[ikoshkin]

Hello. Our security audit revealed a few issues of various severity that affect all 4.x.x versions of CS-Cart and Multi-Vendor, including the latest version 4.7.1. It is vital that all store owners are aware of this problem and address it as soon as possible. One of the issues was found by our reseller, and the rest were discovered in house (by our own specialists). To our knowledge, the vulnerabilities haven’t been exploited.

To give you more time to protect your store, we are not disclosing the technical details. Suffice it to say that we advise everyone who uses a version from 4.0.1 up to 4.7.1 (including 4.7.1 SP1) to take one of the following measures as soon as possible:

Upgrade to CS-Cart or Multi-Vendor 4.7.1 SP2. This version contains the fixes for all the security issues that we are aware of. It is already available in the Upgrade Center in the Administration panel of your store. Please note that to see 4.7.1 SP2 in the Upgrade Center, you’ll first need to install the upgrades that came before 4.7.1 SP2, if you haven’t done that already.

For those who can’t upgrade to the latest version, we have prepared a free add-on that addresses the problems. We think that installing an add-on is much more convenient for a store owner than changing lines of code in various files manually. To get the add-on:

• Sign in to Help Desk before you can download the add-on. Enter the email and password of your Help Desk account. Alternatively, use the Forgot your password? link on that page to sign in without using a password.
• Once you sign in to Help Desk, go to the File area. Scroll down to find the Updates folder. Click on that folder to open it.
• Find the security_fixes_4xx_addon.zip file. Download it by clicking the icon on the right.
• The archive with the add-on will be downloaded to your computer. Install the add-on from the archive as described in the documentation.

This will solve the discovered security-related problems in your store. Please note that the add-on doesn’t include the fix for the vulnerability that we discovered in November 2017. If you missed that announcement, please take the measures described there as well.

[Mongoose]

Dear Ivan

 

We upgraded this morning right after we received the all important mail. However after the ugprade from V4.6.3SP1 to V4.7.1SP2 editing promotions like a deal of the day is causing issues.

 

[poppedweb]

Dear Ivan

 

We upgraded this morning right after we received the all important mail. However after the ugprade from V4.6.3SP1 to V4.7.1SP2 editing promotions like a deal of the day is causing issues.

This is caused by the fact that the offset is not defined. My guess is that it is not being checked whether it is set or that the existing variable is not defined as a array. You could fix this by using something similar to this or by defining it as an array, though I think some hook's order got changed, wich can cause this kind of behaviour.

 

If it is the first case you can use something similar to this:

$var['promotion_id'] = !is_array($var['promotion_id']) ? array() : $var['promotion_id'];

In normal words this translates to: if $var['promotion_id'] is not an array, make it an array. If it is an array, keep the same values.

[Mongoose]

This is caused by the fact that the offset is not defined. My guess is that it is not being checked whether it is set. You could fix this by using something similar to this

$var['promotion_id'] = !isset($var['promotion_id']) ? 0 : $var['promotion_id'];

In normal words this translates to: if $var['promotion_id'] is not set, set it to '0'. If it is set, keep the same value.

 

Harm.

 

The file in question func.php in /app/addons/ab__deal_of_the_day/  has in line 76 to 77

the following code

$promotion_data['promotion_id'] = $promotion_id;
foreach (Languages::getAll() as $promotion_data['lang_code'] => $_d) {
db_query("INSERT INTO ?:ab__deal_of_the_day ?e", $promotion_data);
}

Now I am the layperson here and not sure how to implement your suggestion. Please elaborate

[poppedweb]

Harm.

