Guest PLMaster Posted November 2, 2009

I'm running 4.2.2 because upgrading all twelve mods and trying to figure out the changes to a custom skin are too much for me to handle. I downloaded the session vulnerability file (replacing cc_admin_sessions) on this page: http://forums.cubecart.com/index.php?showtopic=39748#

This causes the following error when you try to log in to admin:

    Error Message: 1054: Unknown column 'salt' in 'field list'
    SQL: SELECT `adminId`, `salt` FROM CubeCart_admin_users WHERE `username`='ThirdAdmin'

When I first uploaded the file I was logged in already, and when I logged out to test logging in, I got this:

    Error Message: 1048: Column 'sessIp' cannot be null
    SQL: UPDATE CubeCart_admin_users SET `sessId` = NULL,`sessIp` = NULL,`browser` = NULL WHERE sessId = '293d4a444fc5d56b4d56bf24a4d61e18';

Is there a fix for this vulnerability that doesn't require a full upgrade? In the meantime I've reloaded our old admin sessions file.

Thanks

onebrowncow Posted November 2, 2009

I think we need some clarity on exactly which versions of CC4 are affected. The news bulletin does not make it clear if older version 4's have the same vulnerability. The article detailing the issue mentions version 4.3.4. Can someone advise if versions prior to 4.3.4 need a patch and how it should be done, as clearly the patch released only works for 4.3.4 or above.

Jayden Posted November 3, 2009

We are still using CC4.2.1 and have experienced exactly the same problem after only uploading the new cc_admin_session.php file over the existing one. We have then reverted the change to make the admin side work again.

Guest PLMaster Posted November 3, 2009

It says CubeCart less than the latest, but higher than 3, so I'd assume that means me with 4.2.2. Unfortunately we can't fix it yet, so does anyone have an answer to this?

Ausy Posted November 3, 2009

> It says CubeCart less than the latest, but higher than 3, so I'd assume that means me with 4.2.2. Unfortunately we can't fix it yet so does anyone have an answer to this?

The issues are due to not running the latest versions. I know it's a pain, but surely it's worthwhile upgrading your stores. There are many, many bug fixes in the releases after your versions and some important upgrades if you use PayPal Pro and other payment methods.

I can tell you how to add the salt field to your database, which will probably sort the first error you have, but I don't know if that will cure or cause any other issues.

Guest PLMaster Posted November 3, 2009

Adding the field would be fine, but it took us so long just to get things to work after we GOT to 4.2.2 because we modified the look of the template. Any upgrading problems were almost always template problems and we could rarely get help because we didn't use an out of box template as is. So now that it's stable we prefer to just do vulnerability patches and not go through the massive hassle upgrading has always been for us, dating back to when we used V3.

So, in short, adding the salt field would be helpful for us.

Ausy Posted November 3, 2009

OK, go to phpMyAdmin and on your database run this query.

    ALTER TABLE CubeCart_customer ADD salt VARCHAR(6) NOT NULL AFTER password

Guest gis100 Posted November 4, 2009

> go to phpmyadmin and on your database run this query.
>
>     ALTER TABLE CubeCart_customer ADD salt VARCHAR(6) NOT NULL AFTER password

Does this work for everybody??? I'm running 4.2.3 and I'd like to have some feedback from other customers before altering my database.

Ausy Posted November 4, 2009

> go to phpmyadmin and on your database run this query.
>
>     ALTER TABLE CubeCart_customer ADD salt VARCHAR(6) NOT NULL AFTER password
>
> Does this work for everybody??? I'm running 4.2.3 and I'd like to have some feedback from other customers before altering my database.

Yes it should do, see the latest release information here. http://forums.cubecart.com/index.php?showt...mp;#entry168534

Guest imjesus Posted November 4, 2009

I've run the script, and the SALT field is now there - but when I try and log in now, I can't. It just reloads the page, and wipes the fields, with no error message etc.

Guest imjesus Posted November 4, 2009

Oh, by the way I'm running 4.1.1 - I've just restored the original file but now can't log in as any user? Please help!

[RESOLVED] No worries, I sorted it by manually resetting each Admin password in MySQL. It seems after adding the new column it made all my passwords unusable etc.

Guest PLMaster Posted November 5, 2009

I just loaded the most recent sessions file they posted this morning to my 4.2.2, ran the salt query, and all is good except if I try to log out, when I get this:

    Error Message: 1048: Column 'sessIp' cannot be null
    SQL: UPDATE CubeCart_admin_users SET `sessId` = NULL,`sessIp` = NULL,`browser` = NULL WHERE sessId = '766486c7f01c059d52bec5ab580b012c';

Gotta be able to log out. Anyone have any ideas?

Dodgebill Posted November 5, 2009

Manually reset the password? How? I have tried everything and it won't let me log in. I did the "reset password" thing from the admin login page and it still won't let me in. I have orders to get out and need back in fast! How can you reset it in the DB, or can you?

Bill

Guest PLMaster Posted November 5, 2009

The fix for my issue was this:

    ALTER TABLE `CubeCart_admin_users` CHANGE `sessIp` `sessIp` VARCHAR( 15 ) NULL DEFAULT NULL;

Thanks Al

Didn't have the password problem, so I'm not sure how to go about that.

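Both errors reported in this thread (1054 for the missing `salt` column, 1048 for `sessIp` rejecting NULL on logout) can be checked for before the replacement session file is uploaded. The following read-only check is an added example, not code from any poster or from CubeCart; it assumes MySQL 5 or later (for `information_schema`) and the `CubeCart_` table prefix shown in the error messages above.

```sql
-- Added example: read-only pre-flight check, changes nothing.
-- Run it in phpMyAdmin with the store's database selected.
-- Assumption: the table prefix is 'CubeCart_' as in the errors quoted above;
-- change the table name if your store uses another prefix.

-- 1) Detail view: the columns the new session file reads or sets to NULL,
--    according to the two SQL statements quoted in the error messages.
SELECT COLUMN_NAME, COLUMN_TYPE, IS_NULLABLE, COLUMN_DEFAULT
FROM information_schema.COLUMNS
WHERE TABLE_SCHEMA = DATABASE()
  AND TABLE_NAME   = 'CubeCart_admin_users'
  AND COLUMN_NAME IN ('salt', 'sessId', 'sessIp', 'browser')
ORDER BY COLUMN_NAME;

-- 2) One-row verdict mapped to the two error codes seen in the thread.
--    A missing table also yields the "MISSING" / "NOT NULL or missing" text,
--    because SUM() over zero rows is NULL and NULL > 0 is not true.
SELECT
    IF(SUM(COLUMN_NAME = 'salt') > 0,
       'present',
       'MISSING: admin login will fail with error 1054') AS salt_column,
    IF(SUM(COLUMN_NAME = 'sessIp' AND IS_NULLABLE = 'YES') > 0,
       'nullable',
       'NOT NULL or missing: logout will fail with error 1048') AS sessIp_column,
    -- sessId and browser are set to NULL by the same logout UPDATE
    IF(SUM(COLUMN_NAME IN ('sessId', 'browser') AND IS_NULLABLE = 'YES') = 2,
       'nullable',
       'at least one is NOT NULL or missing') AS sessId_and_browser
FROM information_schema.COLUMNS
WHERE TABLE_SCHEMA = DATABASE()
  AND TABLE_NAME   = 'CubeCart_admin_users';
```

Any column flagged here is one the schema change has to cover before the file swap, which avoids locking admins out mid-session.
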
Dodgebill Posted November 5, 2009

I was able to get logged in after doing all the above BUT, I can't login securely anymore. The https login does not work still. Any ideas?

Bill

Guest imjesus Posted November 6, 2009

Great update huh! ;-)

I fixed my 'not being able to log in' by resetting my password in the SQL field (phpMyAdmin) - looking under the Admin users table, and typing a new password in the 'password' field, and changing the field type to 'MD5' which then encrypts the password. I had to do this manually for each admin user before it worked.

Dodgebill Posted November 6, 2009

> Great update huh! ;-)

Don't report the issue to support. Ask how I know..... something about shooting the messenger.

Is there a fix for this yet? I hate not logging in securely. Not that it matters, I don't see a bug fix for the secure cookie issue that leaves our stores wide open to attack. Maybe someday.....

Al Brookbanks Posted November 6, 2009

We have made a new file for CubeCart < 4.3.0 to get over any "salt" problems. If you have updated the file and have problems logging in, please update the file from the announcement and then use the password reset tool to regain access.

http://forums.cubecart.com/index.php?showt...mp;#entry168534

Jayden Posted November 7, 2009

> We have made a new file for CubeCart < 4.3.0 to get over any "salt" problems. If you have updated the file and have problems logging in please update the file from the announcement and then use the password reset tool to regain access.
>
> http://forums.cubecart.com/index.php?showt...mp;#entry168534

This has worked well for my CC4.2.1 store. Thanks.

Next time please keep us (who are still using older CC4) in mind at the very beginning whenever you issue a critical patch, so we would NOT encounter unnecessary troubles, actually, lots of unnecessary troubles.

Thanks again.