havenswift-hosting

Everything posted by havenswift-hosting

  1. Perfect ! I have been using the CubeCart bug system for many years and never seen that before ! Maybe an idea to put that link in the forum post when you announce a new release. Having the link to the full file difference report as you have done previously in all version 4 upgrades would also be great. Thanks, Ian
  2. Hi Al. Even for a maintenance release it would be extremely useful to have the detailed file difference report as this is needed when doing a manual upgrade on any modified files caused by the installation of mods. I know this isn't something you have released before, but to also have a list of the bugs fixed in each release (with perhaps the bug report number and a brief description of the issue or a link to the report in the bug tracker) would be extremely useful. Thanks, Ian
  3. Creating a file difference report is useful (88 files have changed according to the file difference report I generated myself) although not especially difficult to do with the tools that are available. Trying to add notes to the report to associate a bug report to each difference would be a massive job and probably one that only Devellion could realistically do although this would be extremely useful !! If this isn't possible then what is really needed is some release notes that show what bugs had been fixed in each release along with the file difference report that used to be given for V4 upgrades. Ian
  4. Yes, templates along with standard CubeCart files would be overwritten but it would be good to have a file difference report supplied and also a summary list of all bugs fixed in this release. Any chance Al ? Thanks, Ian
  5. You don't say how you are creating these products but if you are uploading them rather than creating through the admin side then you have to ensure that the productId is unique. It is possible to add a product to multiple categories in the same way that the Admin View product option does by adding a record into the CubeCart_cats_idx table. Ian If you upload product details via scripts and MySQL then you need to ensure that you understand the database structure in great detail otherwise your data won't be consistent. Even using the upload facilities within CubeCart requires an understanding of this and has quite a few restrictions.
  6. You don't say how you are creating these products but if you are uploading them rather than creating through the admin side then you have to ensure that the productId is unique. It is possible to add a product to multiple categories in the same way that the Admin View product option does by adding a record into the CubeCart_cats_idx table. Ian
  7. Yes. I think so too. Just need PHP and MySQL updated. They may have added protection at that level. The code might still be bad, but PHP and/or MySQL might have checks/fixes now for certain things. I am not bashing CubeCart. I have had it since CubeCart 2. I am just looking for anyone's info that can help. As discoworld mentioned a while back, your best bet is to not use Security Metrics for your PCI compliance ! You don't say what payment gateway you are using and what level of PCI compliance you are trying to obtain but unless the gateway is something unusual or you are looking to get a higher than normal compliance on a shared hosting server, the problem is not CubeCart, php or MySQL - it is Security Metrics themselves. We host a large number of CubeCart sites for ourselves and for clients across a range of shared hosting and dedicated servers and nobody has ever had a problem getting PCI compliance. Ian
  8. You will need to have either Zend or ionCube installed for CubeCart to run (exactly as the installation says !). You will need to check that one of these is installed on the specific server that you are hosted on and if they aren't (and the host isn't willing to add them) then you would be best moving to a host that guarantees CubeCart compatibility. Ian
  9. Just taking a dedicated server will not fix any of these points although as it is "your" server then you can at least make the changes that you want. However, unless you are a Linux expert or pay for managed support (where you will still need to know *what* to ask to be changed or configured on your server) then you are likely to have a lot more problems than being with a reputable hosting company who *should* know how to set a server up. I say *should*, as there are so many hosting companies out there that don't know. The first two points (which are essentially the same point anyway) are completely pointless. Their reason for reporting this is that it reveals that the server is running php - the additional code that is added to cause this problem can only be added to the end of a url that is a php page. The fact that you are adding it to a php page has already "revealed" that you are running php !! You don't say what version of CubeCart and MySQL you are running and more importantly what if any mods you have installed (these are the most common cause of sql injection vulnerabilities) therefore there is not enough information to say what the problem is but it would be interesting to know what Al has to say about this IF you are running a recent version of CubeCart AND MySQL. Ian
  10. CubeCart is multi-language so you would need to translate each of the product descriptions into whatever language was required before you could consider anything else. There is also the problem that the current export routines (standard or any of the mods available) don't as far as I am aware work for multiple languages but I am currently looking at that part of it for my own sites which use my own written export routine and it isn't difficult to do. Translating the products details however.... Ian
