Guest garyccchan, posted May 26, 2007

Hi all,

This is the problem my hosting company informed me of:

    /includes/orderSuccess.inc.php?&glob=25&cart_order_id=25&glob[rootDir]=

Apparently there's an unsanitized include() statement performed on the $... variable of your script, which allows attackers to execute arbitrary PHP code with your user permissions.

My hosting company informed me about this security hole. Can anyone tell me if there are any fixes for this? I am using the old version 3.05 and I don't want to upgrade to the newer version yet.

I checked through the web, and the following line seems to be causing the problem:

    include($glob['rootDir']."/classes/htmlMimeMail.php");

Your help will be highly appreciated.

Gary

markscarts, posted May 26, 2007

That is part of the reason there is a CubeCart 3.0.16 now.

Go to top of this page, find the downloads button, go there, login and look through all the CubeCart v. 3 files, from 3.0.6 on up. You will find mention of security holes and such that have been fixed as soon as they were discovered. Also, in the zip archives of most all these later versions, there are changelogs whereby you can see the actual areas that have been changed in the code for each version.

You *may* find this a near-monumental task, maybe not, but some advice is in order here: Upgrade your store(s) to the latest version. Whatever your hesitance is, overcome it. If the task is beyond you, go to cubecart.org or google the web and find a professional to do it for you. In the end, you will be glad you upgraded, as there have been many security updates since 3.0.5.

Guest garyccchan, posted May 27, 2007

> That is part of the reason there is a CubeCart 3.0.16 now.
>
> Go to top of this page, find the downloads button, go there, login and look through all the CubeCart v. 3 files, from 3.0.6 on up. You will find mention of security holes and such that have been fixed as soon as they were discovered. Also, in the zip archives of most all these later versions, there are changelogs whereby you can see the actual areas that have been changed in the code for each version.
>
> You *may* find this a near-monumental task, maybe not, but some advice is in order here: Upgrade your store(s) to the latest version. Whatever your hesitance is, overcome it. If the task is beyond you, go to cubecart.org or google the web and find a professional to do it for you. In the end, you will be glad you upgraded, as there have been many security updates since 3.0.5.

Thanks for your information. So do you mean that the problem could be solved if I upgrade the version to 3.0.16? I compared the two ordersuccess.inc.php files in 3.05 and 3.0.16, and both files are very similar.

Regards,

markscarts, posted May 27, 2007

Yes. Go ahead and read through the upgrade version files, you will see the info about security holes, security audits and security patches. Basically, if you stick with 3.0.5 you are asking for this type of trouble in my opinion.

Guest garyccchan, posted May 30, 2007

> Yes. Go ahead and read through the upgrade version files, you will see the info about security holes, security audits and security patches. Basically, if you stick with 3.0.5 you are asking for this type of trouble in my opinion.

Thank you again. I have upgraded to 3.0.16 manually. I made the changes file by file using WinMerge; there are still a few errors after the upgrade, but I believe it is just a minor coding mistake.

However, when I checked the log file, the ordersuccess.ini.php still gives me a hacking problem. Now, could I just remove the whole line

    include($glob['rootDir']."/classes/htmlMimeMail.php");

from the file instead?

Guest, posted June 4, 2007

This code prevents this file from being called by itself, so the line above wouldn't do anything.

    // Refuse requests whose script path contains ".inc.php"
    if (eregi(".inc.php",$HTTP_SERVER_VARS['PHP_SELF']) || eregi(".inc.php",$_SERVER['PHP_SELF'])) {
        echo "<html>\r\n<head>\r\n<title>Forbidden 403</title>\r\n</head>\r\n<body><h3>Forbidden 403</h3>\r\nThe document you are requesting is forbidden.\r\n</body>\r\n</html>";
        exit;
    }

:)
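
One way to harden the include discussed in this thread, as an added example that is not CubeCart's code and not from any poster: the include-only file refuses to run unless the application's entry script defined a constant, and the include path is built from a root on disk instead of `$glob['rootDir']`. `STORE_ENTRY`, `require_entry_point()` and `safe_include_path()` are hypothetical names, the demo tree and the `$glob` value are constructed, and the layout (includes/ and classes/ directly under the store root) is assumed.

```php
<?php
// Added example; not CubeCart code. STORE_ENTRY, require_entry_point() and
// safe_include_path() are hypothetical names used for illustration.

// Guard 1: include-only files run only when the entry script defined this
// constant. A constant cannot be set from the query string.
function require_entry_point()
{
    if (!defined('STORE_ENTRY')) {
        header('HTTP/1.1 403 Forbidden');
        exit('Forbidden');
    }
}

// Guard 2: resolve the file under a root taken from disk, and reject any
// result that does not exist or resolves outside that root.
function safe_include_path($appRoot, $relative)
{
    $root = realpath($appRoot);
    $path = realpath($appRoot . '/' . $relative);
    if ($root === false || $path === false || !is_file($path)) {
        return false;
    }
    $prefix = $root . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : false;
}

// Constructed demo: a throwaway tree standing in for the store.
$demoRoot = sys_get_temp_dir() . '/store_demo_' . getmypid();
mkdir($demoRoot . '/classes', 0700, true);
file_put_contents($demoRoot . '/classes/htmlMimeMail.php', "<?php // stub\n");

define('STORE_ENTRY', true);   // done once by the entry script
require_entry_point();         // first statement of the include-only file

// Constructed request-supplied value; the hardened code never reads it.
$glob = array('rootDir' => '/path/not/chosen/by/the/application');

// In a real file under includes/, the root would be dirname(dirname(__FILE__)).
$mailer = safe_include_path($demoRoot, 'classes/htmlMimeMail.php');
if ($mailer === false) {
    exit('Required component missing');
}
require_once $mailer;
echo "included: $mailer\n";
// A path that resolves outside the root, or does not exist, is refused.
var_dump(safe_include_path($demoRoot, '../outside.php'));

unlink($mailer); rmdir($demoRoot . '/classes'); rmdir($demoRoot);
```

Unlike a check on `PHP_SELF`, the constant guard does not depend on how the request URL is written, and the path check holds even if `$glob` arrives populated from the request.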