerns that this thread will fill up the internet and cause all our stores to run very slowly. :lol: LOL

(only joking guys)

BarryH

 

CS-Cart v4.4.3 (Plus one being developed v4.5.2 SP2)
UK User


 
  • Traveler
  • Senior Member
  • Members
  • Join Date: 02-Feb 07
  • 899 posts

Posted 04 January 2010 - 11:55 PM #31

Noman,

Thank you for your thoughtful post.

I agree with you and I have posted before Spiral seems well meaning but without proof much of what he says is merely entertaining and nothing a serious business person would pay attention to.

But understanding serious business is something that appears to go "whoosh over" his head....

Smiling - I could not resist that - again Spiral appears well meaning and maybe he will slow down and start posting some value added information that he came up with on his own.

I am still waiting for his information on why traditional VPS accounts are dangerous. The consensus among IT pros is that security is something that must be constantly monitored using best practices.

Yet not even one word in a PM with helpful information, which of course indicates that more likely than not, none exists.

Version 4.9.2


 
  • Struck
  • Teetering on Genious
  • Members
  • Join Date: 07-Mar 09
  • 2502 posts

Posted 05 January 2010 - 01:00 AM #32

Yet not even one word in a PM with helpful information, which of course indicates that more likely than not, none exists.


You know what I find really comical is that you come across as if Spiral owes you something, he doesn't "owe" you anything! In his posts he simply attempts to convey useful information which may very well prevent a catastrophic situation from occuring.....

I highly doubt he is getting paid for his time in writing these lengthy posts, he is doing it as a favor.

As with all information, you have the choice as whether to use it, or not, we ALL have that choice.

And, do you really expect him to clearly explain on a public forum where the vulnerabilites can be found..............LMFAO :confused:
Cooking with Gas on Version 4.1.2 (But proceeding with caution....)

 
  • Traveler
  • Senior Member
  • Members
  • Join Date: 02-Feb 07
  • 899 posts

Posted 05 January 2010 - 01:43 AM #33

You know what I find really comical is that you come across as if Spiral owes you something, he doesn't "owe" you anything! In his posts he simply attempts to convey useful information which may very well prevent a catastrophic situation from occuring.....

I highly doubt he is getting paid for his time in writing these lengthy posts, he is doing it as a favor.

As with all information, you have the choice as whether to use it, or not, we ALL have that choice.

And, do you really expect him to clearly explain on a public forum where the vulnerabilites can be found..............LMFAO :confused:


Struck,

Yes, I do feel that honesty and a sense of responsibility is owed when posting on this forum so that we do not waste our time.

And yes call me old fashioned but when you say you will do something I expect followup we all post as to our abilities to help.

And yes I expect him to communicate his concerns as appropriate if there is any truth to his "cry wolf" warnings.

If the public forum does not work a private message is fine.

I also feel that yelling "FIre" in a crowded theater is wrong and going on and on about perceived threats without any backup is not comical but sad.

Feel free to PM me if you want to share information that you have that would hurt being mentioned in a public forum about any security issues.

I am very serious about security and I am thankful to anyone who really wants to help.

Version 4.9.2


 
  • gabrieluk
  • Senior Member
  • Members
  • Join Date: 21-Jul 09
  • 133 posts

Posted 05 January 2010 - 02:12 AM #34

hello,
i was so curious to understand the relation of this vulnerabilities with the hosting provider,that i wrote a thread in the forums of my provider.For a reason of privacy i wont reveal the name of my host
"my host" vs CyberLNC
hi there,
i have an ecommerce software in my account,Cs Cart.I use an older version of the software,as it is the best version.Some concerns about security have been risen in CS forums.They said CyberLNC is a very good host provider,wich has it's own security measures,so the host itself blocks the lack of security from the software.My question is if "my host" is at the same level of security as CyberLNC.
I went to their website and i found this:
* Highly Secure RedHat Linux Servers
* Hardware Firewalls
* Cisco Guard DDOS Protection
* Tipping Point IPS/IDS Protection
* Multiple Internet Backbone Connections
* Gigabit Speeds from Server to Internet
* Geographically Redundant DNS
* Multiple Client Backup Solutions


ANSWER:
"Going by the information on the website, yes. Software/script wise we run a highly tweaked installation of mod_security across all of our shared servers. This blocks out a large number of attacks but obviously, not all. If there was such a solution exploited scripts would be a thing of the past.

Running out of date/vulnerable scripts on a shared web server is not acceptable. You are putting every other customer on that server at risk. If you site is exploited it could be used to attack other servers, host phishing pages, send huge volumes of spam email etc. The result would likely be poor peformance or downtime for other users on the server."

"It is also worth noting that cyberlnc use Softlayer as their provider. This means all of the servers, hardware firewall, DoS mitigation devices etc are not actually owned, managed or directly accessible by them"
Number 1

 

Posted 05 January 2010 - 03:25 AM #35

"It is also worth noting that cyberlnc use Softlayer as their provider. This means all of the servers, hardware firewall, DoS mitigation devices etc are not actually owned, managed or directly accessible by them"


Why buy the cow when you just need the milk?
(Dedicated Server from CyberLNC / Softlayer)
I've moved on from CS-Cart to WooC******** - If you need anything I can be of little help.