  11. Ian, Please reread the post I made and then a few of your own and tell me I was wrong in any way. I know 99.9999% of the users are unpaid. We all know that. CubeCart is the one place anyone can go and ask for help and the 'cool kids' don't beat you up for it. At least it used to be.... Not sure how else anyone is supposed to read your post ! I think my comments about it still stand. The "experts" on here spend a lot of time trying to help answer questions - I know that many experienced users and commercial providers who used to answer questions on here, no longer do for this exact reason. Community forums like this are great and really help promote what is a great product but some people abuse this and expect to get help for nothing and then make comments like this. Now, there has been a CubeCart problem that has caused some and maybe most of the problems reported in this thread. I know that Al is gutted by this - however, CubeCart is considerably more secure than many applications available. Believe me, I have seen plenty free and paid applications that clients have installed that have little or no thought for security and when a problem is discovered, the authors take days / weeks / months to fix. However, what I have been saying still holds true : 1) For this type of problem - your hosting company should be your first port of call. They should have the skills and inclination to help you diagnose the problem. Most of these types of problems can either be prevented in the first place or in the odd case like this where it is introduced as part of an application, should be easily found 2) This problem can and has been caused by several different factors - as I said earlier, I have direct knowledge of two sites just today that have experienced exactly the same type of problem and neither of them are CubeCart sites. Ian
  12. I downloaded my copy of CC3.0.20 back in September and it has the file. This has been going on for a while I guess..... It is not in the download package of 3.0.18 I had and one of my stores that did get hacked was using that. That site does not have the T.php file on it and never has but has been hacked a lot. The version of 3.0.20 that I have and have used for clients was downloaded 16th Sept 2010 and doesn't have that file. No CubeCart V3 sites on our servers have been hacked. I have been told of two other websites (not CubeCart but html / php / js) that have had the same code injection problem so while this may be a possible solution for some, there are still other problems causing this. The trojan that was previously mentioned is also one possible way. Ian
  13. I hope there is a speedy resolution to this issue now that the cause has been found. Thanks for all your help Zomnut. I am very put off by the lack of consideration the so called experts gave to this issue. Not very professional in my opinion. I have come to expect better from this group. Well as nobody else has seen what this "cause of the exploit" is it is extremely difficult for anyone else to comment. Even if it is an exploit in CubeCart then it isn't necessarily the same reason that other people are having this problem. ANY website (not just CubeCart) can be open to this type of problem, so let's just wait and see what Al has to say tomorrow. Still strange that of the tens if not hundreds of thousands of CubeCart 3 sites that are out there, there have been relatively few affected ! Also, apart from Al who owns CubeCart, everyone else on these forums offers their help and advice completely free and in their own time and without charge. To say that people have been unprofessional and that they have given a lack of consideration to this problem is rude and insulting ! The alternative to getting free support on these forums from professionals and other experienced end users, is for you to pay for CubeCart support either directly from CubeCart themselves or from one of the other companies that offer this service. Ian
  14. This problem can also happen if people are connecting from behind corporate firewalls or other security software / hardware where they change the IP address. This shouldn't be the cause for most normal home users and the IE issue mentioned above is the most likely cause. Ian
  15. For those of you still getting this problem - getting your host involved to diagnose the source of your specific problem and help you plug the security issue is the ONLY way. If they are unwilling or unable - then move to a different host ! As much as I and others would like to help further, if you have followed the various advice already given, then nobody on here is going to be able to help any further without server level access or very specific proof that CubeCart is the cause (which I personally believe to be a very small possibility). Ian
  16. I bet you have a bot on your system that's gleaning your ftp passwords and usernames. Change them from a different machine and you will find they can't get access - which means changing your usernames and hunting down the virus, and not storing your usernames and p/ws for FTP programs on your machine til you have found it. I have looked at my logs and can't find any FTP access to my site when it got hacked. I changed my password (from another machine) and still got hacked again. The only FTP access to my site came from my IP and I have kept track of when I log in and it's all right there with nothing else going on. It's just not adding up. As I have said several times before - there are any number of ways that this type of problem can be caused, so focusing on only one is not going to solve your problem ! Unless it is your own dedicated or VPS server then you will not be looking at the server access log unless your host has provided these which is extremely unlikely. Also just because you have used another PC, what is to say that this one isn't infected with the same problem (if this is indeed the method they are getting in - it is only one possibility !)
