Aug 17, 2006 :: CubeCart vulnerability/fix announced

Started by Jason, August 17, 2006, 08:48:58 AM


Jason

For anyone running CubeCart as their website's shopping cart software, please be advised:

- - - - - - - -

17th August '06

You have received this email as you are subscribed to the CubeCart mailing list.

Security Patch
A vulnerability report has been issued to us concerning XSS (Cross Site Scripting) and MySQL Injection vulnerabilities in all current versions of CubeCart.

Please see: http://bugs.cubecart.com/?do=details&id=523

We urge all to patch their stores at the first possible opportunity. This vulnerability is due to the fact that certain variables are not properly sanitized.

This patch resolves the issues using the treatGet function already in place in the code.

To upgrade, please download the file CubeCart_Patch_17Aug06.zip, extract it, and upload the contents over the files that already reside on your site. Manual upgrade instructions can be found in the file CubeCart_Patch_17Aug06_changelog.html.

Download both these files here: http://www.cubecart.com/site/forums/index.php?showtopic=21247

Even if you don't use the Authorize.net or Protx module you must update the files!

CubeCart 3.0.12
A new release will be made today which includes this patch and has Spam Bot flood control protection as we have had reports of the tell a friend tool being abused. There will also be path upgrades in the PayPal SDK and other minor issues fixed.


Kind regards,

CubeCart.com



Jason

I received another alert this morning:
-------------------------------------


Jason, 28th August '06
You have received this email as you are subscribed to the CubeCart mailing list.

Security Patch
Multiple XSS vulnerabilities, file inclusion and MySQL Injection (on servers with Register Globals On) have been brought to our attention in all versions up to 3.0.12.

Please find the patch by following the link below which contains a change log for manual upgrade as well as the patched files.

We take any reported security issues with utmost importance and investigate at the first possible opportunity. This dedication can be seen by the fact that our office was officially closed today due to the August Bank Holiday. We have released a patch within a few hours of receiving the report.

Many thanks to all those who have been involved. We will release 3.0.13 later which includes this patch along with minor other changes. If you have already patched your store, upgrade is not essential.

Download both these files here: http://www.cubecart.com/site/forums/index.php?showtopic=21540

Kind regards,
CubeCart.com
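Both advisories above come down to the same root cause: request variables reaching SQL, HTML output, or include() paths without validation, made worse on hosts with register_globals enabled. The PHP below is an added illustration of that defensive pattern and is not CubeCart's code; it does not reproduce CubeCart's real treatGet() function. The sanitize_get() helper, the products table, the gateway module names and the modules/gateway/... path layout are all assumptions made for the example.

```php
<?php
// Added example, not CubeCart's code. sanitize_get() is a hypothetical stand-in
// for a request-sanitising helper such as the treatGet() the advisory mentions;
// table names, module names and paths below are constructed for illustration.

declare(strict_types=1);

// Typed retrieval of a GET parameter. Anything that fails validation falls back
// to $default, so callers never see a raw, attacker-controlled string.
function sanitize_get(string $name, string $type = 'string', ?string $default = null): ?string
{
    if (!isset($_GET[$name]) || !is_string($_GET[$name])) {
        return $default;
    }
    $value = $_GET[$name];
    switch ($type) {
        case 'int':
            // Digits only, bounded length.
            return preg_match('/^\d{1,10}$/', $value) ? $value : $default;
        case 'slug':
            // Letters, digits, dash, underscore: safe for lookups and file names.
            return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $value) ? $value : $default;
        default:
            // Free text: drop control characters and cap the length.
            $clean = preg_replace('/[\x00-\x1F\x7F]/', '', $value);
            return mb_substr($clean, 0, 255);
    }
}

// --- MySQL injection: the unsanitised pattern vs. a parameterised query --------
function product_query_unsanitised(): string
{
    // Concatenating raw input into SQL is the bug class the patch addresses.
    return "SELECT * FROM products WHERE id = " . $_GET['id'];
}

function product_query_safe(PDO $db): ?array
{
    $id = sanitize_get('id', 'int');
    if ($id === null) {
        return null; // reject rather than guess
    }
    // Even after validation, bind the value so the driver keeps data and SQL apart.
    $stmt = $db->prepare('SELECT * FROM products WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- XSS: encode on output, in the context where the value is rendered ---------
function render_search_term(): string
{
    $term = sanitize_get('search', 'string', '');
    // ENT_QUOTES neutralises <, >, &, " and ' for an HTML body context.
    return '<p>Results for: ' . htmlspecialchars($term, ENT_QUOTES, 'UTF-8') . '</p>';
}

// --- File inclusion: allow-list the module name; never include() raw input -----
function load_gateway_module(string $baseDir): ?string
{
    $allowed = ['authorize_net', 'protx', 'paypal']; // hypothetical module list
    $module  = sanitize_get('gateway', 'slug');
    if ($module === null || !in_array($module, $allowed, true)) {
        return null;
    }
    // Hypothetical layout; the caller include()s the returned path.
    $path = $baseDir . '/modules/gateway/' . $module . '/transfer.inc.php';
    return is_file($path) ? $path : null;
}

// register_globals: with the directive on, a request such as ?config=... can
// pre-populate a variable the script expected to set itself. Initialise every
// variable before use and keep register_globals = Off in php.ini.
$config = [];
```

The allow-list in load_gateway_module() is what closes the file-inclusion hole: a validated slug alone is not enough, because a well-formed name can still point at a file the script was never meant to load. Likewise, the int validation in product_query_safe() is a first filter, but the prepared statement is what actually guarantees the value can never change the query's structure.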