Al Brookbanks

Staff
Posts posted by Al Brookbanks

  1. Many thanks to Gen Sato from Mitsui Bussan Secure Directions, Inc. for responsibly reporting a number of security issues found in all versions of CubeCart up to 6.5.3. Please note that these vulnerabilities are executable only if a bad actor has authenticated into the back end of the victim's store.

    Vulnerabilities

    1. Directory traversal (any file download) - GitHub Issue #3410
    2. Directory traversal (deletion of arbitrary files and directories) - GitHub Issue #3409
    3. CSRF bypassing CSRF token checks - GitHub Issue #3408
    4. OS Command Injection - This vulnerability concerns the ability for the Smarty template engine to be able to execute dangerous functions.

      e.g. 
      {system('echo ^<?php phpinfo(); > C:/xampp/htdocs/testout.php')}

      No patch has been created for this vulnerability; instead we strongly recommend disabling dangerous PHP functions, as recommended by our free CubeCart Security Suite. We suggest disabling the following PHP functions in your php.ini file and then restarting the web server.

      disable_functions = exec, system, passthru, pcntl_exec, popen, proc_open, shell_exec

    This release also includes a number of other maintenance updates.

    Upgrading to 6.5.3 is highly recommended. If for some reason you are unable to upgrade to this version, it is possible to find the code patches for each vulnerability within each GitHub issue above. If you require help, technical support is available.

    Download: CubeCart-6.5.3.zip
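A defender-side check for the php.ini mitigation described in the post above, added here as an example and not part of the original post or of CubeCart itself: it parses a php.ini fragment (a constructed sample) and reports which of the recommended functions are still enabled, taking into account commented-out lines, quoting, case and the last-assignment-wins rule.

```python
import re

# Functions the CubeCart 6.5.3 advisory above recommends disabling via php.ini.
RECOMMENDED_DISABLED = {
    "exec", "system", "passthru", "pcntl_exec", "popen", "proc_open", "shell_exec",
}


def parse_disable_functions(ini_text: str) -> set:
    """Return the effective disable_functions set from php.ini text.

    Handles the php.ini details that commonly trip up a manual check:
    ';' comments (so a commented-out line is NOT counted), optional quotes
    around the value, stray whitespace, case-insensitive names, and the
    rule that the last assignment in the file wins.
    """
    disabled = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip comments; a leading ';' empties the line
        m = re.match(r"^disable_functions\s*=\s*(.*)$", line, re.IGNORECASE)
        if not m:
            continue
        value = m.group(1).strip().strip("\"'")
        disabled = {f.strip().lower() for f in value.split(",") if f.strip()}
    return disabled


def missing_from_recommendation(ini_text: str) -> set:
    """Recommended functions that the given php.ini still leaves enabled."""
    return RECOMMENDED_DISABLED - parse_disable_functions(ini_text)


# Constructed php.ini fragment: the recommended line is commented out and a
# weaker, quoted, mixed-case replacement follows it.
SAMPLE_INI = """\
[PHP]
;disable_functions = exec, system, passthru, pcntl_exec, popen, proc_open, shell_exec
disable_functions = "Exec, passthru,proc_open"  ; partial hardening only
expose_php = Off
"""

if __name__ == "__main__":
    gaps = missing_from_recommendation(SAMPLE_INI)
    if gaps:
        print("still enabled:", ", ".join(sorted(gaps)))
    else:
        print("disable_functions covers the recommended list")
```

Point the script at the php.ini that the running PHP actually loads (the path shown by phpinfo()), since a hardened file elsewhere on disk does nothing.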

     

  2. Quote

    As many of those are open source and essentially free cart products, that raises concerns about where PayPal is actually accessing those significant figures from?

    Partners send a BN code across with every transaction. PayPal can see if a transaction is via CubeCart or other platform. Then the same data is sent across as PayPal Standard.

    I don't agree with your analogy to Henry Ford at all personally. PayPal Commerce can be configured to have 3D Secure on and off. Cards on and off. Pay Later messaging on or off. Express Checkout on the product detail page on and off. Apple Pay on or off etc. The platform is adaptable.

    PayPal Standard also sends across the platform ID too via BN code. Essentially the data shared is pretty much identical.

  3. Interesting. I can feed this back to PayPal. PayPal Commerce asks for more info on sign up due to what's known in the trade as KYC (know your customer), in order to confirm your identity as a business and assess risk for providing card services. It's not just PayPal; it's across the industry.

    https://www.paypal.com/c2/webapps/mpp/kyc?locale.x=en_C2

    I think also a lot of these requirements are not necessarily demands of PayPal but of linked organisations like Visa, MasterCard, Apple Pay, Google Pay and even governmental bodies etc.

  4. Please, please, please, forget about PayPal Standard! It's a legacy product that's going to be discontinued by PayPal. PayPal Commerce has far more features and is proven to generate increased sales.

    Quote

    Obviously none of these are getting delivered, so it gives the impression my sites are sending out junk mail.

    Yes maybe these should be disabled if in Sandbox mode. I'll open a feature request for that.

  5. We are pleased to announce the release of 6.5.2.

    What's New?

    #3304 Back-office 404 log. Discover external URLs that have no destination and use the existing redirect tool to fix them.
    #3131 Back-office category list now shows product count.
    #3229 Escape key now closes back office search pull out.
    #3243 Memory added to back office list size (Products, Orders, Customers).
    #3275 Administrator log to show more detailed info, e.g. the item that was edited.
    #3299 Improved back office request log layout with header logging.
    #3331 "Save & Reload" button added to category add/edit page.
    #3332 Google Universal Analytics removed in favour of new extension.
    #3346 Back-office customer list to show their chosen language.
    #3347 hCaptcha officially supported as an alternative to Google reCAPTCHA. This requires skin updates.
    #3348 Back-office now logs actions of cleaning subscriber log.

    See all 112 closed issues for this version.

    Download: CubeCart-6.5.2.zip

    Need help upgrading or require official technical support? Find out more at https://www.cubecart.com/technical-support

  6. With advanced features of the latest PayPal integration, you can accept PayPal, Pay Later, and Venmo* — plus Apple Pay®**, local payment methods from around the world, and process all major credit and debit cards.

    Offer Apple Pay®**:
    Apple Pay® is a fast, simple, and secure way to pay in millions of places online and in-store. It’s built into Apple Wallet® and available on eligible Apple® devices.

    Save payment details:
    Automatically save customer card, billing, and shipping info for a fast, convenient checkout experience. This feature means returning shoppers don't have to re-enter payment information on future purchases — making for a simpler checkout that can help drive conversion.

    Real-time account updater services:
    When a replacement card is issued to a customer, real-time account updater services automatically update that new card information on the backend and help reduce the chance you'll miss a sale due to a customer's stolen, lost, or expired card.

    Get more transparency with IC++ (US Only):
    Interchange Plus Plus (IC++) is a pricing model that credit card processors use to calculate the fees associated with each transaction. Compared to flat-rate pricing, IC++ offers an added layer of transparency for eligible merchants. Learn more about IC++.

    Competitive transaction fees:
    Card processing fees that are competitively priced for the marketplace. Apple Pay® does not charge any additional fees.

    How to enable Apple Pay in CubeCart
    Install our free PayPal Commerce extension. From the extension configuration page, check the box next to Apple Pay. Follow the instructions from there to enable Apple Pay.

    * Venmo only available for US consumers.
    ** Apple, Apple Pay, and Apple Wallet are registered trademarks of Apple Inc.