  17. The problem is that there are : 1) Users that change permissions on files and directories without any idea of the possible consequences 2) incompetent hosts who are more than willing to take your money but then don't have the skills to diagnose this type of problem, don't have enough support staff or just can't be bothered. 3) So many viruses and other malicious code infecting people's insecure PCs that can then infect their own websites. There are several that record FTP passwords used on a PC and then use these to infect files on the website - to the log these will be recorded as if you had logged in yourself and changed the files ! If the problem is insecure permissions, account or server then doing what you suggest wouldn't solve the problem anyway but regardless of that, it isn't down to the developers to even try and fix (even if they could!) problems that aren't caused by the application. You get what you pay for with your hosting - the companies out there that sell hosting space for a few pounds or dollars per month can only do so by 1) filling the server to (and often well over) capacity, making all the sites slow and 2) having little or no support. To compare an online store with a bricks and mortar store - your web hosting account is the same as your shop. Would you run your business from a shop that had broken windows, a front door that didn't lock, had no burglar alarm and had 30 different vendors running shops from a space that was only designed for one shop? Too many people spend a lot of time and money designing a shop, buying stock and maybe advertising it and then go for the cheapest hosting. Ian
  18. You need to find out which file has been hacked and then ask your hosting company to check through the logs around the time the file was changed. If they are unable or unwilling to do this analysis for you, then I suggest you find a hosting company that will - you will probably find that you won't have this problem if you do move anyway ! This is still almost certainly NOT a CubeCart problem otherwise there would be tens of thousands of sites being hit by what is a fairly simple automated script. Ian
  19. Look for the code shown in the window at the bottom of the General Settings in the section where you switch SEF url's on !! It should start with :

      ## Activate the mod_rewrite Engine
      RewriteEngine On

      Ian
  20. That is true - the master category ID number has to exist already as a category for them to be added to that category ! Ian
  21. Jeannie, if they are in the View products then they are in the store but maybe you haven't added them to a category - it is difficult to know what is going on without knowing the format of the csv files, which fields you are uploading and allocating or in fact even the url of your store ! The image field allows you to upload the url to the image but doesn't upload the actual image itself - you need to do that yourself. Ian
  22. No problem. Al has given very clear instructions on the best way of preventing this from a CubeCart point of view if the store is either still on an old CC3 version or has been upgraded to 3.0.20 from an old version - it does seem interesting that the mass of reports suddenly seem to have died away. You don't say what version you are on and whether this was an upgrade from an older version or not. There have been several reports of this happening to a new 3.0.20 system and if this is the case then report these to Al as he will certainly investigate. However, even if this has happened, then it is still very unlikely to be a security hole in CubeCart itself. Most hosting businesses do not run their servers using suPHP which is an added layer of protection at the server level that almost immediately prevents this type of attack from happening. Without it, specific scripts with the wrong permissions in your hosting account or even worse, an insecure script with incorrect permissions in ANY hosting account on that server, can potentially cause this problem. As Al said, if a determined and very good hacker wants to get into a hosting server then they will (bearing in mind the types of sites that have been hacked in the past). However, these types of attacks are general script kiddies launching an automated attack across multiple servers which is probably why a sudden spate appeared. 1) Some applications do have problems but most like Al take security seriously and have their system professionally audited and will fix known exploits very quickly. 2) Most hosting companies could do more but when the cheapest of them pile thousands of websites onto one server and charge a few pounds per month - what do you really expect ? You always get what you pay for ! 3) Finally, the cause most often will be from the user. This can be incorrect installations, changing permissions on files incorrectly, making their FTP passwords very insecure (there is a reason most hosting companies generate a 10 or 12 digit random password when an account is setup!) or even more common these days is having an undetected virus on their PC which logs FTP passwords which are then broadcast to hackers. Clearing the infection and changing the FTP password in these cases will obviously have no effect ! Ian
  23. Hi. After battling against various issues for several clients with PayPal Pro and experiencing similar issues and more with PayPal, I have finally convinced the last of them to move to SagePay. Simple easy to use interface that always works. Fantastic support both as a user (I use them for all my own payments) but also as a developer / partner. People can still pay with PayPal through SagePay if they really wish ! No brainer ! Ian
  24. Hi Jeannie. A lot depends on the format of the csv file and how much detail is in the file (or that you want to import). There is a basic product import facility within CubeCart 4 in the admin menu - Import Catalogue. For more complex files or product sets you will either have to use some software or have a custom import script written for you. Much will also depend on whether this is a one-off load or something that needs to be daily / weekly. Ian Hi Ian, Thanks for the reply. I can get the file uploaded into the Admin section, but then I have to go through each and every product to add it to my online store. Is there a way to have it all ready-to-go, and upload it to the store directly, in one shot, rather than one product at a time? Thanks, Jeannie Jeannie, not sure what you mean when you say you have to go through each product to add it - the import catalogue is a bulk import of basic product information. You can do a lot more manipulation using scripts and MySQL to do the import so there is always a way to do more ! Ian
  25. Hi Jeannie. A lot depends on the format of the csv file and how much detail is in the file (or that you want to import). There is a basic product import facility within CubeCart 4 in the admin menu - Import Catalogue. For more complex files or product sets you will either have to use some software or have a custom import script written for you. Much will also depend on whether this is a one-off load or something that needs to be daily / weekly. Ian