
Several CS-Cart Security Issues Discovered: Protect Your Store ASAP

 
  • ikoshkin
  • Tech Writer
  • CS-Cart Architects
  • Join Date: 25-Nov 15
  • 194 posts

Posted 27 December 2017 - 09:41 AM #1

Hello. Our security audit revealed a few issues of varying severity that affect all 4.x.x versions of CS-Cart and Multi-Vendor, including the latest version, 4.7.1. It is vital that all store owners are aware of this problem and address it as soon as possible. One of the issues was found by our reseller, and the rest were discovered in house (by our own specialists). To our knowledge, the vulnerabilities haven't been exploited.

To give you more time to protect your store, we are not disclosing the technical details. Suffice it to say that we advise everyone who uses a version from 4.0.1 up to 4.7.1 (including 4.7.1 SP1) to take one of the following measures as soon as possible:

Upgrade to CS-Cart or Multi-Vendor 4.7.1 SP2. This version contains the fixes for all the security issues that we are aware of. It is already available in the Upgrade Center in the Administration panel of your store. Please note that to see 4.7.1 SP2 in the Upgrade Center, you’ll first need to install the upgrades that came before 4.7.1 SP2, if you haven’t done that already.

For those who can’t upgrade to the latest version, we have prepared a free add-on that addresses the problems. We think that installing an add-on is much more convenient for a store owner than changing lines of code in various files manually. To get the add-on:
  • Sign in to Help Desk to download the add-on. Enter the email and password of your Help Desk account. Alternatively, use the Forgot your password? link on that page to sign in without using a password.
  • Once you sign in to Help Desk, go to the File area. Scroll down to find the Updates folder. Click on that folder to open it.
  • Find the security_fixes_4xx_addon.zip file. Download it by clicking the icon on the right.
  • The archive with the add-on will be downloaded to your computer. Install the add-on from the archive as described in the documentation.
This will solve the discovered security-related problems in your store. Please note that the add-on doesn’t include the fix for the vulnerability that we discovered in November 2017. If you missed that announcement, please take the measures described there as well.

 
  • Mongoose
  • Senior Member
  • Members
  • Join Date: 08-Mar 13
  • 954 posts

Posted 27 December 2017 - 01:17 PM #2

Dear Ivan

 

We upgraded this morning right after we received the all-important mail. However, after the upgrade from V4.6.3SP1 to V4.7.1SP2, editing promotions like a deal of the day is causing issues.

 



two V4.6.2 and one  V4.2.4 - hedonist working on Sundays


 
  • poppedweb
  • Authorized Reseller
  • Members
  • Join Date: 02-Aug 16
  • 405 posts

Posted 27 December 2017 - 01:34 PM #3

Dear Ivan

 

We upgraded this morning right after we received the all-important mail. However, after the upgrade from V4.6.3SP1 to V4.7.1SP2, editing promotions like a deal of the day is causing issues.

This is caused by the fact that the offset is not defined. My guess is that it is not being checked whether it is set, or that the existing variable is not defined as an array. You could fix this by using something similar to this or by defining it as an array, though I think some hooks' order got changed, which can cause this kind of behaviour.

 

If it is the first case you can use something similar to this:

// Check isset() first: calling is_array() on an undefined key would itself raise an "undefined index" notice.
$var['promotion_id'] = (isset($var['promotion_id']) && is_array($var['promotion_id'])) ? $var['promotion_id'] : array();

In plain words this means: if $var['promotion_id'] is not an array, make it an (empty) array. If it is an array, keep the same values.


PoppedWeb | sales@poppedweb.com | https://poppedweb.com
TurnKey Website Design | Add-Ons | Performance Audits | Dedicated Server Management
24/7 Support | Response within an hour (during working hours).

 
  • Mongoose
  • Senior Member
  • Members
  • Join Date: 08-Mar 13
  • 954 posts

Posted 27 December 2017 - 01:47 PM #4

This is caused by the fact that the offset is not defined. My guess is that it is not being checked whether it is set. You could fix this by using something similar to this

$var['promotion_id'] = !isset($var['promotion_id']) ? 0 : $var['promotion_id'];

In plain words this means: if $var['promotion_id'] is not set, set it to 0. If it is set, keep the same value.

 

Harm.

 

The file in question, func.php in /app/addons/ab__deal_of_the_day/, has in lines 76 to 77 the following code:

$promotion_data['promotion_id'] = $promotion_id;   // $promotion_id comes straight from the hook's arguments
foreach (Languages::getAll() as $promotion_data['lang_code'] => $_d) {   // one row per installed language
    db_query("INSERT INTO ?:ab__deal_of_the_day ?e", $promotion_data);   // ?e expands $promotion_data into the insert's column/value list
}

Now I am the layperson here and not sure how to implement your suggestion. Please elaborate




 
  • poppedweb
  • Authorized Reseller
  • Members
  • Join Date: 02-Aug 16
  • 405 posts

Posted 27 December 2017 - 02:00 PM #5

Harm.

 

The file in question, func.php in /app/addons/ab__deal_of_the_day/, has in lines 76 to 77 the following code:

$promotion_data['promotion_id'] = $promotion_id;   // $promotion_id comes straight from the hook's arguments
foreach (Languages::getAll() as $promotion_data['lang_code'] => $_d) {   // one row per installed language
    db_query("INSERT INTO ?:ab__deal_of_the_day ?e", $promotion_data);   // ?e expands $promotion_data into the insert's column/value list
}

Now I am the layperson here and not sure how to implement your suggestion. Please elaborate

 

Hello,

 

I have taken a look at an existing UniTheme installation of one of my customers and found out that the arguments in the hook have been switched around. Take a close look:

 

CS-Cart's hook (since 4.7.1):   fn_set_hook('update_promotion_post', $data, $promotion_id, $lang_code);

AlexB's hook (with core mod):   fn_set_hook('update_promotion_post', $promotion_id, $promotion_data, $lang_code);

 

There are 2 ways to solve this 

 

1. Modify /app/functions/fn.promotions.php and replace CS-Cart's hook with AlexB's hook.

2. Modify the function for the corresponding hook to fit your needs.

 

!!! Do clear the cache by deleting the cache folder because hooks are also cached in CS-Cart. !!!

 

If you have any more questions please contact AlexBranding to fix this issue. 

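Added example, not code from this thread, from CS-Cart or from AlexBranding: a plain-PHP hook handler that illustrates option 2 above (adapting the handler to the hook it is actually called with) together with the isset/is_array guard from posts #3 and #4. It recovers the promotion id and the promotion data by type rather than by position, so it works whether the core fires fn_set_hook('update_promotion_post', $data, $promotion_id, $lang_code) or the AlexB order, and it refuses to build rows when promotion_id is missing instead of running into the undefined-offset error. DemoHooks, DEMO_LANGUAGES and the demo_* functions are stand-ins assumed for this example (for fn_set_hook(), Languages::getAll() and the add-on's own function names); rows are returned rather than passed to db_query().

```php
<?php
// Added example, not code from the thread, CS-Cart or AlexBranding.
// Stand-ins (assumed for this example): DemoHooks for CS-Cart's fn_set_hook()
// registry, DEMO_LANGUAGES for Languages::getAll(), and returned row arrays
// instead of db_query("INSERT INTO ?:ab__deal_of_the_day ?e", $promotion_data).
declare(strict_types=1);

// Constructed language list: lang_code => language record.
const DEMO_LANGUAGES = ['en' => ['name' => 'English'], 'de' => ['name' => 'Deutsch']];

/** Minimal hook registry: hook name => list of handlers. */
final class DemoHooks
{
    private static $handlers = [];

    public static function register(string $name, callable $handler): void
    {
        self::$handlers[$name][] = $handler;
    }

    /** Call every handler registered for $name with the given arguments, collecting results. */
    public static function set(string $name, ...$args): array
    {
        $results = [];
        foreach (self::$handlers[$name] ?? [] as $handler) {
            $results[] = $handler(...$args);
        }
        return $results;
    }
}

/**
 * Recover [promotion_id, data] from either call convention quoted in the thread:
 *   CS-Cart 4.7.1:  fn_set_hook('update_promotion_post', $data, $promotion_id, $lang_code)
 *   AlexB core mod: fn_set_hook('update_promotion_post', $promotion_id, $promotion_data, $lang_code)
 * The id is always the scalar and the data always the array, so the order is decided by type.
 */
function demo_normalise_promotion_args($a, $b): array
{
    if (is_array($a) && !is_array($b)) {
        [$data, $promotion_id] = [$a, $b];          // core order
    } elseif (!is_array($a) && is_array($b)) {
        [$promotion_id, $data] = [$a, $b];          // AlexB order
    } else {
        throw new InvalidArgumentException('update_promotion_post: cannot tell promotion id from data');
    }
    // The guard from posts #3/#4, applied before any row is built: an unset or
    // non-positive id means the hook fired with the wrong arguments. Fail closed
    // instead of inserting rows keyed on 0 or NULL.
    if (!is_numeric($promotion_id) || (int) $promotion_id <= 0) {
        throw new InvalidArgumentException('update_promotion_post: promotion_id is not set');
    }
    return [(int) $promotion_id, $data];
}

/**
 * Hook handler: one row per installed language, as the add-on's func.php does.
 * $lang_code is accepted for signature compatibility but not needed, since the
 * posted code writes a row for every language regardless of it.
 */
function demo_deal_of_the_day_update_promotion_post($a, $b, $lang_code = ''): array
{
    [$promotion_id, $data] = demo_normalise_promotion_args($a, $b);
    $promotion_data = ['promotion_id' => $promotion_id, 'name' => (string) ($data['name'] ?? '')];
    $rows = [];
    foreach (DEMO_LANGUAGES as $code => $_language) {
        $promotion_data['lang_code'] = $code;
        $rows[] = $promotion_data;   // would be db_query("INSERT INTO ?:ab__deal_of_the_day ?e", $promotion_data)
    }
    return $rows;
}

DemoHooks::register('update_promotion_post', 'demo_deal_of_the_day_update_promotion_post');

$data = ['name' => 'Deal of the day'];
$coreOrder  = DemoHooks::set('update_promotion_post', $data, 42, 'en');   // CS-Cart 4.7.1 order
$alexbOrder = DemoHooks::set('update_promotion_post', 42, $data, 'en');   // AlexB order
echo ($coreOrder === $alexbOrder ? "both orders produce the same rows\n" : "MISMATCH\n");
print_r($coreOrder[0]);

// The failing case behind the "undefined offset" error: no promotion id at all.
try {
    DemoHooks::set('update_promotion_post', $data, null, 'en');
    echo "unexpected: missing promotion_id was accepted\n";
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Run it with php from the command line: both dispatches yield the same two rows (en and de), and the call with a null id is rejected before anything would reach the database. Deciding the order by type only works because one argument is always an array and the other always a scalar; if a future hook passed two arrays, the handler throws rather than guessing. And, as the post says, clear the cache after changing any hook handler, because CS-Cart caches hooks.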

 
  • Mongoose
  • Senior Member
  • Members
  • Join Date: 08-Mar 13
  • 954 posts

Posted 27 December 2017 - 02:16 PM #6

 

Hello,

 

I have taken a look at an existing UniTheme installation of one of my customers and found out that the arguments in the hook have been switched around. Take a close look:

 

CS-Cart's hook (since 4.7.1):   fn_set_hook('update_promotion_post', $data, $promotion_id, $lang_code);

AlexB's hook (with core mod):   fn_set_hook('update_promotion_post', $promotion_id, $promotion_data, $lang_code);

 

There are 2 ways to solve this 

 

1. Modify /app/functions/fn.promotions.php and replace CS-Cart's hook with AlexB's hook.

2. Modify the function for the corresponding hook to fit your needs.

 

!!! Do clear the cache by deleting the cache folder because hooks are also cached in CS-Cart. !!!

 

If you have any more questions please contact AlexBranding to fix this issue. 

 

 

Hello

 

I opted for the first option

 

Modifying the fn.promotions.php file as you and/or Aleksandr from Alexbranding suggested.

 

Thanks for coming to save my day.




 
  • Darius
  • Douchebag
  • Members
  • Join Date: 20-Apr 08
  • 3155 posts

Posted 27 December 2017 - 03:14 PM #7

It's an Alexbranding add-on where you hard-code changes to PHP files... I would never use their add-ons.

 
  • Mongoose
  • Senior Member
  • Members
  • Join Date: 08-Mar 13
  • 954 posts

Posted 27 December 2017 - 08:19 PM #8

It's an Alexbranding add-on where you hard-code changes to PHP files... I would never use their add-ons.

 

Why ?




 
  • Darius
  • Douchebag
  • Members
  • Join Date: 20-Apr 08
  • 3155 posts

Posted 27 December 2017 - 09:01 PM #9

Why ?


Because no other add-on requires modifying core PHP files.

 
  • Mongoose
  • Senior Member
  • Members
  • Join Date: 08-Mar 13
  • 954 posts

Posted 28 December 2017 - 09:18 AM #10

Because no other add-on requires modifying core PHP files.

 

True, but Alexbranding does offer another solution; I just opted for the quickest since we are approaching January 1, 2018. The offices at Alexbranding are closed right now, and a lot of others as well.




 
  • Flow
  • Super Duper and Amazingly Sexy Senior
  • Members
  • Join Date: 13-Oct 10
  • 2099 posts

Posted 28 December 2017 - 03:32 PM #11

BIG issue I think: I just partly refunded some customers and all orders went to status cancelled! This was not the case before I installed this add-on.

 

Apparently it changed the settings in the PayPal add-on.


When life hands you lemons, bring on the Tequila baby!


 

Posted 29 December 2017 - 07:04 AM #12

Please contact us via Help Desk so that we can examine the issue.

 

BIG issue I think: I just partly refunded some customers and all orders went to status cancelled! This was not the case before I installed this add-on.

 

Apparently it changed the settings in the PayPal add-on.


Sincerely yours, CS-Cart Support Team

 

User guide       |  Developer documentation  |  Core API documentation


 
  • andnow
  • Member
  • Trial users
  • Join Date: 20-Oct 16
  • 40 posts

Posted 11 January 2018 - 12:48 PM #13

Help Desk password recovery answers "The username you have entered does not match any account in our store..." - what should I do in this case? The Help Desk login email may be the reseller's email or another one, I don't know.



 
  • Flow
  • Super Duper and Amazingly Sexy Senior
  • Members
  • Join Date: 13-Oct 10
  • 2099 posts

Posted 15 January 2018 - 06:37 AM #14

Please contact us via Help Desk so that we can examine the issue.

 

The only thing that I can imagine happened is that the add-on somehow changed a setting in the paypal add-on. After I set this right again, things went back to normal.




 
  • alexbranding
  • Junior Member
  • Authorized Reseller
  • Join Date: 22-Aug 10
  • 1032 posts

Posted 17 January 2018 - 03:32 PM #15

True but Alexbranding does offer another solution, I just opted for the quickest since we are approaching Januari 1 2018. The offices are closed at Alexbranding right now and alot of others as well

From CS-Cart 4.7 and the new version of the add-on (Product of the Day: Extended promotions), there is no need to add any hooks (just update the add-on and it will work), since the hooks were added to the core by the CS-Cart dev team (maybe this will be useful for other customers).


Alexbranding = best seo addons and themes for cs-cart


 
  • azri445
  • Member
  • Members
  • Join Date: 06-Jan 18
  • 27 posts

Posted 02 February 2018 - 08:10 AM #16

I'm also having the same problem; after upgrading, I got this error and I can't open my blog link.

 

Sorry, service is temporarily unavailable.

Smarty: Unable to load template tygh 'addons/discussion/views/discussion/info_in_blog.tpl' in 'addons/abt__unitheme/hooks/pages/page_extra.override.tpl'



 
  • The Tool
  • Been Here Way Too Long Member
  • Members
  • Join Date: 30-Mar 07
  • 3617 posts

Posted 02 February 2018 - 12:17 PM #17

I'm also having the same problem; after upgrading, I got this error and I can't open my blog link.

 

Sorry, service is temporarily unavailable.

Smarty: Unable to load template tygh 'addons/discussion/views/discussion/info_in_blog.tpl' in 'addons/abt__unitheme/hooks/pages/page_extra.override.tpl'

 

It looks like the error is related to a third-party theme. Contact the developer of the theme.