CubeCart v4 Security Patch



*Please note that this issue does not affect CubeCart v3 at all.*

This morning it has been brought to our attention that there is a security hole in CubeCart v4. A cross-site scripting vulnerability has been discovered, caused by a fault in the global sanitisation class of the ini.inc.php file.

There are two methods to patch your store:

1. Open the ini.inc.php file found in the store's root folder and find:

	function safety($val) {
		## strip null bytes
		$val = str_replace("\0", '', $val);
		## add slashes if magic quotes is off
		$val = (!get_magic_quotes_gpc()) ? addslashes($val) : $val;
		//return htmlspecialchars(strip_tags($val), ENT_NOQUOTES);
		return $val;
	}

Replace with:

	function safety($val) {
		return filter_var($val, FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES);
	}

2. Please upgrade to CubeCart 4.3.1-pl1 which is a patch level release of CubeCart 4.3.1 containing this code patch. This can be found in your customer area.

We apologize for any inconvenience caused. One of our customers' stores was affected by this security hole and for security reasons we will not disclose how the vulnerability could be replicated. These matters are of utmost importance to us and we have managed to resolve this issue in less than an hour after our staff were made aware of it. Please be sure to subscribe to this forum and our newsletter for future CubeCart news & announcements.

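The effect of the code change in step 1, as an added example that is not part of the original post or of CubeCart's own code: it runs the pre-patch and patched `safety()` bodies over constructed sample values and reports which results still carry HTML tags. The function names `legacy_safety`, `patched_safety`, `has_markup` and `compare_sanitisers` are hypothetical, and `FILTER_SANITIZE_STRING` is deprecated as of PHP 8.1.

```php
<?php
// Added example, not CubeCart code; function names and sample values are hypothetical.

// Pre-patch body: null bytes stripped, quotes escaped, markup left untouched.
function legacy_safety($val) {
    $val = str_replace("\0", '', $val);
    // get_magic_quotes_gpc() was removed in PHP 8, so treat it as "off" there.
    $magic = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
    return $magic ? $val : addslashes($val);
}

// Patched body. FILTER_SANITIZE_STRING is deprecated since PHP 8.1;
// the @ suppresses that notice so the comparison output stays readable.
function patched_safety($val) {
    return @filter_var($val, FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES);
}

// True when a value still contains something a browser would parse as a tag.
function has_markup($val) {
    return preg_match('/<[a-z!\/]/i', $val) === 1;
}

// Constructed sample values standing in for request parameters.
$samples = [
    'plain'  => 'Blue widget',
    'quotes' => "O'Reilly \"deluxe\" edition",
    'tag'    => 'Blue <b>widget</b>',
    'attr'   => '<img src="x.png" alt="widget">',
];

function compare_sanitisers(array $samples) {
    $report = [];
    foreach ($samples as $name => $raw) {
        $new = patched_safety($raw);
        $report[$name] = [
            'legacy_keeps_markup'  => has_markup(legacy_safety($raw)),
            'patched_keeps_markup' => has_markup($new),
            // Encode at the point of output regardless of input filtering.
            'safe_to_echo'         => htmlspecialchars($new, ENT_QUOTES, 'UTF-8'),
        ];
    }
    return $report;
}

foreach (compare_sanitisers($samples) as $name => $row) {
    printf("%-7s legacy=%s patched=%s out=%s\n", $name,
        var_export($row['legacy_keeps_markup'], true),
        var_export($row['patched_keeps_markup'], true), $row['safe_to_echo']);
}
```

Run it with the PHP CLI on the same PHP version as the store to confirm the patched function is the one in effect after editing ini.inc.php.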