Update: Critical Vulnerability In Phpmailer Library. Should Be Fixed Asap

 
  • termalert
  • Senior Member
  • Members
  • Join Date: 14-Jan 09
  • 963 posts

Posted 01 January 2017 - 10:24 PM #21

There is no /var/log folder at all.

I can't attach a screenshot at all in this reply.

 

btw ?dispatch=tools.view_changes has revealed no core file changes.



 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11384 posts

Posted 02 January 2017 - 03:49 AM #22

If you are on a Linux server you will have a /var/log. This is not the same as var/log, which would be relative to the root of your store and probably doesn't exist.

EZ Merchant Solutions: Custom (USA based) B2B Development, Consulting, Development and Special Projects (get a quote here).
Commercial addons, payment methods and modifications to meet your business and operations needs.


 
  • termalert
  • Senior Member
  • Members
  • Join Date: 14-Jan 09
  • 963 posts

Posted 02 January 2017 - 09:54 AM #23

I guess the CS-Cart support team will have a look when they fix what they broke.

'Maybe' it was me changing to php 7.0, having the cart stop working then changing back to php 5.6

Who knows.



 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11384 posts

Posted 02 January 2017 - 10:26 PM #24

1) They didn't break it. It is open-source software used at millions of sites (cs-cart is but a very small percentage). The vulnerability has been there since day one of that open-source project's release.

2) The odds of you suddenly being affected by this vulnerability are next to zero. And believing that this vulnerability does anything to impact the operation of the cart itself is incorrect.

 

If exploited, you would probably see a large increase in your site traffic (no, it wasn't your astute marketing).  It would be spammers using your cart to send email.

 

It is a hole that would require quite a bit of specific cs-cart knowledge to exploit.  Cs-cart is way too small a market share for a spammer to spend the time figuring out how to exploit it with cs-cart.  One of the advantages of being a small player.  Just do the upgrade and the one-line change will be there.  The whole package was released so I'm assuming there are a lot of other defect corrections that go along with the SP release.




 
  • termalert
  • Senior Member
  • Members
  • Join Date: 14-Jan 09
  • 963 posts

Posted 02 January 2017 - 10:42 PM #25

Whatever the reason for my php mailer not sending emails, it occurred after the cart was upgraded.

This is a fact. As to why I am only guessing.



 
  • termalert
  • Senior Member
  • Members
  • Join Date: 14-Jan 09
  • 963 posts

Posted 03 January 2017 - 07:23 AM #26

Changed from php NON mail function to sendmail function and it worked but
when I tried php mail again it WORKED ????
Haunted script ??

 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11384 posts

Posted 03 January 2017 - 07:31 PM #27

sendmail is okay, but it doesn't require any authentication and hence relies on a parameter to identify the sender. It's not as secure as smtp and your emails could be filtered out by spam agents.




 
  • johnbol1
  • Never Re
  • Members
  • Join Date: 23-Feb 10
  • 4655 posts

Posted 03 January 2017 - 07:43 PM #28

Having applied the update a couple of days ago, I now have this error when changing order status, which I have never seen before. I don't think it would take a couple of days to raise its head. Anyone else have the same problem?

Mailer Error: SMTP connect() failed. https://github.com/P...Troubleshooting
 
Then when changing to PHP mail, get error below..poss server error anyone ?

 

ErrorMessage could not be sent.
Mailer Error: Could not instantiate mail function


Custom printed hi visibility clothing sale the UK's online hivis safety shop
v4.5.2


 
  • johnbol1
  • Never Re
  • Members
  • Join Date: 23-Feb 10
  • 4655 posts

Posted 03 January 2017 - 08:13 PM #29

Having applied the update a couple of days ago, I now have this error when changing order status, which I have never seen before. I don't think it would take a couple of days to raise its head. Anyone else have the same problem?

Mailer Error: SMTP connect() failed. https://github.com/P...Troubleshooting
 
Then when changing to PHP mail, get error below..poss server error anyone ?

 

ErrorMessage could not be sent.
Mailer Error: Could not instantiate mail function

I have asked my host to look into this and after going back and forth, it was merely a password problem.

 

Sorted!




 
  • BarryH
  • Senior Member
  • Members
  • Join Date: 03-Sep 07
  • 1459 posts

Posted 04 January 2017 - 06:11 PM #30

Hi All

 

I have installed both patches to 4.4.2 and over the last few days I have had several customers ring to check their order (STATUS).

They haven't been getting any emails at all,

 

May be pure coincidence, but may be not.

 

I have also looked in my Order Statuses and discovered that there is no TICK BOX for notify customer, but if you look HERE there should be one.

I am pretty sure it was there before! I haven't made any other changes.

 

Any ideas please.

 

Thanks in advance

Barry


BarryH

 

CS-Cart v4.4.3 (Plus one being developed v4.5.2 SP2)
UK User


 
  • johnbol1
  • Never Re
  • Members
  • Join Date: 23-Feb 10
  • 4655 posts

Posted 04 January 2017 - 06:15 PM #31

I applied the patch and check box is still there for order status P




 
  • straygecko
  • Advanced Member
  • Members
  • Join Date: 01-May 13
  • 93 posts

Posted 04 January 2017 - 06:22 PM #32

The first thing that should be checked is whether sendmail is used as the Mail Agent on your server. According to these statistics: Mail (MX) Server, over 86% of web servers on the internet are not affected by this vulnerability. This is because Postfix and Exim do not allow the vulnerable parameters to be used.

 

Anyway our tech support will check this for you.

Also if you are using SMTP you are not affected by this.  i.e. Your Settings: E-Mails has Method of sending e-mails set to via SMTP server.  As most hosts these days require using SMTP to send emails so they can track accounts sending spam most likely you are already configured this way.

 

https://github.com/P...vulnerabilities

 

"You are also safe if you're using PHPMailer's SMTP transport (i.e. you call $mail->isSMTP() in your code), as that transport does not execute shell commands."

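As an added example (not part of the thread and not CS-Cart or PHPMailer code), a store owner can check which PHPMailer transport custom code selects by scanning a PHP tree for the selector calls named in the quote above. The file names and sample contents are constructed, and the "default-mail" finding is a heuristic for files that create a PHPMailer object without calling any selector.

```python
import re
import tempfile
from pathlib import Path

# PHP method names are case-insensitive, hence re.I.
SELECTOR = re.compile(r"->\s*(isSMTP|isMail|isSendmail|isQmail)\s*\(", re.I)
NEW_MAILER = re.compile(r"new\s+\\?(?:\w+\\)*PHPMailer\b", re.I)
LOCAL = {"ismail", "issendmail", "isqmail"}  # hand the message to a local program

def audit_transports(root):
    """Return (relative path, line, transport, uses_local_program) per finding."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root)
        if any(part.lower() == "phpmailer" for part in rel.parts[:-1]):
            continue  # skip the library's own source tree
        text = path.read_text(encoding="utf-8", errors="replace")
        calls = []
        for number, line in enumerate(text.splitlines(), 1):
            for match in SELECTOR.finditer(line):
                name = match.group(1).lower()
                calls.append((rel.as_posix(), number, name, name in LOCAL))
        created = NEW_MAILER.search(text)
        if not calls and created:
            # No selector anywhere in the file: PHPMailer keeps its default, mail().
            number = text.count("\n", 0, created.start()) + 1
            calls.append((rel.as_posix(), number, "default-mail", True))
        findings.extend(calls)
    return findings

def build_sample_tree(root):
    """Constructed sample files; names and contents are invented for this demo."""
    root = Path(root)
    (root / "lib" / "phpmailer").mkdir(parents=True)
    (root / "lib" / "phpmailer" / "class.phpmailer.php").write_text("<?php $this->isMail();\n")
    (root / "orders.php").write_text("<?php\n$mail = new PHPMailer();\n$mail->isSMTP();\n")
    (root / "contact.php").write_text("<?php\n$mail = new PHPMailer();\n$mail->IsSendmail();\n")
    (root / "legacy.php").write_text("<?php\n\n$mail = new PHPMailer(true);\n")

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit_transports(tmp)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Findings with the last field set to True are the ones to review; code that sets the transport in a different file from the one that creates the mailer, or through a settings value, needs a manual look.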


 
  • BarryH
  • Senior Member
  • Members
  • Join Date: 03-Sep 07
  • 1459 posts

Posted 04 January 2017 - 06:30 PM #33

I applied the patch and check box is still there for order status P

Thanks John

 

Very strange, *Edit. I only have one tick box from list below which is the supplier. Order Status P

 

In the data base I have

Notify

Notify_department

Notify_supplier

 

I assume the plain Notify is the customer and all are set to ticked/yes

 

Hope this is a coincidence coz I can't tick any box for customer

 

Barry




 
  • straygecko
  • Advanced Member
  • Members
  • Join Date: 01-May 13
  • 93 posts

Posted 04 January 2017 - 06:42 PM #34


I have also looked in my Order Statuses and discovered that there is no TICK BOX for notify customer, but if you look HERE there should be one.

I am pretty sure it was there before! I haven't made any other changes.

 

 

From the page you linked to "Properties marked with * won’t appear if you enable the email template editor. In that case you’re supposed to manage email notifications related to order statuses via the email template editor."  Notify customer is marked with a *



 
  • BarryH
  • Senior Member
  • Members
  • Join Date: 03-Sep 07
  • 1459 posts

Posted 04 January 2017 - 07:41 PM #35

From the page you linked to "Properties marked with * won’t appear if you enable the email template editor. In that case you’re supposed to manage email notifications related to order statuses via the email template editor."  Notify customer is marked with a *

 

DOH!

 

Thanks for that, I should have read all of it!!!! Doesn't answer question of why emails don't seem to be being sent. Time will tell and I'll do some testing

 Thanks again John and straygecko




 
  • termalert
  • Senior Member
  • Members
  • Join Date: 14-Jan 09
  • 963 posts

Posted 05 January 2017 - 12:15 PM #36

BarryH. My cart ( 4.3.9 ) php mailer suddenly stopped sending order notifications even though the right boxes were ticked.

Maybe it was the patch or a recent upgrade but not 100% sure. Out of the blue it just started working again...lol



 
  • BarryH
  • Senior Member
  • Members
  • Join Date: 03-Sep 07
  • 1459 posts

Posted 05 January 2017 - 04:36 PM #37

Termalert.

 

Yeah had been following the posts on here and when I got calls I thought it was best place to post.

 

Have tested emails and they appear to be going, maybe I just have some NON-TECHY customers? LOL

 

Thanks

Barry




 
  • Lesiu
  • Newbie
  • Trial users
  • Join Date: 26-Sep 12
  • 8 posts

Posted 10 January 2017 - 03:40 PM #38

I have a problem with my store. It doesn't send e-mails any more, but it used to some time ago (last order with e-mail sent 20/12/2016). I had 4.4.2 from 07/12/2016. Then I updated the store to 4.4.2 SP2 and e-mails stopped being sent. I'm using the SMTP method. When I create a new admin account and have "inform user" checked, I get this error: "Mailer Error: SMTP connect() failed. https://github.com/P...Troubleshooting".



 
  • markhedley
  • Advanced Member
  • Trial users
  • Join Date: 19-Nov 16
  • 129 posts

Posted 11 January 2017 - 02:20 AM #39

Termalert.

 

Yeah had been following the posts on here and when I got calls I thought it was best place to post.

 

Have tested emails and they appear to be going, maybe I just have some NON-TECHY customers? LOL

 

Thanks

Barry

Often the case with non technical people, plausible deniability in their eyes ;)



 
  • Lesiu
  • Newbie
  • Trial users
  • Join Date: 26-Sep 12
  • 8 posts

Posted 11 January 2017 - 02:28 PM #40

[Tue Jan 10 15:56:59.458425 2017] [fcgid:warn] [pid 24653:tid 140692667926272] [client 89.67.xx.xx:53522] mod_fcgid: stderr: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in /home/admin/domains/zestudni.pl/public_html/app/lib/vendor/phpmailer/phpmailer/class.smtp.php on line 367, referer: https://www.zestudni.pl/myadmin.php?dispatch=profiles.update&user_id=45&user_type=A

Hello again, I found something like this in httpd error log.
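As an added example (not part of the thread), a log line of the kind posted above can be parsed and its OpenSSL error code decoded, which separates a TLS certificate failure from other causes of "SMTP connect() failed" such as a wrong password. The sample lines are constructed with documentation addresses and host names, and the bit layout assumed is the packed error format of OpenSSL 1.0.x/1.1.x.

```python
import re

# Layout of an Apache error-log line in which mod_fcgid relays PHP's stderr.
FCGID = re.compile(
    r"^\[(?P<when>[^\]]+)\] \[fcgid:\w+\] \[pid [^\]]+\] "
    r"\[client (?P<client>[^\]]+)\] mod_fcgid: stderr: (?P<msg>.*)$"
)
# OpenSSL error string followed by PHP's "in <file> on line <n>" suffix.
OPENSSL = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>.*?) in (?P<file>\S+) on line (?P<line>\d+)"
)
ERR_LIB_SSL = 20                        # OpenSSL library number for libssl
SSL_R_CERTIFICATE_VERIFY_FAILED = 134   # libssl reason code

def parse_tls_error(log_line):
    """Return the decoded OpenSSL error from one log line, or None."""
    outer = FCGID.match(log_line.strip())
    inner = OPENSSL.search(outer.group("msg")) if outer else None
    if not inner:
        return None
    packed = int(inner.group("code"), 16)
    # Packed layout (assumed OpenSSL 1.0.x/1.1.x): 8 bits lib, 12 func, 12 reason.
    lib, func, reason = (packed >> 24) & 0xFF, (packed >> 12) & 0xFFF, packed & 0xFFF
    return {
        "when": outer.group("when"), "client": outer.group("client"),
        "lib": lib, "func": func, "reason": reason,
        "reason_text": inner.group("reason"),
        "file": inner.group("file"),
        "line": int(inner.group("line")),
        "cert_verify_failed": lib == ERR_LIB_SSL and reason == SSL_R_CERTIFICATE_VERIFY_FAILED,
    }

# Constructed sample lines (documentation address and host names).
SAMPLE = [
    "[Tue Jan 10 15:56:59.458425 2017] [fcgid:warn] [pid 2001:tid 1400] "
    "[client 192.0.2.10:53522] mod_fcgid: stderr: error:14090086:SSL routines:"
    "SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in "
    "/srv/shop/app/lib/vendor/phpmailer/phpmailer/class.smtp.php on line 367, "
    "referer: https://shop.example/admin.php",
    "[Tue Jan 10 15:57:02.000001 2017] [fcgid:warn] [pid 2001:tid 1400] "
    "[client 192.0.2.10:53530] mod_fcgid: stderr: PHP Notice: constructed notice",
]

def demo():
    return [parse_tls_error(line) for line in SAMPLE]
```

A hit with `cert_verify_failed` set points at the mail server's certificate chain or host name rather than at the mailbox credentials; turning off peer verification in the mailer would hide that condition, not fix it.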