[kmolchanov]

CS-Cart Security Bulletin #04042012

Release date: April 4, 2012
Affected CS-Cart versions: 1.3.5 and 2.x.x (all editions)
Bug severity: Critical

Summary
The update fixes a CS-Cart vulnerability that can result in a potential hacker having access to the software files.

Solution

• In your CS-Cart Help Desk account (https://www.cs-cart.com/helpdesk), open the File area page, then the Updates section.
• Download the prepare.php file for your CS-Cart version (http://kb.cs-cart.co...-cscart-version) to your local computer.
  Note: the patch is available only for authorized owners of CS-Cart Community, Professional and Multi-Vendor licenses.
• Upload the downloaded file to the CS-Cart root directory on your server replacing the existing prepare.php file.

Details
There has not been detected any case of exploiting this vulnerability so far. It has been discovered during routine security audit activities.

The details of the exploit are not to be published to avoid compromising our clients' CS-Cart installations.

Sharing the patched prepare.php file is not allowed on these Forums either.

Thank you.

[drahos.istvan]

Does this security bug effect the 3.0 RC releases?

[cavemin]

anyone can share this file ? i cant find

[JohnCarroll]

cavemin,
you will need to contact CS-Cart for the file as the first post stated that "Sharing the patched prepare.php file is not allowed on these Forums either."

John

[zeero6]

The file is there just like they say. If you can't access your helpdesk than you need to contact them

[tmv]

I have to inform just during last couple of days I was fighting with virus that infected all .js files in the site virus name JS:Redirector-PB. I have no idea how the site was infected, they say that only through FTP account. Probably the old version prepare.php could "help" with it. How do you think what security problem in the prepare.php was fixed?

[kogi]

tmv. Your service provider or yourself should be able to tell the infection vector by scanning the server logs.

There is no point in speculating until you find how your server was compromised.

[Lantan]

Hello,

I have to inform just during last couple of days I was fighting with virus that infected all .js files in the site virus name JS:Redirector-PB. I have no idea how the site was infected, they say that only through FTP account. Probably the old version prepare.php could "help" with it.

We are sorry to hear that your website was infected. You provided us with your FTP log (via our Customer Help Desk), that indicated that all the affected files were uploaded to your server by FTP. It means, that a hacker knew your FTP login and password.

There are dozens of ways in which they could be stolen. If you had your FTP login and password entered on the Upgrade settings page in your CS-Cart installation, then, yes, the vulnerability in the prepare.php file could be used for retrieving them. At the same time, there is no guarantee the FTP access were not stolen by a virus on your PC or in any other way.

Please get the full access log from your system administrator and send it to us via your personal Help Desk account. We will examine it and try to find out if your website was infected via the vulnerability in question.

How do you think what security problem in the prepare.php was fixed?

We fixed a vulnerability that can result in a potential hacker having access to the software files. I do not think it is a good idea to discuss it deeper on these Forums.

Thank you.

[tmv]

Thank you, Lantan.

Спасибо, на всякий случай.

I did have FTP credential in the Upgrade center settings. I will send you the log as you said.

As to discussing a virus infection here, in forum, maybe useful for other users, this problem may occur with everyone. Far be it from me to state that cs-cart is insecure, please, accept my apologizes if I did not express correct my question.

Thank you again.

Mikhail.

[tmv]

Sorry, I realized that this not correct threat to discuss my problem.

[kogi]

Have you cleared your cache?

[londonman]

how to detect the hacker by using this file ?

[Darius]

I have to inform just during last couple of days I was fighting with virus that infected all .js files in the site virus name JS:Redirector-PB. I have no idea how the site was infected, they say that only through FTP account. Probably the old version prepare.php could "help" with it. How do you think what security problem in the prepare.php was fixed?

Maybe you use Filezilla ftp client. My server was infected very same way. Ftp passwords in filezilla are not hashed stored as text...

[Lantan]

how to detect the hacker by using this file ?

Anyone, who is trying to access this file directly is not just a usual website visitor. The same applies to all other CS-Cart PHP files except index.php and admin.php.

[NairdaCart]

Maybe you use Filezilla ftp client. My server was infected very same way. Ftp passwords in filezilla are not hashed stored as text...

No matter what client you use the password in FTP is sent as clear text. If at all possible you should really use FTPS.

[whiplash13]

No matter what client you use the password in FTP is sent as clear text. If at all possible you should really use FTPS.

Correct they are sent in clear text but what Darius's point was that the FTP user/passwords are stored in most FTP clients as text on your computer so if your pc gets hacked they have your FTP pw's.

[applied]

Anyone, who is trying to access this file directly is not just a usual website visitor. The same applies to all other CS-Cart PHP files except index.php and admin.php.

Can you not put something in .htaccess to prevent such files being accessed directly?

[Lantan]

Can you not put something in .htaccess to prevent such files being accessed directly?

Hm, it seems nobody from us has not come to this idea, though it is obvious. Thank you for the tip!

We will use this way of protecting PHP files in next CS-Cart versions (not sure about 3.0.1).

Thank you.

[Adrian8]

It is best to use SFTP protocol and not use/disable FTP (which is not secure). One other tip to make your SFTP more secure is to change the default port number (can only be done if you have VPS or Dedicated server), pick a random which is not a port all ready in use. This can be configured on your SSH server settings -> Listen Port number, make sure you note down your new port number.

Example if you set your SSH server Port number to 444 then you would have to also set the same port on your client software when connecting.

[MichielTG]

anyone can share this file ? i cant find

Sharing the patched prepare.php file is not allowed on these Forums either. ......