ordersuccess.inc.php being compromised


Guest garyccchan


Hi all,

This is the problem reported by my hosting company: /includes/orderSuccess.inc.php?&glob=25&cart_order_id=25&glob[rootDir]=

Apparently there's an unsanitized include() statement performed on the $... variable of your script, which allows attackers to execute arbitrary PHP code with your user permissions.

My hosting company informed me about this security hole. Can anyone tell me if there are any fixes for this? I am using the old version 3.05 and I don't want to upgrade to the newer version yet. I checked through the web, and the following line seems to be causing the problem:

include($glob['rootDir']."/classes/htmlMimeMail.php");

Your help will be highly appreciated.

Gary
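For readers hitting the same report: the dangerous part of the line quoted above is that, with register_globals on, a request parameter such as glob[rootDir] can populate the array that the include() path is built from. The following is an added, illustrative hardening of that one include (it is not CubeCart's code from any version, and the vendor upgrade the thread recommends remains the real fix). It assumes the file lives in <app>/includes/ and the mail class in <app>/classes/; the helper name safe_include_from_root is made up for this example.

```php
<?php
// Added example, not CubeCart code: hardening the include
//   include($glob['rootDir']."/classes/htmlMimeMail.php");
// Assumptions (not from the original thread): this file sits in <app>/includes/
// and the class file in <app>/classes/.

// 1. Never let request data decide the root directory. Under register_globals a
//    parameter like ?glob[rootDir]=... would populate $glob, so derive the path
//    from this file's own location and overwrite whatever the request supplied.
$glob = (isset($glob) && is_array($glob)) ? $glob : array();
$glob['rootDir'] = realpath(dirname(dirname(__FILE__)));

// 2. Resolve the target and confirm it stays inside the application root before
//    including it. realpath() returns false for URLs and non-existent files and
//    collapses any "../" segments, so a prefix comparison on its result is sound.
function safe_include_from_root($rootDir, $relativePath)
{
    $target = realpath($rootDir . '/' . ltrim($relativePath, '/'));
    if ($target === false) {
        return false; // does not exist locally (covers remote URLs as well)
    }
    $rootPrefix = rtrim($rootDir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $rootPrefix, strlen($rootPrefix)) !== 0) {
        return false; // resolved outside the application root
    }
    require_once $target;
    return true;
}

// 3. Fail closed: an order-confirmation page must not continue without its
//    mail library rather than silently include something else.
if (!safe_include_from_root($glob['rootDir'], 'classes/htmlMimeMail.php')) {
    header('HTTP/1.0 500 Internal Server Error');
    exit('Required library not available.');
}
```

The key design choice is step 1: the root directory is a property of where the code is installed, not of the request, so it is computed from __FILE__ and anything that arrived in $glob['rootDir'] is discarded. Step 2 is belt-and-braces for the case where some other code path still assembles an include path from variable data.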

That is part of the reason there is a CubeCart 3.0.16 now :sourcerer:

Go to top of this page, find the downloads button, go there, login and look through all the CubeCart v. 3 files, from 3.0.6 on up. You will find mention of security holes and such that have been fixed as soon as they were discovered. Also, in the zip archives of most all these later versions, there are changelogs whereby you can see the actual areas that have been changed in the code for each version.

You *may* find this a near-monumental task, maybe not, but some advice is in order here: Upgrade your store(s) to the latest version. Whatever your hesitance is, overcome it. If the task is beyond you, go to cubecart.org or google the web and find a professional to do it for you. In the end, you will be glad you upgraded, as there have been many security updates since 3.0.5.

Guest garyccchan

That is part of the reason there is a CubeCart 3.0.16 now :huh:

Go to top of this page, find the downloads button, go there, login and look through all the CubeCart v. 3 files, from 3.0.6 on up. You will find mention of security holes and such that have been fixed as soon as they were discovered. Also, in the zip archives of most all these later versions, there are changelogs whereby you can see the actual areas that have been changed in the code for each version.

You *may* find this a near-monumental task, maybe not, but some advice is in order here: Upgrade your store(s) to the latest version. Whatever your hesitance is, overcome it. If the task is beyond you, go to cubecart.org or google the web and find a professional to do it for you. In the end, you will be glad you upgraded, as there have been many security updates since 3.0.5.

Thanks for your information. So do you mean that the problem could be solved if I upgrade the version to 3.0.16? I compared the two ordersuccess.inc.php files from 3.05 and 3.0.16, and both files are very similar.

Regards,

Guest garyccchan

Yes.

Go ahead and read through the upgrade version files, you will see the info about security holes, security audits and security patches.

Basically, if you stick with 3.0.5 you are asking for this type of trouble in my opinion.

Thank you again... I have upgraded to 3.0.16 manually; I made the changes file by file using WinMerge. There are still a few errors after the upgrade, but I believe they are just minor coding mistakes. However, when I checked the log file, ordersuccess.inc.php still gives me hacking problems. Now, could I just remove the whole line include($glob['rootDir']."/classes/htmlMimeMail.php"); from the file instead?

This code prevents this file from being called by itself, so the line above wouldn't do anything.

// Direct-access guard: refuse to serve the file when its own name (".inc.php")
// appears in the requested script path, i.e. when it is hit directly instead of
// being included by a page. eregi() is the PHP 4-era case-insensitive match
// (removed in PHP 7); $HTTP_SERVER_VARS is the old name for $_SERVER.
if (eregi(".inc.php",$HTTP_SERVER_VARS['PHP_SELF']) || eregi(".inc.php",$_SERVER['PHP_SELF'])) {
	echo "<html>\r\n<head>\r\n<title>Forbidden 403</title>\r\n</head>\r\n<body><h3>Forbidden 403</h3>\r\nThe document you are requesting is forbidden.\r\n</body>\r\n</html>";
	exit;
}

:)
