Important: OpenSSL Vulnerability May Exploit Your Store's SSL

On Monday, April 7th, a major vulnerability in OpenSSL was discovered. The severity of this exploit could expose your customers' credit card information, as well as usernames and passwords.



For anyone hosting their own server with payment processing directly on their site, it is important that you update OpenSSL on your server. Furthermore, you should regenerate your SSL certificates ASAP.



For more information on this vulnerability:

http://heartbleed.com/



To find out if your server is vulnerable, visit:

http://filippo.io/Heartbleed



This exploit was only announced yesterday but has been present in the OpenSSL codebase for over 2 years. If you are found vulnerable, the only way to close this hole with absolute certainty is to patch and regenerate your SSL certificates.

Applies only to self-signed certificates, correct?

[quote name='tbirnseth' timestamp='1396939713' post='181223']

Applies only to self-signed certificates, correct?

[/quote]



I don't recall reading that anywhere. I've tested a few sites running CS-Cart from this forum and there are definitely some affected.



taken from PC World:



The vulnerable versions of OpenSSL are 1.0.1 through 1.0.1f with two exceptions: OpenSSL 1.0.0 branch and 0.9.8, according to a special website set up by researchers who found the problem.



If exploited, the flaw could allow attackers to monitor all information passed between a user and a Web service or even decrypt past traffic they’ve collected.



“This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users,” the researchers wrote.



The bug was discovered by three researchers from Codenomicon, a computer security company, and Neel Mehta, who works on security for Google.



The scope of the problem is vast, as many modern operating systems are suspected as having an affected OpenSSL version.



Operating systems that may have a vulnerable version of OpenSSL include Debian Wheezy, Ubuntu 12.04.4 LTS, CentOS 6.5, Fedora 18, OpenBSD 5.3, FreeBSD 8.4, NetBSD 5.0.2 and OpenSUSE 12.2, they wrote.

You can check your site here.

https://lastpass.com/heartbleed/

Went to the lastpass and it says we need to respond.



According to Future Hosting (our host), here is what they posted:

“As this vulnerability has existed for a long time and it is not possible to know whether it has been exploited, you should use your control panel or OpenSSL tools to generate a new private key and certificate request for each certificate you have on your server. Then, use the “re-key” feature at your SSL certificate provider to generate a new certificate based on the new CSR file. If your SSL private key was able to be downloaded through the exploit, someone on the Internet might be able to view encrypted data when it is transmitted to or from your server or fool users into using a fake web site with your actual SSL certificate on it. You should not publish a new certificate until after you have applied the fix for your system.”



I am waiting to hear back from them, but from what I can see it does look like it affects more than self-signed certs. Can anyone else confirm this?
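The re-key procedure Future Hosting describes, as an added worked example (not code from the thread, from Future Hosting or from CS-Cart): generate a genuinely new private key and CSR, then confirm that the CSR really carries a different public key from the certificate currently deployed. The check matters because a "re-key" submitted with the old CSR just reissues a certificate for the same possibly leaked key. It assumes the openssl command line is installed; the file names and the hostname shop.example are placeholders, and the "deployed" certificate is a constructed self-signed stand-in.

```shell
#!/bin/sh
# Added example (not from the thread or Future Hosting): re-key with a NEW
# private key and prove the new CSR does not reuse the deployed certificate's
# key. Assumes the openssl CLI is on PATH; file names and "shop.example" are
# placeholders.

# Usage: new_key_and_csr <new.key> <new.csr> <common-name>
# Generates a fresh 2048-bit RSA key and a CSR for it in one step.
# -nodes leaves the key unencrypted so the web server can start unattended.
new_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1" -out "$2" -subj "/CN=$3" 2>/dev/null && chmod 600 "$1"
}

# Usage: extract_pubkey key|csr|cert <file>
# Prints the PEM public key carried by a private key, a CSR or a certificate.
extract_pubkey() {
    case $1 in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -pubkey -noout ;;
        cert) openssl x509 -in "$2" -pubkey -noout ;;
        *)    return 2 ;;
    esac
}

# Usage: pubkey_fp key|csr|cert <file>
# SHA-256 fingerprint of the public key, so key, CSR and cert can be compared.
pubkey_fp() {
    extract_pubkey "$1" "$2" 2>/dev/null | openssl dgst -sha256 | awk '{ print $NF }'
}

# Usage: rekey_is_fresh <new.key> <new.csr> <deployed.crt>
# 0: CSR matches the new key on disk AND that key differs from the deployed cert's.
# 1: CSR still carries the deployed certificate's key (re-keyed from the old CSR).
# 2: CSR and the private key on disk do not match at all (wrong file pairing).
rekey_is_fresh() {
    new=$(pubkey_fp key "$1"); csr=$(pubkey_fp csr "$2"); old=$(pubkey_fp cert "$3")
    [ -n "$new" ] && [ "$new" = "$csr" ] || return 2
    [ "$csr" != "$old" ]
}

# Constructed stand-in for the certificate currently on the server: a
# self-signed cert whose key is treated as possibly leaked. Not a real cert.
make_deployed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1" -out "$2" -subj "/CN=$3" 2>/dev/null
}

# Walk-through in a scratch directory:  sh rekey-check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && cd "$d"
    make_deployed_cert old.key old.crt shop.example
    new_key_and_csr new.key new.csr shop.example
    rekey_is_fresh new.key new.csr old.crt \
        && echo "new.csr carries a fresh key: safe to submit for re-key"
    openssl req -new -key old.key -out reused.csr -subj /CN=shop.example 2>/dev/null
    rekey_is_fresh old.key reused.csr old.crt \
        || echo "reused.csr still uses the deployed key: do NOT submit it"
fi
```

Once the provider returns the re-keyed certificate, run `pubkey_fp cert new.crt` and compare it with `pubkey_fp key new.key` before installing it; a mismatch means the wrong CSR was submitted. Install it only after the OpenSSL package itself has been updated, as the quoted notice says, and revoke the old certificate afterwards.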

Run the test on your site and it should tell you whether your site is vulnerable or not.

That being said, you should re-generate any private/public keys you might have in use for SSH or other encryption since those will be outside the 'https' protocol.

Since it is only the 1.0.1 through 1.0.1f implementations of OpenSSL that are affected, in addition to using the websites already listed, you can double check which version your server is using this way:



Your admin panel > Administration > Database > phpinfo > ctrl + f (cmd + f for OS X users) type: openssl > enter



Your server's installed OpenSSL version number should show on the second or third entry depending on the setup.



It would be helpful if the CS-Cart team sent an email to their client database (as other software vendors have) to alert everyone to the issue and explain how to check, and if affected what to do. Many people in shared hosting environments need only contact their webhost and demand that they take immediate action.



CS-Cart isn’t obligated to do this, but in the interest of reducing the obvious privacy/security risks to all netizens it’s a quick, easy and responsible step to take.



It seems the media has jumped on heartbleed, albeit in a sensational way. Hopefully all this focus on SSL will pave the way to better standards and help to educate average internet users on how important encryption is.



This forum isn’t secured, that’s why I’ve always worn my tin foil hat :)



Quick Edit: Here is a link to useful information: http://digital-foren…s-simulcast-etc



The second paragraph has a PDF (tested clean on virustotal) of a presentation by the security researcher “Malware Jack” that is clear, explicit and definitely worth reading by everyone here, especially people administering their own servers.
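A shell-side version of the same check, added here as an example and not taken from the thread or from CS-Cart: it classifies the `openssl version` string against the 1.0.1 through 1.0.1f range quoted above, and then looks for the backported fix in the package changelog. The second step is the one the phpinfo method cannot do: distributions such as CentOS and Debian patch the library without changing the upstream version string, so a fixed CentOS 6.5 box still reports 1.0.1e. The script assumes a Linux host with either rpm or the usual Debian changelog paths, and references the Heartbleed CVE identifier CVE-2014-0160, which the thread itself does not mention.

```shell
#!/bin/sh
# Added example (not from the thread): classify an "openssl version" string
# against the Heartbleed-affected range 1.0.1 .. 1.0.1f, then look for the
# backported fix. A version string in the range means "needs checking", never
# "definitely vulnerable", because distros patch without bumping the version.
# Assumes: Linux with rpm, or Debian-style changelog files (paths below are
# the usual ones, listed as an assumption).

# Usage: heartbleed_version_range "<output of openssl version>"
# 0 = inside the affected range, 1 = outside it (1.0.1g+, 1.0.0, 0.9.8, ...).
heartbleed_version_range() {
    set -- $1                          # split "OpenSSL 1.0.1e-fips 11 Feb 2013"
    case $2 in
        1.0.1)              return 0 ;;   # plain 1.0.1, no letter suffix
        1.0.1[abcdef])      return 0 ;;   # 1.0.1a .. 1.0.1f
        1.0.1[abcdef]-*)    return 0 ;;   # e.g. 1.0.1e-fips on RHEL/CentOS
        1.0.2-beta1)        return 0 ;;   # upstream also listed this beta
        *)                  return 1 ;;
    esac
}

# Usage: heartbleed_fix_in_changelog
# 0 = the installed package's changelog records the fix (CVE-2014-0160),
# 1 = a changelog was found but has no such entry, 2 = nothing to inspect.
heartbleed_fix_in_changelog() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog openssl 2>/dev/null | grep -q CVE-2014-0160
    else
        found=2
        for f in /usr/share/doc/libssl1.0.0/changelog.Debian.gz \
                 /usr/share/doc/openssl/changelog.Debian.gz; do
            [ -r "$f" ] || continue
            found=1
            zcat "$f" | grep -q CVE-2014-0160 && return 0
        done
        return $found
    fi
}

# Check this host:  sh heartbleed-version.sh --local
if [ "${1:-}" = "--local" ]; then
    v=$(openssl version 2>/dev/null) || v="OpenSSL unknown"
    if heartbleed_version_range "$v"; then
        if heartbleed_fix_in_changelog; then
            echo "$v: affected series, but the package changelog records the fix"
        else
            echo "$v: affected series and no fix recorded in the changelog: update now"
        fi
    else
        echo "$v: outside the affected 1.0.1 .. 1.0.1f range"
    fi
fi
```

Even a clean result here only covers the system OpenSSL; a control panel, PHP build or mail daemon shipped with its own copy of the library has to be checked separately, which is why the online testers listed earlier in the thread (which probe the live TLS service) remain the final word.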

Will it be affecting the current versions of cs-cart?

[quote name='NaMo' timestamp='1397334643' post='181623']

Will it be affecting the current versions of cs-cart?

[/quote]

It should be server related but not the script. You can check with your hosting to see if they have taken care of this problem.

You need to update your openssl package, actually.



For CentOS:

yum clean all
yum update openssl
service httpd restart

For Debian:

apt-get update
apt-get install openssl
/etc/init.d/apache2 restart
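One thing the update commands above leave open, shown as an added example rather than anything posted in the thread: restarting Apache only swaps the library for Apache. Any other daemon that loaded the old libssl or libcrypto before the update (mail, FTP, nginx, a database with TLS enabled) keeps running the vulnerable code until it is restarted too. On Linux the kernel marks such mappings "(deleted)" in /proc/<pid>/maps, so they can be found. The script assumes a Linux host (reading other users' maps needs root); the sample maps lines are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the thread): after "yum update openssl" or
# "apt-get install openssl", list processes still holding the OLD library.
# Assumes Linux /proc; run as root to see every process.

# Usage: stale_ssl_libs <maps-file>
# Prints each stale libssl/libcrypto path mapped in that file (sorted, unique).
# 0 = at least one stale library, 1 = none.
stale_ssl_libs() {
    awk '$NF == "(deleted)" && $6 ~ /lib(ssl|crypto)\.so/ { print $6 }' "$1" \
        | sort -u | grep .
}

# Usage: processes_with_stale_ssl
# Prints "pid command: libs" for every process on this host still using a
# replaced OpenSSL library. 0 = something needs restarting, 1 = host is clean.
processes_with_stale_ssl() {
    clean=1
    for maps in /proc/[0-9]*/maps; do
        libs=$(stale_ssl_libs "$maps" 2>/dev/null) || continue
        pid=${maps#/proc/}; pid=${pid%/maps}
        printf '%s %s: %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)" \
            "$(printf '%s' "$libs" | tr '\n' ' ')"
        clean=0
    done
    return $clean
}

# Constructed sample of /proc/<pid>/maps lines (not from a real host): a daemon
# still holding the replaced 1.0.1e libraries, plus an unrelated libc mapping.
sample_maps() {
    cat > "$1" <<'EOF'
7f3e1a000000-7f3e1a05e000 r-xp 00000000 fd:00 131091 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3e1a05e000-7f3e1a25e000 ---p 0005e000 fd:00 131091 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3e1a25e000-7f3e1a41a000 r-xp 00000000 fd:00 131088 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f3e1a800000-7f3e1a98a000 r-xp 00000000 fd:00 131073 /lib64/libc-2.12.so
EOF
}

# Check this host:  sh stale-openssl.sh --local
if [ "${1:-}" = "--local" ]; then
    processes_with_stale_ssl || echo "no process is using a replaced OpenSSL library"
fi
```

Restart each service the scan lists (or reboot, which is simpler on a small VPS) and run the scan again until it comes back clean; a backported fix keeps the same file name, so the "(deleted)" marker, not the version in the path, is what identifies the old copy.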

The openssl package may or may not need to be updated. That's why the version should be checked.

If it is updated, then any email, ssh, or other passwords generated on the site should be recreated and changed.



Best thing is to contact your hosting provider and find out if your site was affected or vulnerable during any prior period.

If so, have them fix it (should already be done) and then change all your passwords for email, ssh, or anything else that uses a security certificate to gain access.