Reports:
http://secunia.com/advisories/29532/
http://www.securityfocus.com/bid/28452
This security hole exists due to a bug in the global variable sanitization function of the ini.inc.php file. Please patch this at the first opportunity using either the manual or the auto fix below.
Manual Fix (All 4.x.x Releases)
Open ini.inc.php and find at around line 134:
    $data[$key] = $this->safety($val);
    }
    return true;
Replace with:
    $data[$key] = $this->safety($val);
    }
To clarify, all that is required is to remove the line "return true;".
Auto Fix
If you run CubeCart ≤ 4.1.1, please download and extract the zip file below and use it to replace your existing ini.inc.php file on the remote server.
CubeCart_4.1.1_pl1.zip (3.02K)
If you run CubeCart ≤ 4.2.1, please download and extract the zip file below and use it to replace your existing ini.inc.php file on the remote server.
CubeCart_4.2.1_pl1.zip (3.18K)
IMPORTANT NOTE: If you have upgraded from CubeCart v3 there may also be an ini.inc.php file in the includes folder. That file does not need attention and can be safely deleted if you wish.
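
A way to confirm that a given ini.inc.php no longer carries the "return true;" that the manual fix removes, as an added example that is not part of the original post or of CubeCart. The script and function names are hypothetical, and it recognises only the statement sequence quoted in the manual fix, with whitespace ignored.

```shell
#!/bin/sh
# Added example (not CubeCart code): report whether an ini.inc.php still has
# the "return true;" that the manual fix removes. File paths come from the caller.

# The regexes run against the file with all whitespace collapsed to single
# spaces, so the original line layout and CRLF line endings do not matter.
SAFETY_RE='[$]data[[][$]key[]] ?= ?[$]this->safety[(] ?[$]val ?[)] ?;'
VULN_RE="$SAFETY_RE"' ?[}] ?return true ?;'

# Prints one of: vulnerable | patched | unknown
# Returns 1 for vulnerable, 0 for patched, 2 for unknown.
check_ini_patch() {
    [ -r "$1" ] || { echo unknown; return 2; }
    flat=$(tr '\t\r\n' '   ' < "$1" | tr -s ' ')
    if printf '%s\n' "$flat" | grep -Eq -e "$VULN_RE"; then
        echo vulnerable; return 1
    elif printf '%s\n' "$flat" | grep -Eq -e "$SAFETY_RE"; then
        echo patched; return 0
    fi
    # No safety() assignment found: either not the file the advisory
    # describes or a layout this check does not recognise.
    echo unknown; return 2
}

# Usage: sh check_ini.sh /path/to/ini.inc.php [more files...]
for f in "$@"; do
    rc=0
    result=$(check_ini_patch "$f") || rc=$?
    printf '%s: %s\n' "$f" "$result"
done
```

A result of "unknown" means the file needs a manual look; it is not evidence that the file is safe.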