 
  • Lee Li Pop
  • Senior Member
  • Members
  • Join Date: 07-Mar 08
  • 941 posts

Posted 05 January 2010 - 07:58 AM #36

Hello,

[...]I have have seen a recent rise in sites hacked or hijacked [...]


[...] I have personally seen a large number of sites on CS 1.3.5 SP4 hacked in the pasts couple of weeks [...]


Is there someone here, in CS-Cart community, who heared / seen, or can testify or affirm any attempt (or the increasing) of hacking?

An user of CS-Cart?

An official of a hosting company?

An official support technician of CS-Cart?



Lee Li Pop
.
If All Else Fails, Read The Instruction Manual! Knowledge Base 2.x + CS-Cart Instruction Manual

Hosted at Pair.com since 2000. Zero hacking attempts during first 11 years... And counting!

 
  • gabrieluk
  • Senior Member
  • Members
  • Join Date: 21-Jul 09
  • 133 posts

Posted 05 January 2010 - 12:54 PM #37

Hello,





Is there someone here, in CS-Cart community, who heared / seen, or can testify or affirm any attempt (or the increasing) of hacking?

An user of CS-Cart?

An official of a hosting company?

An official support technician of CS-Cart?



Lee Li Pop


HI Pop's,
I think that Spiral is the person that knows what is going on.He is an expert in security,AND HE KNOWS,the vulnerabilities.I was looking his threads and you can see that he has knowledge.I think the point here is how to produce this patch to cover vulnerabilities as soon as we can!!!!OTHERWISE i think i will be forced from my host to REMOVE cs cart or update it,as i'm putting the security of my whole server at risk,using SP4.as i DON'T WANT TO UPGRADE(as others,i belive) the solution will be only one.change ecommerce software(thing that i don't want to do either,as i love Cs cart)
Number 1

 
  • wwgreen
  • Senior Member
  • Members
  • Join Date: 20-Nov 06
  • 411 posts

Posted 05 January 2010 - 01:26 PM #38

Everyone - Just a thought as this thread is beginning to turn sour... we're all on the same team here. No problem in holding accountable the comments made regarding a serious issue like cart security, but also not a place to crucify those who volunteer their time to assist peons like me. Let's keep it fair and helpful for the good of everyone.

 
  • Traveler
  • Senior Member
  • Members
  • Join Date: 02-Feb 07
  • 899 posts

Posted 05 January 2010 - 03:27 PM #39

Everyone - Just a thought as this thread is beginning to turn sour... we're all on the same team here. No problem in holding accountable the comments made regarding a serious issue like cart security, but also not a place to crucify those who volunteer their time to assist peons like me. Let's keep it fair and helpful for the good of everyone.


WWgreen,

I agree with you.

I have a CS cart running with 1.3.5 sp4 with no known security problems, and my host is very security minded.

If anyone at all has knowledge of security issues I personally believe they have a moral obligation to report them with as much detail as possible to the developers who more likely than not will quickly issue a patch as they have in the past.

If someone actually posts of security problems then I feel that they certainly have a moral obligation to report the issues to the developers.

If they do not provide the developers with all the information then very politely and softly I would suggest that the issues do not exist.

As the only alternative is too sad to think of or even suggest - being that someone knowingly withholds information that can hurt us all.

Lee Li's post is very good: short, business-like and to the point.

Lets have hard cold IT facts not rambling mysterious warnings with no verifiable data.

Again CS Cart's development team is the place to provide the facts to.

I will be happy to donate $100 to the United Nation's children's fund if CS cart says that Spiral is indeed a genius and correct about 1.3.5 sp4 Maybe a number of us will make a small donation and we can do something quite nice as a group so that this thread becomes a positive one: Spiral becomes a hero, we are safe and starving children are fed and cared for. This would be a win/win solution.

So publicly and formally I am requesting Spiral to become a hero and really help us instead of shouting fire in a theater and scaring us....

I for one will give him the benefit of the doubt one last time and wait for CS cart's announcement about the new security patch's based on Spiral's research.

Unless of course - he has nothing of substance about the security of 1.3.5 sp4 to say...

Version 4.9.2


 
  • TonyK
  • Member
  • Members
  • Join Date: 03-Mar 06
  • 1686 posts

Posted 05 January 2010 - 04:20 PM #40

I'm gonna chime in here.

I don't know Spiral or anyone else but JesseLee for that matter.

Spiral may know his ****, maybe not. I just think its a bit irresponsible to openly talk about security holes and get the community in an uproar and then only tell those who host with CyberLNC how to fix them. That's self serving in my opinion.

I don't think he needs to post them here, but I think he should tell CS-Cart about them so they may help the community and maybe release a patch/hot-fix.

Just my $.02

ps. BE Warned, if this thread starts to turn into a flame war, watch yourself...keep it respectful and courteous. Thank you.
Pimpin' skins since v1.0