Jump to content

  • You cannot start a new topic
  • You cannot reply to this topic

Security Vulnerability In Cs-Cart 4.x.x Rate Topic   - - - - -

 
  • termalert
  • Senior Member
  • Members
  • Join Date: 14-Jan 09
  • 956 posts

Posted 14 July 2016 - 11:01 AM #1

If you run CS-Cart 4.0.1 and newer, you could be affected. Hackers can gain access to your administration panel, if they know your admin script URL. If you didn’t rename your admin.php file after the installation, do it now.

 

I would feel a lot safer if my renamed admin wasn't STILL being sent to CS-Cart as part of license authentication.

 

By the way, I have uploaded the auth.pre.php

 

F#$K !!

 

The email advising me may have been a hoax.

It was installed for about 1 minute before I removed it again.

 

lol
Just realised that I had to download the fix from the real help desk.
Installed again but not sure of permissions.
Should they be 666 just like 'auth.php' is ???



 
  • Darius
  • Douchebag
  • Members
  • Join Date: 20-Apr 08
  • 3273 posts

Posted 14 July 2016 - 11:17 AM #2

Why this info is sent only by email and not in blog or here in forum ?



 
  • Traveler
  • Senior Member
  • Members
  • Join Date: 02-Feb 07
  • 899 posts

Posted 14 July 2016 - 11:17 AM #3

"renamed admin wasn't STILL being sent to CS-Cart as part of license authentication."

 

I thought they no longer did that after a certain version


Version 4.9.2


 
  • Traveler
  • Senior Member
  • Members
  • Join Date: 02-Feb 07
  • 899 posts

Posted 14 July 2016 - 11:18 AM #4

Why this info is sent only by email and not in blog or here in forum ?

 

And why is it not in my upgrade area? They should do what it takes to rush it out rent extra servers or whatever they need to do - simply make it happen - no excuses.


Version 4.9.2


 
  • imac
  • Head of Product
  • CS-Cart Architects
  • Join Date: 22-Nov 05
  • 2074 posts

Posted 14 July 2016 - 11:19 AM #5

I would feel a lot safer if my renamed admin wasn't STILL being sent to CS-Cart as part of license authentication.

If you use one of the latest version (4.3.4 or later) it is not send. Here is the code.

'admin_uri' => str_replace(fn_get_index_script('A'), '',fn_url('', 'A', 'http')),

So don't worry about this.

And since 2014 we do not store any admin script names in Helpdesk, with no exceptions.


Ilya Makarov,
CS-Cart Architect Team
Suggest and vote for new features | Report a bug

 
  • imac
  • Head of Product
  • CS-Cart Architects
  • Join Date: 22-Nov 05
  • 2074 posts

Posted 14 July 2016 - 11:21 AM #6

And why is it not in my upgrade area? They should do what it takes to rush it out rent extra servers or whatever they need to do - simply make it happen - no excuses.

From Upgrade area you can get only upgrade to 4.3.9 - it will be there within next 30 minutes.

The easiest way is to apply patch - just upload auth.pre.php to app/controllers/common folder


Ilya Makarov,
CS-Cart Architect Team
Suggest and vote for new features | Report a bug

 
  • Traveler
  • Senior Member
  • Members
  • Join Date: 02-Feb 07
  • 899 posts

Posted 14 July 2016 - 11:23 AM #7

From Upgrade area you can get only upgrade to 4.3.9 - it will be there within next 30 minutes.

The easiest way is to apply patch - just upload auth.pre.php to app/controllers/common folder

 

Yes, I looked for 4.3.9 it was not there and is getting late now (for me)... I will look again in 30 minutes.


Version 4.9.2


 
  • imac
  • Head of Product
  • CS-Cart Architects
  • Join Date: 22-Nov 05
  • 2074 posts

Posted 14 July 2016 - 11:26 AM #8

Yes, I looked for 4.3.9 it was not there and is getting late now (for me)... I will look again in 30 minutes.

Traveler,

We've just enabled it. 


Ilya Makarov,
CS-Cart Architect Team
Suggest and vote for new features | Report a bug

 
  • termalert
  • Senior Member
  • Members
  • Join Date: 14-Jan 09
  • 956 posts

Posted 14 July 2016 - 11:27 AM #9

Are the permissions for the patch 666 ?

