Recently, one of our partners performed a security audit and found a serious issue in CS-Cart and Multi-Vendor. It is our policy to let you know about such things and provide a solution as soon as possible. We haven't seen any evidence of this vulnerability being used by anyone so far. And although our partner is a third party, their staff take security and privacy very seriously. So, the problem is as good as "discovered in-house", by our own specialists.
The vulnerability exists in all versions starting from 4.6.1. It could allow anyone with access to the admin / vendor panel and the block editing privilege to gain unauthorized access to the server.
There are 2 ways to solve the problem:
If you're using CS-Cart or Multi-Vendor 4.15.1, update to 4.15.1.SP4. It should be available in your Upgrade Center. Service packs are designed for quick and smooth installation. Version 4.15.1.SP3 includes the security fix, and version 4.15.1.SP4 makes the fix more compatible with third-party add-ons and themes.
If you can't upgrade to 4.15.1.SP4, you can still fix the problem in your version. Find the "Security Fixes for 4.6.1 - 4.15.x" add-on in the "Updates" folder in the File Area in Help Desk. Download it and install the add-on from the archive. This add-on closes multiple security vulnerabilities in CS-Cart and Multi-Vendor 4.x.x. All these vulnerabilities were fixed in 4.15.1 SP4 and newer versions. After you upgrade to 4.15.2, this add-on will be disabled automatically.
P.S. As a token of gratitude, we'd like to mention the partner who discovered this issue. The company is called ASAP Lab. They specialise in servers, performance, and security. Not only do they regularly check CS-Cart code for vulnerabilities, but they can also check your entire project, including server configuration, third-party add-ons, etc.
Earlier this week, we sent an email about this issue and 4.15.1.SP3. We stopped providing Service Pack 3 as soon as we discovered that the security fix caused problems with third-party add-ons and themes. Now we have released Service Pack 4 and updated the “Security Fixes” add-on to make the fix compatible.
For those who already acted on that email, here is what you can do:
If you upgraded to 4.15.1.SP3 (or had to revert the upgrade), then you can upgrade to SP3 and then to SP4. The latest SP solves the compatibility issues with third-party add-ons.
If you already downloaded the “Security Fixes for 4.6.1 - 4.15.x” add-on, you can follow the same steps again: Find the “Security Fixes for 4.6.1 - 4.15.x” add-on in the “Updates” folder in the File Area in Help Desk. Download it and install the add-on from the archive. No need to uninstall the previous add-on or do anything else; the improved add-on will overwrite the old one.
I’m sorry for the inconvenience. In the future, we’ll be taking a few extra steps to ensure that third-party add-ons aren’t affected by sudden security fixes.
I remember that I discussed this more than 2 years ago already. However, at that point it was not yet a concern to CsCart. Kind of funny how that changed over time.
And also, to increase the security of your projects, please remove all sorts of adminer.php, error.log, info.php and similar files from your websites. Read more here https://wiki.cloud.simtechdev.com/user-guide/more-secure/ or contact us here https://asaplab.io/contact-us.
@harmsmitsdev, are you talking about executing any code in smarty or bypassing additional security methods and access levels?
I remember that I discussed this more than 2 years ago already. However, at that point it was not yet a concern to CsCart. Kind of funny how that changed over time.
@harmsmitsdev, are you talking about executing any code in smarty or bypassing additional security methods and access levels?
For someone who is worried about the risks and/or interested in what the above means, here is my less technical take on the problem. Or rather, 2 different problems that we addressed, both in the Service Packs and "Security Fixes" add-on.
Problem 1: An admin in CS-Cart and Multi-Vendor with high enough permissions could get more info than they were meant to. This is bad, but manageable, because only your disgruntled employee or someone who gained access to an admin account (which is a feat in its own right) could do that.
Problem 2: A vendor in Multi-Vendor with high enough permissions could get more info than they were meant to. This is much worse, because anyone can apply and/or register as a vendor. So, the risks depend on whether or not you approve new vendors automatically and grant them enough permissions.
In both cases, the hacker would need to know what they're doing. For now, exploiting either of those problems requires technical knowledge (around that of a programmer) and the knowledge of CS-Cart architecture. Problem 2 is more dangerous, but harder to exploit technically.
It is still vital to apply one of the fixes from this topic as soon as possible, because there is a general rule: "The more people find out about the vulnerability, the easier it is to exploit." Discovering and exploiting the vulnerability for the first time may be difficult, but the second time is a matter of following the instruction. That's why we go extra lengths to close the vulnerabilities as soon as we learn about them.
For someone who is worried about the risks and/or interested in what the above means, here is my less technical take on the problem. Or rather, 2 different problems that we addressed in the Service Packs and "Security Fixes" add-on.
Problem 1: An admin in CS-Cart and Multi-Vendor with high enough permissions could get more info than they were meant to. This is bad, but manageable, because only your disgruntled employee or someone who gained access to an admin account (which is a feat in its own right) could do that.
Problem 2: A vendor in Multi-Vendor with high enough permissions could get more info than they were meant to. This is much worse, because anyone can apply and/or register as a vendor. So, the risks depend on whether or not you approve new vendors automatically and grant them enough permissions.
In both cases, the hacker would need to know what they're doing. For now, exploiting either of those problems requires technical knowledge (around that of a programmer) and the knowledge of CS-Cart architecture. Problem 2 is more dangerous, but harder to exploit technically.
It is still vital to apply one of the fixes from this topic as soon as possible, because there is a general rule: "The more people find out about the vulnerability, the easier it is to exploit." Discovering and exploiting the vulnerability for the first time may be difficult, but the second time is a matter of following the instruction. That's why we go extra lengths to close the vulnerabilities as soon as we learn about them.
thanks for the information
After we have installed the Security Fix (September2022), we are unable to let Google Crawl new pages.
Yes, its related exactly to that.