 

The file in question func.php in /app/addons/ab__deal_of_the_day/  has in line 76 to 77

the following code

$promotion_data['promotion_id'] = $promotion_id;
foreach (Languages::getAll() as $promotion_data['lang_code'] => $_d) {
db_query("INSERT INTO ?:ab__deal_of_the_day ?e", $promotion_data);
}

Now I am the layperson here and not sure how to implement your suggestion. Please elaborate

 

Hello,

 

I have taken a look at an existing UniTheme installation of one of my customers and found out that the arguments in the hook have been switched around. Take a close look:

 

Cs-Carts Hook (since 4.7.1)      fn_set_hook('update_promotion_post', $data, $promotion_id, $lang_code);

AlexB's Hook (with core mod)   fn_set_hook('update_promotion_post', $promotion_id, $promotion_data, $lang_code);

 

There are 2 ways to solve this 

 

1. Modify /app/functions/fn.promotions.php and replace CS-Carts hook with AlexB's hook.

2. Modify the function for the corresponding hook to fit your needs.

 

!!! Do clear the cache by deleting the cache folder because hooks are also cached in CS-Cart. !!!

 

If you have any more questions please contact AlexBranding to fix this issue. 

[Mongoose]

 

Hello,

 

I have taken a look at an existing UniTheme installation of one of my customers and found out that the arguments in the hook have been switched around. Take a close look:

 

Cs-Carts Hook (since 4.7.1)      fn_set_hook('update_promotion_post', $data, $promotion_id, $lang_code);

AlexB's Hook (with core mod)   fn_set_hook('update_promotion_post', $promotion_id, $promotion_data, $lang_code);

 

There are 2 ways to solve this 

 

1. Modify /app/functions/fn.promotions.php and replace CS-Carts hook with AlexB's hook.

2. Modify the function for the corresponding hook to fit your needs.

 

!!! Do clear the cache by deleting the cache folder because hooks are also cached in CS-Cart. !!!

 

If you have any more questions please contact AlexBranding to fix this issue. 

 

 

Hello

 

I opted for the first option

 

Modifying the  fn.promotions.php file as you and or Aleksandr from Alexbranding suggested.

 

Thanks for coming to save my day.

[Darius]

Its alex branding addon where u hardcode change modify php files.. would never use their addons..

[Mongoose]

Its alex branding addon where u hardcode change modify php files.. would never use their addons..

 

Why ?

[Darius]

Why ?

Because no other addon requires modifying core php files..

[Mongoose]

Because no other addon requires modifying core php files..

 

True but Alexbranding does offer another solution, I just opted for the quickest since we are approaching Januari 1 2018. The offices are closed at Alexbranding right now and alot of others as well

[Flow]

BIG issue I think: I just partly refunded some customers and all orders went on status cancelled! This was not the case before I installed this add-on. 

 

Apparantly it changed the settings in the paypal add-on.

[CS-Cart team]

Please contact us via Help desk, so that we could examine the issue

 

BIG issue I think: I just partly refunded some customers and all orders went on status cancelled! This was not the case before I installed this add-on. 

 

Apparantly it changed the settings in the paypal add-on.

[andnow]

Helpdesk password recovery ansvers "The username you have entered does not match any account in our store..." - what do I should do in this case? Helpdesk login email may be reseller's email or other, I don't know.

[Flow]

Please contact us via Help desk, so that we could examine the issue

 

The only thing that I can imagine happened is that the add-on somehow changed a setting in the paypal add-on. After I set this right again, things went back to normal.

[alexbranding]

True but Alexbranding does offer another solution, I just opted for the quickest since we are approaching Januari 1 2018. The offices are closed at Alexbranding right now and alot of others as well

From CS-Cart 4.7 and new version of addon (Product of the Day: Extended promotions) - its no needed to add any hooks (just update addon and it will work) (hooks were added by CS-Cart dev team in core) (maybe it will be usefull for another customers)

[azri445]

im also having the same problem, after upgrading it, i got this error, i cant open my blog link.

 

Sorry, service is temporarily unavailable.

Smarty: Unable to load template tygh 'addons/discussion/views/discussion/info_in_blog.tpl' in 'addons/abt__unitheme/hooks/pages/page_extra.override.tpl' -->

[The Tool]

im also having the same problem, after upgrading it, i got this error, i cant open my blog link.

 

Sorry, service is temporarily unavailable.

Smarty: Unable to load template tygh 'addons/discussion/views/discussion/info_in_blog.tpl' in 'addons/abt__unitheme/hooks/pages/page_extra.override.tpl' -->

 

It looks like the error is related to a third party theme.  Contact the developer of the theme.