 

I panicked when I didn't see https://www.cs-cart.com/helpdesk

in the links, just some weird address starting http://sable.madmimi...



 
  • imac
  • Head of Product
  • CS-Cart Architects
  • Join Date: 22-Nov 05
  • 2074 posts

Posted 14 July 2016 - 11:27 AM #10

Why this info is sent only by email and not in blog or here in forum ?

 

I'm working on post for the forum right now. Email notification was the number one priority.


Ilya Makarov,
CS-Cart Architect Team
Suggest and vote for new features | Report a bug

 
  • imac
  • Head of Product
  • CS-Cart Architects
  • Join Date: 22-Nov 05
  • 2074 posts

Posted 14 July 2016 - 11:30 AM #11

Are the permissions for the patch 666 ?

Permissions should be the same as for other PHP files in the same directory.

In secure server configuration it is 644.

 

Here is some info on permissions: http://docs.cs-cart....ermissions.html


Ilya Makarov,
CS-Cart Architect Team
Suggest and vote for new features | Report a bug

 
  • Fishpaste
  • Junior Member
  • Members
  • Join Date: 11-Feb 11
  • 85 posts

Posted 14 July 2016 - 11:31 AM #12

I know it says in the email that this is just for versions 4.X.X - but I'm just double checking, can you confirm older versions 2.X.X etc are not effected by the flaw?
thanks



 
  • termalert
  • Senior Member
  • Members
  • Join Date: 14-Jan 09
  • 956 posts

Posted 14 July 2016 - 11:33 AM #13

So all permissions for php in /public_html/app/controllers/common should be 644 ?

Asking because some in my folder are not.



 
  • imac
  • Head of Product
  • CS-Cart Architects
  • Join Date: 22-Nov 05
  • 2074 posts

Posted 14 July 2016 - 11:42 AM #14

I know it says in the email that this is just for versions 4.X.X - but I'm just double checking, can you confirm older versions 2.X.X etc are not effected by the flaw?
thanks

Yes, I confirm. 3.x.x & 2.x.x are not affected even though hacker knows you admin URL.


Ilya Makarov,
CS-Cart Architect Team
Suggest and vote for new features | Report a bug

 
  • termalert
  • Senior Member
  • Members
  • Join Date: 14-Jan 09
  • 956 posts

Posted 14 July 2016 - 11:45 AM #15

So all permissions for php in /public_html/app/controllers/common should be 644 ?

Asking because some in my folder are not.

 

I assume your answer would have been yes.



 
  • imac
  • Head of Product
  • CS-Cart Architects
  • Join Date: 22-Nov 05
  • 2074 posts

Posted 14 July 2016 - 11:47 AM #16

So all permissions for php in /public_html/app/controllers/common should be 644 ?

Asking because some in my folder are not.

All PHP files should be 644.

but I would like to note that at the moment file permissions are not the case.

It's just the right secure hosting of any web application.


Ilya Makarov,
CS-Cart Architect Team
Suggest and vote for new features | Report a bug

 
  • zeero6
  • Senior Member
  • Members
  • Join Date: 25-Jan 07
  • 649 posts

Posted 14 July 2016 - 01:06 PM #17

Thanks. Upgrade done


Version 4.9.3 SP1


 
  • gasngrills
  • Senior Member
  • Members
  • Join Date: 23-Feb 08
  • 247 posts

Posted 14 July 2016 - 01:31 PM #18

 Thank you for the heads up, applied patch to all my stores. is 4.3.9 upgrade only for this issue?

 

Joe


CS-Cart 4.9.1


 
  • judoscott
  • Advanced Member
  • Members
  • Join Date: 19-Mar 16
  • 94 posts

Posted 14 July 2016 - 01:32 PM #19

I don't see any patches when I log in. Is this for all versions? We're using multi vendor



 
  • imac
  • Head of Product
  • CS-Cart Architects
  • Join Date: 22-Nov 05
  • 2074 posts

Posted 14 July 2016 - 01:33 PM #20

 Thank you for the heads up, applied patch to all my stores. is 4.3.9 upgrade only for this issue?

 

Joe

4.3.9 Also have a some ordinary bugfixes. We will publish changelog a bit later.


Ilya Makarov,
CS-Cart Architect Team
Suggest and vote for new features | Report a bug