Important: CS-Cart security patch has been released.

 
  • zeke
  • Megamind
  • Administrators
  • Join Date: 01-Nov 05
  • 472 posts

Posted 19 February 2007 - 02:51 PM #1

Dear CS-Cart users,

our company has just released a security patch which eliminates issues with arbitrary orders list viewing.

Although there is no way to view the detailed order information, it is strongly recommended to apply it to all your existing CS-Cart installations to avoid unauthorized viewing of your customers' orders list.

Please download an appropriate version patch file from your File area and use it to overwrite /include/customer/orders.php script at all your CS-Cart stores.

Another way to update your store is to edit the /include/customer/orders.php script manually.

Find the following text there:

} elseif (!empty($auth['order_ids'])) {
        $query = "$db_tables[orders].order_id IN (".implode(',', $auth['order_ids']).")";
}

and replace it with this one:

} elseif (!empty($auth['order_ids'])) {
        $query = "$db_tables[orders].order_id IN (".implode(',', $auth['order_ids']).")";
} else {
        fn_set_exception('access_denied');
}

Feel free to contact our support team if you experience any problems or have any questions related to this issue.
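As an added illustration (not CS-Cart's code and not part of the post above): the unpatched and patched shapes of the condition side by side, run over three constructed sessions to show that the unpatched branch hands back an empty filter for a visitor with neither a user id nor guest order ids. The `user_id` branch and the exception standing in for `fn_set_exception()` are assumptions; only `order_ids` appears in the announcement.

```php
<?php
// Added illustration, not CS-Cart's own code. Assumed: $auth['user_id'] marks a
// logged-in customer; fn_set_exception('access_denied') is stood in for by an
// exception so the script runs stand-alone.

$db_tables = ['orders' => 'cscart_orders'];

// Shape of the original code: when neither branch is taken, $query stays ''
// and a caller that appends it to a WHERE clause no longer restricts rows.
function orders_condition_unpatched(array $auth, array $db_tables): string
{
    $query = '';
    if (!empty($auth['user_id'])) {
        $query = "$db_tables[orders].user_id = " . (int) $auth['user_id'];
    } elseif (!empty($auth['order_ids'])) {
        // intval() on each id is an added safeguard, not part of the patch
        $ids = array_map('intval', $auth['order_ids']);
        $query = "$db_tables[orders].order_id IN (" . implode(',', $ids) . ")";
    }
    return $query;
}

// Shape of the patched code: an unrecognised visitor is denied outright
// instead of receiving an unfiltered list.
function orders_condition_patched(array $auth, array $db_tables): string
{
    if (!empty($auth['user_id'])) {
        return "$db_tables[orders].user_id = " . (int) $auth['user_id'];
    } elseif (!empty($auth['order_ids'])) {
        $ids = array_map('intval', $auth['order_ids']);
        return "$db_tables[orders].order_id IN (" . implode(',', $ids) . ")";
    } else {
        throw new RuntimeException('access_denied'); // fn_set_exception('access_denied')
    }
}

// Constructed sessions: a logged-in customer, a guest who placed two orders,
// and an anonymous visitor with neither.
$sessions = [
    'customer' => ['user_id' => 42, 'order_ids' => []],
    'guest'    => ['user_id' => 0,  'order_ids' => [1001, 1002]],
    'anon'     => ['user_id' => 0,  'order_ids' => []],
];
foreach ($sessions as $name => $auth) {
    $old = orders_condition_unpatched($auth, $db_tables);
    printf("%-8s unpatched: %s\n", $name, $old === '' ? '(no filter: every order listed)' : $old);
    try {
        printf("%-8s patched:   %s\n", $name, orders_condition_patched($auth, $db_tables));
    } catch (RuntimeException $e) {
        printf("%-8s patched:   %s\n", $name, $e->getMessage());
    }
}
```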

 
  • ZulloP
  • Member
  • Banned
  • Join Date: 15-Jan 06
  • 48 posts

Posted 19 February 2007 - 03:01 PM #2

thank you.

 
  • recedo
  • Senior Member
  • Members
  • Join Date: 24-Apr 06
  • 498 posts

Posted 19 February 2007 - 03:08 PM #3

Am I right in thinking this is only a problem with 1.3.4? I'm running 1.3.3, am I safe?

Thanks
Simon

 
  • zeke
  • Megamind
  • Administrators
  • Join Date: 01-Nov 05
  • 472 posts

Posted 19 February 2007 - 03:19 PM #4

Am I right in thinking this is only a problem with 1.3.4? I'm running 1.3.3, am I safe?


CS-Cart 1.3.3 also needs to be patched (the patch is available in the Customers' Help Desk File Area; manual patching is the same as for 1.3.4).

 
  • recedo
  • Senior Member
  • Members
  • Join Date: 24-Apr 06
  • 498 posts

Posted 19 February 2007 - 03:24 PM #5

okay, thanks

Simon

 
  • MikeK
  • Senior Member
  • Members
  • Join Date: 26-Apr 06
  • 434 posts

Posted 19 February 2007 - 03:42 PM #6

Thank you for your prompt attention to this problem.

Very much appreciated.

MikeK

 
  • ryan
  • Member
  • Members
  • Join Date: 05-Dec 05
  • 79 posts

Posted 19 February 2007 - 03:52 PM #7

Does this affect older versions as well (still using 1.3.0)?

 
  • fenwick
  • Senior Member
  • Members
  • Join Date: 27-Dec 05
  • 219 posts

Posted 20 February 2007 - 05:44 PM #8

Thanks for the update however my orders.php file does not contain that text!
I recently had the cs-cart folks upgrade me from v1.2 to 1.3.4sp2 (supposedly)
I just opened a ticket with the help desk and got a reply of "looks like you're running v1.3.3"
Hmmmmm...you upgraded me to 1.3.4sp2 but it looks like I'm running 1.3.3????
Anyone have anything similar?
Thanks,
Eric
Bella Home Fashions
CS-Cart v2.0.15

 
  • fenwick
  • Senior Member
  • Members
  • Join Date: 27-Dec 05
  • 219 posts

Posted 23 February 2007 - 12:34 AM #9

Well,
I'm a complete idiot.
Just found out I was looking at a back up of ".../orders.php"
Dohhhhh!
Eric
Bella Home Fashions
CS-Cart v2.0.15