Security Vulnerability On This Forum. Empty File Download.
Posted 19 August 2015 - 07:00 AM #1
During the period July 30 - August 10 there was malicious code on the forum: when you viewed some topics, a 0-size PDF file was downloaded.
The reasons were:
1) Mozilla Firefox vulnerability
2) IPB forum vulnerability
Do I have to worry:
Yes, if you had the following:
- Windows or Linux OS,
- Firefox browser
- and downloaded this file (see example of how it looked in this thread)
So if you got this empty file download, we recommend changing all the passwords that are stored locally, especially for FTP account programs like FileZilla etc.
For more details on the vulnerability and what data could be stolen, see the official Mozilla report: https://blog.mozilla...nd-in-the-wild/
P.S. At the moment we are updating the IPB forum and will roll out the latest version within 1-2 days.
Posted 31 August 2015 - 11:54 PM #2
To clarify.
Windows or Linux OS
AND
Firefox.
I use Windows and Chrome ( or IE )
so can I presume I was safe ?
Posted 01 September 2015 - 11:28 AM #3
Yes, only Firefox was vulnerable.
Posted 01 September 2015 - 11:11 PM #4
Thank you imac.
I wonder just how splendid software would be if developers didn't have to spend so much time on security issues.
Posted 11 September 2015 - 04:14 PM #5
From Mozilla Security Blog, August 6, 2015:
"Update: we’ve now seen variants that do have a Mac section, looking for much the same kinds of files as on Linux."
https://blog.mozilla...comment-page-1/
Posted 11 September 2015 - 05:53 PM #6
It may help to use the Firefox history feature to confirm whether you visited the forums during the affected dates. Click on the three-line "hamburger" icon, History, then Show All History. Right-click the header to display the Most Recent Visit column if not already enabled. In the Search History tool, type forum. This should show you - among others - any access to the CS-Cart forums.
Unfortunately, the Added column does not seem to work in my browser, only Most Recent Visit, but in my case this was enough to confirm that I did not use Firefox to visit CS-Cart forums from July 27th through August 10th 2015.
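The history check described in the post above can also be run against Firefox's history database, which records every visit in moz_historyvisits rather than only the most recent one per page. This is an added example, not part of the original thread: forum.example.com is a placeholder host, the sample rows are constructed, and the July 30 - August 10 window is read as UTC.

```python
import sqlite3
from datetime import datetime, timezone

UTC = timezone.utc
# Affected period from the announcement, read as UTC (assumption); end is exclusive.
WINDOW_START = datetime(2015, 7, 30, tzinfo=UTC)
WINDOW_END = datetime(2015, 8, 11, tzinfo=UTC)

def to_prtime(dt):
    """visit_date is stored as microseconds since the Unix epoch."""
    return int(dt.timestamp() * 1_000_000)

def visits_in_window(conn, host, start=WINDOW_START, end=WINDOW_END):
    """Return (ISO time, URL) for every recorded visit to host in [start, end)."""
    rows = conn.execute(
        """SELECT v.visit_date, p.url
           FROM moz_historyvisits AS v
           JOIN moz_places AS p ON p.id = v.place_id
           WHERE v.visit_date >= ? AND v.visit_date < ?
             AND (p.url LIKE ? OR p.url LIKE ?)
           ORDER BY v.visit_date""",
        (to_prtime(start), to_prtime(end), f"http://{host}/%", f"https://{host}/%"),
    ).fetchall()
    return [(datetime.fromtimestamp(ts / 1_000_000, tz=UTC).isoformat(), url)
            for ts, url in rows]

def build_sample_db():
    """Constructed sample holding only the columns the query needs."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE moz_historyvisits (
            id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER);
    """)
    conn.executemany("INSERT INTO moz_places VALUES (?, ?)", [
        (1, "http://forum.example.com/index.php?/topic/1-sample/"),  # placeholder URL
        (2, "https://www.example.org/"),                             # unrelated site
    ])
    visits = [
        (1, datetime(2015, 7, 29, 23, 59, 59, tzinfo=UTC)),  # just before the window
        (1, datetime(2015, 8, 3, 9, 15, tzinfo=UTC)),        # inside the window
        (1, datetime(2015, 8, 10, 23, 30, tzinfo=UTC)),      # last affected day
        (1, datetime(2015, 9, 11, 17, 53, tzinfo=UTC)),      # later visit to the same page
        (2, datetime(2015, 8, 5, 12, 0, tzinfo=UTC)),        # in window, different host
    ]
    conn.executemany(
        "INSERT INTO moz_historyvisits (place_id, visit_date) VALUES (?, ?)",
        [(pid, to_prtime(dt)) for pid, dt in visits])
    return conn

if __name__ == "__main__":
    for when, url in visits_in_window(build_sample_db(), "forum.example.com"):
        print(when, url)
```

To check a real profile, pass `sqlite3.connect(path)` a copy of the profile's `places.sqlite`, since Firefox locks the live file while it is running. In the sample data the September visit is the one a Most Recent Visit column would display, while the query still returns the two August visits to the same page.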
Posted 16 September 2015 - 11:47 PM #7
Is the forum now using the last version of IPB3: 3.4.8?
Are you planning to update to IPB4 or the upcoming 4.1 to keep this forum current and secure?