Jump to content

  • You cannot start a new topic
  • You cannot reply to this topic

Security update available for CS-Cart 1.3.5 and 2.x.x Rate Topic   * * * * * 1 votes

 
  • kmolchanov
  • CS-Cart team
  • Join Date: 06-May 11
  • 1313 posts

Posted 05 April 2012 - 11:34 AM #1

CS-Cart Security Bulletin #04042012

Release date: April 4, 2012
Affected CS-Cart versions: 1.3.5 and 2.x.x (all editions)
Bug severity: Critical

Summary
The update fixes a CS-Cart vulnerability that can result in a potential hacker having access to the software files.

Solution
  • In your CS-Cart Help Desk account (https://www.cs-cart.com/helpdesk), open the File area page, then the Updates section.
  • Download the prepare.php file for your CS-Cart version (http://kb.cs-cart.co...-cscart-version) to your local computer.
    Note: the patch is available only for authorized owners of CS-Cart Community, Professional and Multi-Vendor licenses.
  • Upload the downloaded file to the CS-Cart root directory on your server replacing the existing prepare.php file.
Details
There has not been detected any case of exploiting this vulnerability so far. It has been discovered during routine security audit activities.

The details of the exploit are not to be published to avoid compromising our clients' CS-Cart installations.

Sharing the patched prepare.php file is not allowed on these Forums either.

Thank you.

Konstantin Molchanov,
CS-Cart Architect Team
Suggest and vote for new features | Report a bug


 

Posted 05 April 2012 - 01:51 PM #2

Does this security bug effect the 3.0 RC releases?

 
  • cavemin
  • Advanced Member
  • Banned
  • Join Date: 26-Jan 12
  • 101 posts

Posted 05 April 2012 - 02:19 PM #3

anyone can share this file ? i cant find

 

Posted 05 April 2012 - 02:51 PM #4

cavemin,
you will need to contact CS-Cart for the file as the first post stated that "Sharing the patched prepare.php file is not allowed on these Forums either."

John
John Carroll
My Webshop: Alpha Spas

 
  • zeero6
  • Senior Member
  • Members
  • Join Date: 25-Jan 07
  • 649 posts

Posted 05 April 2012 - 03:14 PM #5

The file is there just like they say. If you can't access your helpdesk than you need to contact them

Version 4.9.3 SP1


 
  • tmv
  • Member
  • Members
  • Join Date: 14-Sep 07
  • 148 posts

Posted 06 April 2012 - 09:31 AM #6

I have to inform just during last couple of days I was fighting with virus that infected all .js files in the site virus name JS:Redirector-PB. I have no idea how the site was infected, they say that only through FTP account. Probably the old version prepare.php could "help" with it. How do you think what security problem in the prepare.php was fixed?

 
  • kogi
  • Senior Member
  • Members
  • Join Date: 16-Aug 07
  • 620 posts

Posted 06 April 2012 - 11:21 AM #7

tmv. Your service provider or yourself should be able to tell the infection vector by scanning the server logs.

There is no point in speculating until you find how your server was compromised.
find / -type f -name '*.base' -exec chown kogi.kogi {} \;

 
  • Lantan
  • CVO
  • Administrators
  • Join Date: 31-Aug 05
  • 240 posts

Posted 06 April 2012 - 11:21 AM #8

Hello,

I have to inform just during last couple of days I was fighting with virus that infected all .js files in the site virus name JS:Redirector-PB. I have no idea how the site was infected, they say that only through FTP account. Probably the old version prepare.php could "help" with it.

We are sorry to hear that your website was infected. You provided us with your FTP log (via our Customer Help Desk), that indicated that all the affected files were uploaded to your server by FTP. It means, that a hacker knew your FTP login and password.

There are dozens of ways in which they could be stolen. If you had your FTP login and password entered on the Upgrade settings page in your CS-Cart installation, then, yes, the vulnerability in the prepare.php file could be used for retrieving them. At the same time, there is no guarantee the FTP access were not stolen by a virus on your PC or in any other way.

Please get the full access log from your system administrator and send it to us via your personal Help Desk account. We will examine it and try to find out if your website was infected via the vulnerability in question.

How do you think what security problem in the prepare.php was fixed?

We fixed a vulnerability that can result in a potential hacker having access to the software files. I do not think it is a good idea to discuss it deeper on these Forums.

Thank you.
Alex Vinokurov,
Chief Visionary Officer at CS-Cart & Twigmo

 
  • tmv
  • Member
  • Members
  • Join Date: 14-Sep 07
  • 148 posts

Posted 06 April 2012 - 01:39 PM #9

Thank you, Lantan.

Спасибо, на всякий случай.

