Admin session patch causes SQL break


Guest PLMaster

I'm running 4.2.2 because upgrading all twelve mods and trying to figure out the changes to a custom skin are too much for me to handle. I downloaded the session vulnerability file (replacing cc_admin_sessions) on this page: http://forums.cubecart.com/index.php?showtopic=39748#

This causes the following error when you try to log in to admin:

Error Message:

1054: Unknown column 'salt' in 'field list'



SQL:

SELECT `adminId`, `salt` FROM CubeCart_admin_users WHERE `username`='ThirdAdmin'




When I first uploaded the file I was logged in already, and when I logged out to test logging in, I got this:




Error Message:

1048: Column 'sessIp' cannot be null



SQL:

UPDATE CubeCart_admin_users SET `sessId` = NULL,`sessIp` = NULL,`browser` = NULL WHERE sessId = '293d4a444fc5d56b4d56bf24a4d61e18';

Is there a fix for this vulnerability that doesn't require a full upgrade? In the meantime I've reloaded our old admin sessions file.

Thanks

Link to comment
Share on other sites

I think we need some clarity on exactly which versions of CC4 are affected. The news bulletin does not make it clear if older version 4's have the same vulnerability. The article detailing the issue mentions version 4.3.4. Can someone advise if versions prior to 4.3.4 need a patch and how it should be done, as clearly the patch released only works for 4.3.4 or above?

Link to comment
Share on other sites

Guest PLMaster

It says CubeCart less than the latest, but higher than 3, so I'd assume that means me with 4.2.2. Unfortunately we can't fix it yet so does anyone have an answer to this?

Link to comment
Share on other sites

It says CubeCart less than the latest, but higher than 3, so I'd assume that means me with 4.2.2. Unfortunately we can't fix it yet so does anyone have an answer to this?

The issues are due to not running the latest versions. I know it's a pain but surely it's worthwhile upgrading your stores. There are many many bug fixes in the releases after your versions and some important upgrades if you use PayPal pro and other payment methods.

I can tell you how to add the salt field to your database which will probably sort the first error you have but I don't know if that will cure or cause any other issues.

Link to comment
Share on other sites

Guest PLMaster

Adding the field would be fine but it took us so long just to get things to work after we GOT to 4.2.2 because we modified the look of the template. Any upgrading problems were almost always template problems and we could rarely get help because we didn't use an out of box template as is. So now that it's stable we prefer to just do vulnerability patches and not go through the massive hassle upgrading has always been for us, dating back to when we used V3. So, in short, adding the salt field would be helpful for us.

Link to comment
Share on other sites

go to phpmyadmin and on your database run this query.

ALTER TABLE CubeCart_customer ADD salt VARCHAR(6) NOT NULL AFTER password

Does this work for everybody??? I'm running 4.2.3 and I'd like to have some feedback from other customers before altering my database.

Link to comment
Share on other sites

go to phpmyadmin and on your database run this query.

ALTER TABLE CubeCart_customer ADD salt VARCHAR(6) NOT NULL AFTER password

Does this work for everybody??? I'm running 4.2.3 and I'd like to have some feedback from other customers before altering my database.

Yes it should do, see the latest release information here. http://forums.cubecart.com/index.php?showt...mp;#entry168534

Link to comment
Share on other sites

Guest imjesus

I've run the script, and the SALT field is now there - but when I try and log in now, I can't.

It just reloads the page, and wipes the fields, with no error message etc.

Link to comment
Share on other sites

Guest imjesus

Oh, by the way I'm running 4.1.1 - I've just restored the original file but now can't log in as any user?

Please help!

[RESOLVED]

No worries, I sorted it, by manually resetting each Admin password in MySQL, it seems after adding the new column it made all my passwords unusable etc.

Link to comment
Share on other sites

Guest PLMaster

I just loaded the most recent sessions file they posted this morning to my 4.2.2, ran the salt query, and all is good except if I try to log out, when I get this:

Error Message:

1048: Column 'sessIp' cannot be null

SQL:

UPDATE CubeCart_admin_users SET `sessId` = NULL,`sessIp` = NULL,`browser` = NULL WHERE sessId = '766486c7f01c059d52bec5ab580b012c';

Gotta be able to log out. Anyone have any ideas?

Link to comment
Share on other sites

Manually reset the password? How? I have tried everything and it won't let me log in. I did the "reset password" thing from the admin login page and it still won't let me in. I have orders to get out and need back in fast!

How can you reset it in the DB, or can you?

Bill

Link to comment
Share on other sites

Guest PLMaster

The fix for my issue was this:

ALTER TABLE `CubeCart_admin_users` CHANGE `sessIp` `sessIp` VARCHAR( 15 ) NULL DEFAULT NULL;

Thanks Al

Didn't have the password problem, so I'm not sure how to go about that.

Link to comment
Share on other sites
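
The two errors in this thread (1054 on `salt`, 1048 on `sessIp`) both appear when the patched session file runs against an older store's `CubeCart_admin_users` table. As an added example (not from the original posts or from CubeCart), these MySQL queries check the columns named in the thread's error output before the file is uploaded; the backup table name is hypothetical and the store's database is assumed to be the currently selected one.

```sql
-- Added example, not CubeCart's own code.
-- Table and column names come from the SQL shown in the error messages above.

-- 1. Keep a copy of the admin table before any ALTER, so a lockout can be
--    undone. The name CubeCart_admin_users_backup is hypothetical.
CREATE TABLE CubeCart_admin_users_backup LIKE CubeCart_admin_users;
INSERT INTO CubeCart_admin_users_backup SELECT * FROM CubeCart_admin_users;

-- 2. List the columns the patched file reads or writes, with nullability.
--    A column that is absent from this result does not exist in the table.
SELECT COLUMN_NAME, COLUMN_TYPE, IS_NULLABLE, COLUMN_DEFAULT
FROM information_schema.COLUMNS
WHERE TABLE_SCHEMA = DATABASE()
  AND TABLE_NAME   = 'CubeCart_admin_users'
  AND COLUMN_NAME IN ('salt', 'sessId', 'sessIp', 'browser')
ORDER BY ORDINAL_POSITION;

-- 3. One-row summary of the same check:
--    has_salt = 0               -> the login SELECT fails with
--                                  1054 "Unknown column 'salt'"
--    not_null_session_cols > 0  -> the logout UPDATE that sets sessId,
--                                  sessIp and browser to NULL fails with
--                                  1048 "Column ... cannot be null"
SELECT
    COALESCE(SUM(COLUMN_NAME = 'salt'), 0) AS has_salt,
    COALESCE(SUM(COLUMN_NAME IN ('sessId', 'sessIp', 'browser')
                 AND IS_NULLABLE = 'NO'), 0) AS not_null_session_cols
FROM information_schema.COLUMNS
WHERE TABLE_SCHEMA = DATABASE()
  AND TABLE_NAME   = 'CubeCart_admin_users';
```
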

Guest imjesus

Great update huh! ;-)

I fixed my 'not being able to log in' by resetting my password in the SQL field (phpMyAdmin) - looking under the Admin users table, and typing a new password in the 'password' field, and changing the field type to 'MD5' which then encrypts the password.

I had to do this manually for each admin user before it worked.

Link to comment
Share on other sites

Great update huh! ;-)

Don't report the issue to support. Ask how I know..... something about shooting the messenger :rolleyes:

Is there a fix for this yet? I hate not logging in securely. Not that it matters, I don't see a bug fix for the secure cookie issue that leaves our stores wide open to attack. Maybe someday.....

Link to comment
Share on other sites

We have made a new file for CubeCart < 4.3.0 to get over any "salt" problems. If you have updated the file and have problems logging in please update the file from the announcement and then use the password reset tool to regain access.

http://forums.cubecart.com/index.php?showt...mp;#entry168534

This has worked well for my CC4.2.1 store. Thanks.

Next time please keep us (who are still using older CC4) in mind at the very beginning whenever you issue a critical patch, so we would NOT encounter unnecessary troubles, actually, lots of unnecessary troubles. Thanks again.

Link to comment
Share on other sites
