SmartOptimizer Source Code Disclosure Vulnerability

Hello All,


[QUOTE]Francois Harvey has reported a vulnerability in SmartOptimizer, which can be exploited by malicious people to disclose potentially sensitive information.



The vulnerability is caused due to an error within the handling of HTTP requests containing a NULL character (“%00”) and can be exploited to disclose the source code of certain scripts (e.g. .PHP) by including “%00” in the request.



The vulnerability is reported in version 1.7. Other versions may also be affected.[/QUOTE]

Source: About Secunia Research | Flexera



Upgrade your copy of SmartOptimizer to 1.8!



[url]http://farhadi.ir/works/smartoptimizer[/url]





Lee Li Pop
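An added example, not part of the original thread or of SmartOptimizer's code: a log check a site owner could run to see whether requests carrying the NUL character ("%00") described in the advisory reached the server before the upgrade to 1.8. The Apache-style log format, the paths and the addresses in the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_to_bytes

# Matches the request line and status code of an Apache common/combined log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
MAX_ROUNDS = 3  # decode repeatedly so double-encoded forms (%2500) are caught too

# Constructed sample lines (documentation-range addresses, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /css/site.css HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /css/site.css%00 HTTP/1.1" 200 2048',
    '192.0.2.11 - - [01/Jan/2024:10:00:09 +0000] "GET /js/app.js%2500 HTTP/1.1" 400 0',
    '192.0.2.12 - - [01/Jan/2024:10:00:12 +0000] "GET /search?q=100%25 HTTP/1.1" 200 100',
]


def decode_fully(target):
    """Percent-decode a request target until it stops changing."""
    data = target.encode("latin-1", "replace")
    for _ in range(MAX_ROUNDS):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    return data


def find_null_byte_requests(lines):
    """Return (line number, raw target, status) for requests containing NUL."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a request line we understand
        if b"\x00" in decode_fully(match.group(1)):
            hits.append((number, match.group(1), int(match.group(2))))
    return hits


if __name__ == "__main__":
    for number, target, status in find_null_byte_requests(SAMPLE_LOG):
        # A 2xx answer to such a request deserves a closer look than a 4xx.
        print(f"line {number}: status {status}: {target}")
```

Hits answered with a 2xx status on a site that was still running 1.7 are the ones to review first.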

Thanks, Site upgraded with 1.8.

Appears that 1.8 also has massive speed improvements.

[quote name=‘JesseLeeStringer’]Thanks, Site upgraded with 1.8.

Appears that 1.8 also has massive speed improvements.[/QUOTE]



Hey! My upgrading speed is quite good too!





Lee Li Pop

Sorry, but how do I upgrade, just copy the files over the old ones or is there something else that needs to be done?

Thanks,

Tania

[quote name=‘E.Qi.Librium’]Sorry, but how do I upgrade, just copy the files over the old ones or is there something else that needs to be done?

Thanks,

Tania[/QUOTE]



It seems overwriting the old files with the new ones is enough. However, back up your old files before upgrading!





Lee Li Pop

oh boy, now it ruined my shop… had to take it off until I figure out what to do

Works fine from my side. However, it seems you’ve changed your .htaccess, because, http://gtmetrix.com reports no Gzip on CSS and JS





Lee Li Pop

I’m working on it, in order to see what was breaking my site I had to remove everything and put it back again one by one.



And I can’t seem to be able to do it, there is some kind of incompatibility with the new .htaccess piece of code

OK, I had this issue. Quite easy to fix it:



Clean your cache directory:


[QUOTE]/smartoptimizer/cache/[/quote]







Lee Li Pop

Done that, but still breaks the design completely, also, it was not generating any cache in the cache folder of smartoptimizer, can’t figure out what is going on, but thanks anyway

There is an issue with it breaking css. I haven’t figured it out yet.

When you do please, please share :wink:

Salut lee,

are you using concatenation feature with smartoptimizer?



thanks for the post easy update but for me in 1.3.5 works only without the .htaccess in the folder smartoptimizer/



with the htaccess it’s breaking css and cache/ folder is empty



saludos

…just my opinion. I think, CS-Cart works very well without any third party scripts and it’s just a question of your server speed and configuration. I don’t think some “big guys” would use ‘Smart Optimizer’ for their online shops. And if you are happy to win some 0.xx ms with this script by xxx products… it’s not valuable.



I know, it’s great for a Joomla or Wordpress site, but not for CS-Cart, not for Magento, and not for OpenCart with xxx+ products, filters, and so on.

I don’t agree with you Indy. My site loads at least twice as fast if Smartoptimizer is turned on.



According to Pingdom, my site will average about 15 seconds without Smartoptimizer and will average 5 - 7 seconds with Smartoptimizer.



That is a pretty huge difference to me.



This is using CS-Cart 2.1.1



As for what the big guys use or don’t use, does it matter? All that matters is that I want my site to load as quickly as it can by whatever means necessary.



I agree that the big guys probably don’t use Smartoptimizer, but they aren’t using CS-Cart either, so you take that however you want. If you are raking in millions of dollars I’m sure you can afford a custom coded site optimized however you want by a huge team of people.



Since I’m not quite to the millions of dollars yet, I’ll just stick with Smartoptimizer.



@Lee Li



Thank you for posting about the Smartoptimizer update. I probably wouldn’t have ever known without you posting it. I’ll have to look at upgrading when I upgrade to 2.1.2.



Brandon

I know, I didn’t make any tests at the moment regarding SmartOptimizer, but I don’t really believe there is the problem. As I said in the first place it is the speed and configuration of the server you are on.

Remove the file /smartoptimizer/.htaccess to fix the problem with broken css.

I agree, I had problems with the smartoptimizer/.htaccess file as well. Once I removed the file everything worked perfect.



What is the smartoptimizer/.htaccess file for anyways? Is it something that is ok to remove?



Brandon

[quote name=‘brandonvd’]I agree, I had problems with the smartoptimizer/.htaccess file as well. Once I removed the file everything worked perfect.



What is the smartoptimizer/.htaccess file for anyways? Is it something that is ok to remove?



Brandon[/QUOTE]



Hello Brandon,



I believe it should only be used if you do not already have an existing .htaccess file in place, otherwise you just add the smartoptimizer related lines to your existing .htaccess.



So, basically what Tool is saying is that he totally screwed things up by attempting to run two .htaccess files! :smiley:

[quote name=‘Struck’]Hello Brandon,



I believe it should only be used if you do not already have an existing .htaccess file in place, otherwise you just add the smartoptimizer related lines to your existing .htaccess.



So, basically what Tool is saying is that he totally screwed things up by attempting to run two .htaccess files! :D[/QUOTE]





Cute but wrong.



If you look at the content, they are trying to adjust configurations…nothing to do with making SO work.


php_flag zlib.output_compression Off
php_flag output_buffering Off
php_value output_handler NULL