Update: Critical Vulnerability In Phpmailer Library. Should Be Fixed Asap

 
  • markhedley
  • Advanced Member
  • Trial users
  • Join Date: 19-Nov 16
  • 129 posts

Posted 13 January 2017 - 03:14 AM #41

[Tue Jan 10 15:56:59.458425 2017] [fcgid:warn] [pid 24653:tid 140692667926272] [client 89.67.xx.xx:53522] mod_fcgid: stderr: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in /home/admin/domains/zestudni.pl/public_html/app/lib/vendor/phpmailer/phpmailer/class.smtp.php on line 367, referer: https://www.zestudni.pl/myadmin.php?dispatch=profiles.update&user_id=45&user_type=A

Hello again, I found something like this in httpd error log.

 

 

You are using a self-signed SSL certificate, or you have missed the CA bundle for your chosen / specified SSL certificate somewhere in your configuration.

 

Solution: Add the self-signed certificate to your CA bundle.



 
  • kellenw
  • Junior Member
  • Members
  • Join Date: 19-Dec 10
  • 88 posts

Posted 13 January 2017 - 08:11 PM #42

Order emails and form builder contact forms do not work after applying SP2.  My contact us form, which worked fine prior to the update, now goes to a blank white page and does not send email.  It no longer shows the "form submit text" message.  Also, when a new customer signs up, they get the blank white page after submitting their information.  Several people are also suddenly having login issues, but it seems somewhat random.  I was using php mailer prior to the update.  I have tried php mailer, sendmail and Smtp.  All have issues.  Something is definitely messed up with this update.  Any ideas?  I also submitted a support ticket.



 
  • markhedley
  • Advanced Member
  • Trial users
  • Join Date: 19-Nov 16
  • 129 posts

Posted 15 January 2017 - 05:14 AM #43

Order emails and form builder contact forms do not work after applying SP2.  My contact us form, which worked fine prior to the update, now goes to a blank white page and does not send email.  It no longer shows the "form submit text" message.  Also, when a new customer signs up, they get the blank white page after submitting their information.  Several people are also suddenly having login issues, but it seems somewhat random.  I was using php mailer prior to the update.  I have tried php mailer, sendmail and Smtp.  All have issues.  Something is definitely messed up with this update.  Any ideas?  I also submitted a support ticket.

No errors in your web server logs?



 
  • kellenw
  • Junior Member
  • Members
  • Join Date: 19-Dec 10
  • 88 posts

Posted 17 January 2017 - 07:31 PM #44

No errors in your web server logs?

 None.  :-(



 
  • markhedley
  • Advanced Member
  • Trial users
  • Join Date: 19-Nov 16
  • 129 posts

Posted 18 January 2017 - 04:59 AM #45

 None.  :-(

A white screen is usually related to MySQL / database issues. Have you also checked your database?



 
  • kellenw
  • Junior Member
  • Members
  • Join Date: 19-Dec 10
  • 88 posts

Posted 18 January 2017 - 06:01 PM #46

For those suffering a similar problem as I did, the culprit was escapeshellcmd(). The update requires this to be enabled. This is disabled by default for many servers using Suhosin for security purposes. You can either disable Suhosin on the domains running CS-Cart, or you can enable the specific function manually.  Both methods should fix this particular white screen of death issue.



 
  • straygecko
  • Advanced Member
  • Members
  • Join Date: 01-May 13
  • 93 posts

Posted 18 January 2017 - 06:32 PM #47

For those suffering a similar problem as I did, the culprit was escapeshellcmd(). The update requires this to be enabled. This is disabled by default for many servers using Suhosin for security purposes. You can either disable Suhosin on the domains running CS-Cart, or you can enable the specific function manually.  Both methods should fix this particular white screen of death issue.

Odd, I don't think there are any issues with escapeshellcmd.  It had a vulnerability something like 9 years ago prior to PHP 5.2.5 / 4.4.8 but I'm not aware of any good reason to disallow it now.  Better to remove escapeshellcmd & escapeshellarg from the Suhosin function blacklist rather than disabling Suhosin.



 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11384 posts

Posted 18 January 2017 - 08:21 PM #48

For what it's worth, I have a customer that applied the patch and noticed a 1 min delay at the end of checkout.

Seems that the site uses Twigmo and that Twigmo is generating a 504 timeout (which takes 60 seconds).  So you might want to check your log data around your orders to see if there's a twigmo response with this snippet in it.

 <!-- Jumbotron --> <div class="jumbotron"> <h1><i class="icon-time orange"></i> 504 Gateway Timeout</h1> <p class="lead">The web server is returning an unexpected networking error for <em><span id="display-domain"></span></em>. <br />If you need immediate assistance, please <a href="mailto:ops@simtech.ru">send us an email</a> instead.<br />We apologize for any inconvenience.</p> <a href="javascript:document.location.reload(true);" class="btn btn-default btn-lg text-center"><span class="green">Try This Page Again</span></a> </div></div> </div><!-- /.body-container --> <!-- Site footer --> <div class="footer"> <div class="row"> <div class="col-md-12 jumbotron"> </div> </div> </div><!-- /container --> </body> </html> 

EZ Merchant Solutions: Custom (USA based) B2B Development, Consulting, Development and Special Projects (get a quote here).
Commercial addons, payment methods and modifications to meet your business and operations needs.


 
  • kellenw
  • Junior Member
  • Members
  • Join Date: 19-Dec 10
  • 88 posts

Posted 19 January 2017 - 05:48 PM #49

Odd, I don't think there are any issues with escapeshellcmd.  It had a vulnerability something like 9 years ago prior to PHP 5.2.5 / 4.4.8 but I'm not aware of any good reason to disallow it now.  Better to remove escapeshellcmd & escapeshellarg from the Suhosin function blacklist rather than disabling Suhosin.

 

I agree.  Best practice would definitely be to enable them (remove from blacklist) rather than simply disable Suhosin wholesale.  For instance, I disabled suhosin outright just to quickly see if that would "fix" the issue, and once confirmed, then went back later to remove the function from the disabled functions list in suhosin configuration.

 

I also agree that it does appear escapeshellcmd and escapeshellarg are currently considered a low-priority security risk.  Still, some people, like myself, prefer to disable functions that are not required by software in use, to keep server security locked down as best as is reasonably possible (no need to leave a "door" unlocked that you don't use).  The issue in my case, and in the case of many others, is that these particular functions often come/came disabled by default... particularly on servers/control panels that were set up a year or more in the past, due to particular security concerns pertaining to them previously.

 

It would have been ideal if the upgrade center in CS-Cart had been configured to check for these newly required functions prior to allowing the upgrade to continue, since it is something that previously was not required for full/proper functionality.  This function check is a capability that already exists in their upgrade and install routine for other functions.  It really should have also been mentioned in release notes, so admins could make the proper adjustments prior to upgrading.  I understand though... Sometimes things get missed, especially when you're trying to get a security patch pushed out in a timely fashion to protect users/customers.

 

Take care,

Kellen 
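An added example, not CS-Cart's own upgrade code: a pre-upgrade check of the kind discussed in the posts above, reporting required functions that are blocked by `disable_functions` or by Suhosin's `suhosin.executor.func.blacklist`. The required list holds only the two functions named in this thread, and `parse_function_list` and `find_blocked_functions` are hypothetical names.

```php
<?php
// Added example, not CS-Cart code: preflight check for functions an upgrade needs.
// Assumption: the list holds only the two functions named in this thread.
const REQUIRED_FUNCTIONS = ['escapeshellcmd', 'escapeshellarg'];

/** Split a comma-separated ini value into lower-cased function names. */
function parse_function_list($raw): array
{
    if (!is_string($raw) || trim($raw) === '') {
        return []; // directive unset, or the extension is not loaded
    }
    $names = array_map('strtolower', array_map('trim', explode(',', $raw)));
    return array_values(array_filter($names, 'strlen'));
}

/**
 * Return [function => reason] for every required function that is unavailable.
 * $ini maps directive name => raw value, so sample data can be passed in.
 */
function find_blocked_functions(array $required, array $ini): array
{
    $disabled  = parse_function_list($ini['disable_functions'] ?? '');
    $blacklist = parse_function_list($ini['suhosin.executor.func.blacklist'] ?? '');

    $blocked = [];
    foreach ($required as $fn) {
        $fn = strtolower($fn);
        if (in_array($fn, $disabled, true)) {
            $blocked[$fn] = 'listed in disable_functions';
        } elseif (in_array($fn, $blacklist, true)) {
            $blocked[$fn] = 'listed in suhosin.executor.func.blacklist';
        } elseif (!function_exists($fn)) {
            $blocked[$fn] = 'not defined in this PHP build';
        }
    }
    return $blocked;
}

// Read the live values. Run this through the web server, because the CLI
// often loads a different php.ini than the SAPI that serves the store.
$live = [];
foreach (['disable_functions', 'suhosin.executor.func.blacklist'] as $key) {
    $live[$key] = ini_get($key); // false when the directive does not exist
}
$blocked = find_blocked_functions(REQUIRED_FUNCTIONS, $live);
foreach ($blocked as $fn => $why) {
    echo "BLOCKED {$fn}: {$why}\n";
}
echo $blocked === [] ? "All required functions are callable.\n" : '';
```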



 
  • kellenw
  • Junior Member
  • Members
  • Join Date: 19-Dec 10
  • 88 posts

Posted 19 January 2017 - 05:53 PM #50

 

For what it's worth, I have a customer that applied the patch and noticed a 1 min delay at the end of checkout.

Seems that the site uses Twigmo and that Twigmo is generating a 504 timeout (which takes 60 seconds).  So you might want to check your log data around your orders to see if there's a twigmo response with this snippet in it.

 <!-- Jumbotron --> <div class="jumbotron"> <h1><i class="icon-time orange"></i> 504 Gateway Timeout</h1> <p class="lead">The web server is returning an unexpected networking error for <em><span id="display-domain"></span></em>. <br />If you need immediate assistance, please <a href="mailto:ops@simtech.ru">send us an email</a> instead.<br />We apologize for any inconvenience.</p> <a href="javascript:document.location.reload(true);" class="btn btn-default btn-lg text-center"><span class="green">Try This Page Again</span></a> </div></div> </div><!-- /.body-container --> <!-- Site footer --> <div class="footer"> <div class="row"> <div class="col-md-12 jumbotron"> </div> </div> </div><!-- /container --> </body> </html> 

 

I'm not currently using twigmo, but I have plans to do so in the future.  This might save someone from some headaches, including myself down the road.  Good on you to mention it.  In fact, this is probably worth adding to the bug tracker if you haven't already.

 

Take Care,

Kellen



 
  • straygecko
  • Advanced Member
  • Members
  • Join Date: 01-May 13
  • 93 posts

Posted 19 January 2017 - 06:46 PM #51


I also agree that it does appear escapeshellcmd and escapeshellarg are currently considered a low-priority security risk.  Still, some people, like myself, prefer to disable functions that are not required by software in use, to keep server security locked down as best as is reasonably possible (no need to leave a "door" unlocked that you don't use).  The issue in my case, and in the case of many others, is that these particular functions often come/came disabled by default... particularly on servers/control panels that were set up a year or more in the past, due to particular security concerns pertaining to them previously.

 

You better put htmlentities and str_replace into that default lockdown, as they both have had vulnerabilities 6 or 7 years ago.  Heck, since you don't know if there are any unknown vulnerabilities in other functions then you should lock them all down and then open them up one by one until things work.

 

Seriously, though, I know you're stuck with hosts who put them in the black list while they were migrating servers 9 years ago and never took them out.  I just didn't want anyone thinking that opening them up was possibly opening a security hole.  Just like htmlentities, they are functions used to enhance security and there really is no good reason to lock them down.  Other functions that cs-cart requires, like shell_exec, exec, system & passthru, are far more dangerous.



 
  • kellenw
  • Junior Member
  • Members
  • Join Date: 19-Dec 10
  • 88 posts

Posted 19 January 2017 - 07:46 PM #52

hehe... I don't disagree with you straygecko.  My own personal preference is to be as cautious as is reasonable when it comes to security... though it can certainly become a never ending pursuit if one lets it, and which you alluded to.  "Reasonable" means different things to different folks. :)

 

It's still a relatively common occurrence to encounter these functions disabled on default setups, which is why I mentioned it being a smart thing to include new function requirements in release notes.  I mentioned this to CS-Cart staff.  They agreed.  They're putting it in there now. :)

 

Take care! :)



 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11384 posts

Posted 19 January 2017 - 09:43 PM #53

I'm not currently using twigmo, but I have plans to do so in the future.  This might save someone from some headaches, including myself down the road.  Good on you to mention it.  In fact, this is probably worth adding to the bug tracker if you haven't already.

 

Take Care,

Kellen

Not sure unavailability of a server is really a bug as much as an administrative issue.  However, having a 60 second TCP timeout is standard but a bit long for an interactive process.  If you can't connect in 5 seconds, you should just move along....




 
  • kellenw
  • Junior Member
  • Members
  • Join Date: 19-Dec 10
  • 88 posts

Posted 19 January 2017 - 11:27 PM #54

Not sure unavailability of a server is really a bug as much as an administrative issue.  However, having a 60 second TCP timeout is standard but a bit long for an interactive process.  If you can't connect in 5 seconds, you should just move along....

 

Can't argue with that. :)



 
  • kalexan
  • Junior Member
  • Members
  • Join Date: 19-Apr 07
  • 12 posts

Posted 26 January 2017 - 12:11 PM #55

Hi Sergey

 

In the 135sp4 the line

 

$this->Sender = $address;

 

is not to be found

 

Fotis

 

@Fotis: Upgrade PHPMailer to the latest (replace class.phpmailer.php and class.smtp.php) and moreover follow the modifications as dictated for cs-cart 4.X

 

Cheers!