I did have FTP credential in the Upgrade center settings. I will send you the log as you said.

As to discussing a virus infection here, in forum, maybe useful for other users, this problem may occur with everyone. Far be it from me to state that cs-cart is insecure, please, accept my apologizes if I did not express correct my question.

Thank you again.

Mikhail.

 
  • tmv
  • Member
  • Members
  • Join Date: 14-Sep 07
  • 148 posts

Posted 06 April 2012 - 07:49 PM #10

Sorry, I realized that this not correct threat to discuss my problem.

 
  • kogi
  • Senior Member
  • Members
  • Join Date: 16-Aug 07
  • 620 posts

Posted 06 April 2012 - 10:43 PM #11

Have you cleared your cache?
find / -type f -name '*.base' -exec chown kogi.kogi {} \;

 
  • londonman
  • Member
  • Members
  • Join Date: 27-Oct 10
  • 209 posts

Posted 07 April 2012 - 05:32 AM #12

how to detect the hacker by using this file ?

 
  • Darius
  • Douchebag
  • Members
  • Join Date: 20-Apr 08
  • 3299 posts

Posted 08 April 2012 - 12:49 PM #13

I have to inform just during last couple of days I was fighting with virus that infected all .js files in the site virus name JS:Redirector-PB. I have no idea how the site was infected, they say that only through FTP account. Probably the old version prepare.php could "help" with it. How do you think what security problem in the prepare.php was fixed?


Maybe you use Filezilla ftp client. My server was infected very same way. Ftp passwords in filezilla are not hashed stored as text...

 
  • Lantan
  • CVO
  • Administrators
  • Join Date: 31-Aug 05
  • 240 posts

Posted 09 April 2012 - 08:58 AM #14

how to detect the hacker by using this file ?

Anyone, who is trying to access this file directly is not just a usual website visitor. The same applies to all other CS-Cart PHP files except index.php and admin.php.
Alex Vinokurov,
Chief Visionary Officer at CS-Cart & Twigmo

 
  • NairdaCart
  • Senior Member
  • Members
  • Join Date: 18-Jul 11
  • 306 posts

Posted 09 April 2012 - 01:49 PM #15

Maybe you use Filezilla ftp client. My server was infected very same way. Ftp passwords in filezilla are not hashed stored as text...


No matter what client you use the password in FTP is sent as clear text. If at all possible you should really use FTPS.

 
  • whiplash13
  • PM Extraordinaire
  • Members
  • Join Date: 01-Feb 08
  • 704 posts

Posted 09 April 2012 - 08:33 PM #16

No matter what client you use the password in FTP is sent as clear text. If at all possible you should really use FTPS.


Correct they are sent in clear text but what Darius's point was that the FTP user/passwords are stored in most FTP clients as text on your computer so if your pc gets hacked they have your FTP pw's.
John
CS Cart 4.2.4

 
  • applied
  • Advanced Member
  • Members
  • Join Date: 05-Aug 11
  • 69 posts

Posted 13 April 2012 - 07:07 PM #17

Anyone, who is trying to access this file directly is not just a usual website visitor. The same applies to all other CS-Cart PHP files except index.php and admin.php.

Can you not put something in .htaccess to prevent such files being accessed directly?

 
  • Lantan
  • CVO
  • Administrators
  • Join Date: 31-Aug 05
  • 240 posts

Posted 15 April 2012 - 02:16 PM #18

Can you not put something in .htaccess to prevent such files being accessed directly?

Hm, it seems nobody from us has not come to this idea, though it is obvious. Thank you for the tip!

We will use this way of protecting PHP files in next CS-Cart versions (not sure about 3.0.1).

Thank you.
Alex Vinokurov,
Chief Visionary Officer at CS-Cart & Twigmo

 
  • Adrian8
  • Junior Member
  • Members
  • Join Date: 04-Feb 11
  • 138 posts

Posted 16 April 2012 - 11:40 AM #19

It is best to use SFTP protocol and not use/disable FTP (which is not secure). One other tip to make your SFTP more secure is to change the default port number (can only be done if you have VPS or Dedicated server), pick a random which is not a port all ready in use. This can be configured on your SSH server settings -> Listen Port number, make sure you note down your new port number.

Example if you set your SSH server Port number to 444 then you would have to also set the same port on your client software when connecting.
www.ecopolar.com - V2.1.4
www.ledpolar.com - V2.2.4

 
  • MichielTG
  • Advanced Member
  • Members
  • Join Date: 17-Aug 12
  • 65 posts

Posted 24 August 2012 - 10:50 AM #20

anyone can share this file ? i cant find


Sharing the patched prepare.php file is not allowed on these Forums either. ......