Al Brookbanks

CubeCart 3.0.20 Released


CubeCart 3.0.20 has just been released after a vulnerability was discovered from a McAfee Secure vulnerability scan. The vulnerability allows for an SQL Error disclosure or possible SQL Injection.

The fix is very straightforward. Either replace your existing file with the one attached below:

includes/boxes/shoppingCart.inc.php

shoppingCart.inc.php

Or the file can be patched manually by making the following code change on line 113:

Find:

$option = $db->select("SELECT ".$glob['dbprefix']."CubeCart_options_bot.option_id, ".$glob['dbprefix']."CubeCart_options_bot.value_id, option_price, option_symbol, assign_id FROM `".$glob['dbprefix']."CubeCart_options_bot` INNER JOIN `".$glob['dbprefix']."CubeCart_options_mid` ON ".$glob['dbprefix']."CubeCart_options_mid.value_id = ".$glob['dbprefix']."CubeCart_options_bot.value_id INNER JOIN `".$glob['dbprefix']."CubeCart_options_top` ON ".$glob['dbprefix']."CubeCart_options_bot.option_id = ".$glob['dbprefix']."CubeCart_options_top.option_id WHERE assign_id = ".$value);



Replace with:

$option = $db->select("SELECT ".$glob['dbprefix']."CubeCart_options_bot.option_id, ".$glob['dbprefix']."CubeCart_options_bot.value_id, option_price, option_symbol, assign_id FROM `".$glob['dbprefix']."CubeCart_options_bot` INNER JOIN `".$glob['dbprefix']."CubeCart_options_mid` ON ".$glob['dbprefix']."CubeCart_options_mid.value_id = ".$glob['dbprefix']."CubeCart_options_bot.value_id INNER JOIN `".$glob['dbprefix']."CubeCart_options_top` ON ".$glob['dbprefix']."CubeCart_options_bot.option_id = ".$glob['dbprefix']."CubeCart_options_top.option_id WHERE assign_id = ".$db->mySQLSafe($value));

A file comparison report has been bundled in the "changelog" folder.

Download CubeCart 3.0.20 Here
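
An added example, not part of the original post or CubeCart's own code: because `assign_id` sits in a numeric position in the query above, another way to close this class of bug is to accept only a plain integer and bind it as a parameter. It assumes PHP 7.1+ with the PDO SQLite driver; `parseAssignId`, `fetchOption`, the column placement and the sample rows are hypothetical.

```php
<?php
// Added example, not CubeCart code. Table names follow the query on this
// page; the column placement, SQLite database and rows are constructed.

// Accept only a plain decimal integer; anything else yields null.
function parseAssignId($raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    return preg_match('/^[0-9]{1,9}$/D', (string) $raw) ? (int) $raw : null;
}

// Look up option rows with assign_id bound as an integer parameter.
// $prefix stands in for $glob['dbprefix'] and must come from config only.
function fetchOption(PDO $pdo, string $prefix, $raw): array
{
    $id = parseAssignId($raw);
    if ($id === null) {
        return []; // malformed input never reaches the SQL layer
    }
    $sql = "SELECT b.option_id, b.value_id, option_price, option_symbol, assign_id
            FROM {$prefix}CubeCart_options_bot AS b
            INNER JOIN {$prefix}CubeCart_options_mid AS m ON m.value_id = b.value_id
            INNER JOIN {$prefix}CubeCart_options_top AS t ON b.option_id = t.option_id
            WHERE assign_id = :assign_id";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':assign_id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE CubeCart_options_top (option_id INTEGER)");
$pdo->exec("CREATE TABLE CubeCart_options_mid (value_id INTEGER)");
$pdo->exec("CREATE TABLE CubeCart_options_bot (assign_id INTEGER, option_id INTEGER,
            value_id INTEGER, option_price REAL, option_symbol TEXT)");
$pdo->exec("INSERT INTO CubeCart_options_top VALUES (1)");
$pdo->exec("INSERT INTO CubeCart_options_mid VALUES (7)");
$pdo->exec("INSERT INTO CubeCart_options_bot VALUES (12, 1, 7, 2.50, '+')");

// Constructed inputs: one valid id, then malformed values that would
// otherwise surface as SQL errors.
foreach (['12', "12'", '1e3', '', ['12']] as $raw) {
    $rows = fetchOption($pdo, '', $raw);
    printf("%-8s => %d row(s)\n", json_encode($raw), count($rows));
}
```

Only the valid id returns a row; every malformed value is rejected before a statement is prepared, so no database error text can leak into the page.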
