
CubeCart v4 Security Update


Al Brookbanks


It has been brought to our attention that a cross site scripting vulnerability has been discovered in some versions of CubeCart v4 by McAfee ScanAlert just one hour ago. This is known to affect CubeCart 4.2.2 but may not affect earlier versions.

The patch is very straightforward.

Open the file ini.inc.php and locate:

if (preg_match('#([^a-z0-9\-\_\:\@\|])#i', urldecode($key))) {
    echo urldecode($key); // offending line: reflects the rejected key into the page unescaped
    $die = "<h1 style='font-family: Arial, Helvetica, sans-serif; color: red;'>Security Warning</h1><p style='font-family: Arial, Helvetica, sans-serif; color: #000000;'>\nParsed array keys can not contain illegal characters! Script execution has been halted.</p><p style='font-family: Arial, Helvetica, sans-serif; color: #000000;'>It may be possible to fix this error by deleting your browsers cookies and refresh this page.</p>\n";
    die($die);
}

Replace this code with:

if (preg_match('#([^a-z0-9\-\_\:\@\|])#i', urldecode($key))) {
    $die = "<h1 style='font-family: Arial, Helvetica, sans-serif; color: red;'>Security Warning</h1><p style='font-family: Arial, Helvetica, sans-serif; color: #000000;'>\nParsed array keys can not contain illegal characters! Script execution has been halted.</p><p style='font-family: Arial, Helvetica, sans-serif; color: #000000;'>It may be possible to fix this error by deleting your browsers cookies and refresh this page.</p>\n";
    die($die);
}

Once that has been done please upload the file back to the server and your store has been patched. The offending code is the line

echo urldecode($key);

immediately before the line starting

$die = "<h1 style='font-family: Ari...

That echo writes the rejected array key, which by definition contains characters outside the allowed set and may therefore contain HTML or script, straight back into the response without encoding before execution halts. Removing it means nothing attacker-controlled is reflected.

If your store doesn't have that line then no action is required.
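The following is an added example and is not CubeCart's own code. It applies the same key-validation pattern from ini.inc.php to a few constructed request parameter names and shows, side by side, the 4.2.2 behaviour that reflected the bad key, the patched behaviour that drops it, and an encoded-diagnostic alternative for comparison. The function names, the $samples array and the shortened warning text are assumptions made for illustration.

```php
<?php
// Added example (not CubeCart code): the ini.inc.php array-key check run over
// constructed parameter names, comparing the 4.2.2 output with the patched output.
// Function names, $samples and the shortened warning markup are assumptions.

// The pattern CubeCart uses: any character outside a-z, 0-9, - _ : @ | is illegal.
const KEY_PATTERN = '#([^a-z0-9\-\_\:\@\|])#i';

// True when the (URL-decoded) key contains only allowed characters.
function keyIsClean(string $key): bool
{
    return preg_match(KEY_PATTERN, urldecode($key)) === 0;
}

// What 4.2.2 did: the rejected key is written to the page unescaped, so a key
// such as <script>alert(1)</script> becomes live markup in the response.
function rejectKeyVulnerable(string $key): string
{
    return urldecode($key) . '<h1>Security Warning</h1>';
}

// What the patch does: the key is never written to the response at all.
function rejectKeyPatched(string $key): string
{
    return '<h1>Security Warning</h1>';
}

// Alternative for comparison only (not what the CubeCart patch does): if the
// rejected key must appear in a diagnostic, HTML-encode it first.
function rejectKeyEscaped(string $key): string
{
    $safe = htmlspecialchars(urldecode($key), ENT_QUOTES, 'UTF-8');
    return '<h1>Security Warning</h1><p>Rejected key: ' . $safe . '</p>';
}

// Constructed parameter names as they might arrive in a query string.
$samples = [
    'productId',
    'cat:sub@x|y-z_1',
    '%3Cscript%3Ealert%281%29%3C%2Fscript%3E', // url-encoded <script>alert(1)</script>
    'a%20b',                                    // url-encoded space
];

foreach ($samples as $key) {
    if (keyIsClean($key)) {
        printf("%-45s accepted\n", $key);
        continue;
    }
    printf("%-45s rejected\n", $key);
    printf("  4.2.2 output:   %s\n", rejectKeyVulnerable($key));
    printf("  patched output: %s\n", rejectKeyPatched($key));
    printf("  escaped output: %s\n", rejectKeyEscaped($key));
}
```

Run it with `php example.php`. The first two names pass the check; the third and fourth are rejected, and for those the 4.2.2 variant prints the decoded `<script>` tag verbatim ahead of the warning, while the patched variant prints only the warning. Dropping the echo is the stronger fix: there is no reflected data left to encode, so no encoding mistake is possible.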

We take security very seriously and will investigate every case reported thoroughly. On this occasion we have been able to produce a patch within an hour of the vulnerability report. CubeCart version 4.2.3 is due for release very soon and will contain this security update and other bug fixes.

If you have an active support plan and need assistance our staff will be willing to assist you in applying this patch. Please accept our apologies for any inconvenience this may cause.
