3.07 so when 3.08??


Guest


As someone who uses CubeCart as a store owner and not a developer, I am astounded by the frequency of new versions instead of real update patches. Why is V3.07 being released because of two security problems? There is a patch for the first security issue, so why isn't there one for the second security issue?

I have monitored CubeCart for some time now, and one of the reasons that always put me off was the frequency of new versions when in reality it just needed a patch. As far as I am concerned I am witnessing a fantastic cart being ruined by the frequency of new versions.

Brooky, you have to realise that we cannot keep upgrading when a simple patch is all that is needed. At least give us the patches like the first security issue in upload.php so we can make our own choices.


Guest digilution

What I need to know is:

Can I just upload the 2 new patches and overwrite the existing ones? If so, would I have to change any other files?

Is uploading the new version the same method as installing from new? If so, what will happen to all my modified files?


All software has security issues.

e.g. Windows XP was released in 2002 and still has updates.

A major security hole was found in 3.0.x which had to be fixed. I wanted 3.0.7 to be the absolute final release before 3.1.0, which will have improved features. There are still a few minor bugs in 3.0.7, but it was vital to patch it and get a release out today.

Our server was attacked today via our demo store, which I hope you will agree proves the seriousness of this release.

Remote Perl scripts can be executed on your server if you don't upgrade, showing sensitive information and possibly even turning your server into a spam server without you knowing.

I cannot support hacks/mods made to your stores. It has been a stressful day.

Edited by brooky

All software has security issues.

e.g. Windows XP was released in 2002 and still has updates.

A major security hole was found in 3.0.x which had to be fixed. I wanted 3.0.7 to be the absolute final release before 3.1.0, which will have improved features. There are still a few minor bugs in 3.0.7, but it was vital to patch it and get a release out today.

Our server was attacked today via our demo store, which I hope you will agree proves the seriousness of this release.

Remote Perl scripts can be executed on your server if you don't upgrade, showing sensitive information and possibly even turning your server into a spam server without you knowing.

I cannot support hacks/mods made to your stores. It has been a stressful day.

You have great software; updates and fixes are normal and help every admin.

The only problem is the mods. Maybe there is a way in future for mods to have better integration, so that they need no changes in main files.


As someone who uses CubeCart as a store owner and not a developer, I am astounded by the frequency of new versions instead of real update patches. Why is V3.07 being released because of two security problems? There is a patch for the first security issue, so why isn't there one for the second security issue?

I have monitored CubeCart for some time now, and one of the reasons that always put me off was the frequency of new versions when in reality it just needed a patch. As far as I am concerned I am witnessing a fantastic cart being ruined by the frequency of new versions.

Brooky, you have to realise that we cannot keep upgrading when a simple patch is all that is needed. At least give us the patches like the first security issue in upload.php so we can make our own choices.

Do you not think it's better for new customers to have a complete package with the patches already installed? I for one would hate having to install a script, then install 8-10 patches.


Sorry you're having such a stressful day. Thanks for working on this ASAP rather than sweeping it under the rug (as some would do). Ah, the joy of being responsible for a major software project.

I imagine you're already looking into this, but I think it would be helpful to know what server environments are returning 403 errors after the latest security patch. You would think that $_SERVER['PHP_SELF'] would absolutely always be available to parse for the script name, but apparently there are some exceptions to this rule. I believe that in these cases $_SERVER['SCRIPT_NAME'] works as a substitute, but I have not yet come across an appropriately retarded server to test it on.

In theory SCRIPT_NAME is about as ubiquitous as PHP_SELF: http://koivi.com/apache-iis-php-server-array.php

Perhaps those who are having problems can post their server info (OS and version, PHP version, Apache extended options and register globals on/off, etc.)? I don't think that the SEF URL mods should affect this, but it might be worth checking. I would think that PHP_SELF should be independent of any displayed URL.

Another method that might be both more secure and reliable might be to set a config value for your server IP and check that instead. Those who use dynamic IPs might be inconvenienced, but then who does that with a store app anyway? Other than for testing purposes I can't see why you would.

Anyway just my two cents. Take a deep breath and don't freak out. It'll get fixed.


The idea of using PHP_SELF is to make sure that it is not being directly opened. It is working for the majority at the moment, but the extra file names, i.e. orders.php and print.php, need to be added to the list of available file names...


The idea of using PHP_SELF is to make sure that it is not being directly opened. It is working for the majority at the moment, but the extra file names, i.e. orders.php and print.php, need to be added to the list of available file names...

Yep. I get that. But it seems as if some folks are not getting access to their site AT ALL after this patch, which seems to me to indicate that the PHP_SELF variable is not present to parse (or blank).

I've read that on Xitami IIS servers $_SERVER['PHP_SELF'] is sometimes unavailable (go figure). And I think that depending upon your Apache configs it sometimes returns a blank string when calling your server root (e.g. not www.mysite.com/index.php but just www.mysite.com). That would of course also cause this code to return a 403 error.

You would think that if anything in life could be counted on then $_SERVER['PHP_SELF'] would be one of those things, but...

Anyway that may not be the issue for those folks who are having more severe problems, but it's worth comparing their server setups to find out (if they're all Xitami Windows servers...).

And yep you're right about those other file names also.

Personally I'm going to wait a few days before installing this patch, since my store isn't live yet anyway.

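The guard the last few posts are discussing, written out as an added example (this is not CubeCart's own code and not what 3.0.7 ships): it resolves the name of the script the server actually ran, trying $_SERVER['PHP_SELF'] first and falling back to $_SERVER['SCRIPT_NAME'] as suggested above, allow-lists the entry scripts named in the thread (index.php, orders.php, print.php) and answers 403 for anything else. The SCRIPT_FILENAME fallback, the handling of trailing path info, the define()-marker alternative at the end and the PHP 5 syntax are assumptions of this example, not something the thread proposes.

```php
<?php
// Added example (not CubeCart's own code): a direct-access guard for include
// files that tolerates a missing or blank $_SERVER['PHP_SELF'].

// Entry scripts that may be requested directly. index.php, orders.php and
// print.php are the names mentioned in the thread; extend as your store needs.
$allowed_entry_scripts = array('index.php', 'orders.php', 'print.php');

/**
 * Basename of the script the web server actually ran. PHP_SELF is tried
 * first; SCRIPT_NAME (suggested in the thread) and SCRIPT_FILENAME (assumed,
 * a standard CGI variable) are fallbacks for hosts where PHP_SELF is absent
 * or empty. PHP_SELF may carry trailing path info (/orders.php/123), so the
 * first path segment ending in .php is taken rather than basename().
 */
function cc_requested_script(array $server)
{
    foreach (array('PHP_SELF', 'SCRIPT_NAME', 'SCRIPT_FILENAME') as $key) {
        if (!isset($server[$key]) || trim($server[$key]) === '') {
            continue; // absent or blank: try the next variable
        }
        // Accept both / and \ as separators so a Windows SCRIPT_FILENAME works.
        if (preg_match('~([^/\\\\]+\.php)(?:[/?]|$)~i', $server[$key], $m)) {
            return strtolower($m[1]);
        }
    }
    return ''; // nothing usable: treated as "not an allowed entry script"
}

function cc_is_allowed_entry($script, array $allowed)
{
    return $script !== '' && in_array($script, $allowed, true);
}

// Call this at the top of every include file before any other code runs.
function cc_guard_direct_access(array $server, array $allowed)
{
    if (!cc_is_allowed_entry(cc_requested_script($server), $allowed)) {
        header('HTTP/1.0 403 Forbidden');
        exit('Access forbidden');
    }
}

// Alternative that needs no $_SERVER variable at all (standard PHP idiom,
// assumed here; the thread does not propose it): each entry script defines a
// marker before including anything, and every include checks for it.
//   index.php:            define('CC_INCLUDE', true); require 'includes/foo.inc.php';
//   includes/foo.inc.php: if (!defined('CC_INCLUDE')) { header('HTTP/1.0 403 Forbidden'); exit; }

// Constructed $_SERVER samples (not captured from real requests) showing how
// each host situation mentioned in the thread is handled.
if (PHP_SAPI === 'cli') {
    $samples = array(
        'apache'     => array('PHP_SELF' => '/index.php'),
        'path info'  => array('PHP_SELF' => '/orders.php/123'),
        'blank self' => array('PHP_SELF' => '', 'SCRIPT_NAME' => '/print.php'),
        'no self'    => array('SCRIPT_FILENAME' => 'C:\\www\\store\\orders.php'),
        'direct hit' => array('PHP_SELF' => '/includes/functions.inc.php'),
        'nothing'    => array(),
    );
    foreach ($samples as $label => $server) {
        $ok = cc_is_allowed_entry(cc_requested_script($server), $allowed_entry_scripts);
        printf("%-10s -> %s\n", $label, $ok ? 'allowed' : '403');
    }
}
```

Run from the command line it prints one line per sample: the first four resolve to an allowed entry script, the direct request for an include and the empty environment both yield 403. The last case is the one the 403 reports in this thread point at: a host that supplies none of the three variables will lock every request out, which is why the define()-marker variant in the comments is the more portable of the two checks.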

Thanks. I had a nasty feeling this could be an issue, but I think it's better to have a 403 than a self-mutating porno spamming script prostituting itself on your server.

For the masses I think today's fix is spot on; however, I'll have a think and see if we can find a more universally amicable solution. :whistle:

Thanks to all for their fantastic support. Onward upward...

Edited by brooky

For the masses I think today's fix is spot on

Other than all the 403 errors we are getting as a result of the fix - can't view orders, print order form, etc.

however I'll have a think and see if we can find a more universally amicable solution.

I trust this will be put out tomorrow, to fix all the 403 errors? Otherwise orders may be piling up with no way to access them in admin.


Guest theorbo

Well, gee guys. Apparently YOUR hosts don't do as mine did - shut the script down ENTIRELY, making the complete install unavailable to me until I have the upgrade ready to go.

For me, this is not a problem. My install is a "messing with it" one, while I figure out where I'm going from here. So while the shutdown created no big problems for me, I'm sure something like my host did could have caused even more havoc for those with busy stores.

You'd all better be DAMN GRATEFUL that this didn't occur the last week of holiday order time.

Brooky, you're to be congratulated for getting a fix for this out in such short order. I don't blame you, OR my host, for what happened.


Guest Marshalls

Well, I myself get tired of upgrading all the time, but you know what? If the upgrades stop coming, well, I might not be a happy person. Personally I think it's great that Brooky and others keep working on CubeCart every day and make it better and better.

To the people who complain about all the upgrades in versions? THEN DON'T DO THE UPGRADE! It's that simple.

I just wish the upgrades worked fresh out of the box :errm:

How do we know if someone is using our cart the wrong way? The reason for these upgrades? Is there a way to tell?


Guest theorbo

What my host told me, Marshalls, was that those on their servers who had attacks occur wound up with "massively proliferating porn" that they couldn't stop, some of which wound up on their own machines (and presumably customers' machines as well - which is MORE than ugly from any number of directions).

They had two reports before receiving the info (from Devellion Ltd. I presume) that there was a problem and that a fix/upgrade was in process. By that time, my host had done a servers-wide seek-and-shut-down which rendered CubeCart effectively harmless until upgrade - by that I mean that the host disabled access to EVERY CubeCart install on all of their servers. One of the support guys I talked to said that was a couple thousand installs. They also verified my upgrade in detail before emailing me that they were satisfied, so I guess it was a really ugly thing for the host itself to contemplate dealing with large-scale.

So I feel very lucky. I'm sure there are some pretty unhappy people out there; then again, "massively proliferating porn" isn't guaranteed to make any real happy campers either....


Guest TheWetFish

Is there a way to manually update without loading all the new files?

I would like to know also. Uploading all these files again is time consuming when on a dial-up connection speed of 19.2kbps. Honestly I would rather have the needed info for what needs to be adjusted and be able to edit files when not online and then upload them once they are ready. That way any mods added won't be affected either.

Thanks,

Matt


Guest theorbo

Since Register Globals isn't enabled on the server my stuff lives on, it's really none of my business. They shut my installs down as part of their servers-wide containment, which is fine. They'd forgotten I asked them to turn RG off when I set up with them apparently. I'm sure they're in process of finding out why it was on anywhere now!


Guest timecrisis

To the people who complain about all the upgrades in versions? THEN DON'T DO THE UPGRADE! It's that simple.

I just wish the upgrades worked fresh out of the box :w00t:

How do we know if someone is using our cart the wrong way? The reason for these upgrades? Is there a way to tell?

Hi All and Marshalls,

I wanted to write this when .6 came out but thought I would hold and see what the next release was like...

Well, I don't agree that people should not upgrade if the upgrade has bugs... The upgrade should not be released until it is bug free (ish).

Security fixes are one thing. Great, thank you, I don't want mutating porn spam with my breakfast...

But it appears there are other bugs with PayPal order status etc...

I personally will not be upgrading until there is a new version with the bugs fixed. I went through all this with .6 and I think similar comments were made about new releases. Could a beta release not be a solution, as people seem to find these bugs quite quickly, and willing coders/Brooky's team can test the beta out?

I think if this was an open source project then fine, let the community work on it and fix it. I am not having a go at the great coders who are on this forum; they have helped me loads. But as a commercial product I feel the community is being relied on too heavily to fix buggy releases.

Sorry if anyone finds this offensive and I am not trying to put any forum members down but I don't think the current way versions are released is correct.

I agree with Marshalls in that we need more documentation of what has changed in a new version. I should not need to be using WinMerge; as a designer it doesn't tell me anything anyway! =)

But hey what do I know...I just hate sorting bugs when I should be playing with pretty colours in Pshop...Oh it is a hard life.... :sourcerer:


timecrisis, this very issue is being dealt with right now. I believe there will soon be a small core group of us who will "test drive" the new releases before the general public gets them. This team of qualified people should be able to squash 90%+ of the sniggly little things that have plagued previous releases. This will help EVERYBODY out in the long run.

:errm:


Guest overdrive

Hi, Sir William, I've updated my install to 3.07 (even though admin is still flashing that there is an update available for my 3.06, don't know why that is). As my store isn't live yet I've no idea about the 403 and PayPal orders errors others are reporting.

What I'd like to know is, should I go back to 3.06 and manually change the security holes or leave 3.07 and patch it up? (I changed the 'ugger is not a word' thing already.) General consensus seems mixed across forum veterans.

cheers TC
