CubeCart 2.0.6 Released


Al Brookbanks

Recommended Posts

##################################################

###### UPGRADE FROM CubeCart 2.0.5 to 2.0.6 ######

##################################################

Thanks go to Lostmon and Booker!



Changed files:

1. information.php - Fix path disclosure
2. language.php - Fix path disclosure
3. list_docs.php - Fix path disclosure
4. popular_prod.php - Fix path disclosure
5. sale.php - Fix path disclosure
6. subfooter.inc.php - Fix path disclosure
7. subheader.inc.php - Fix path disclosure
8. cat_navi.php - Fix path disclosure
9. check_sum.php - Fix path disclosure

10. ver.php - Changes Version Number

11. admin/orders.php - Date formatting discrepancy

12. settings.inc.php - Fix XSS Security Hole with GET Vars





#################################

## START OF MANUAL FIX 

#################################



1. Fix Path Disclosure





///////////////////////////////

// Open: 

// information.php

// language.php

// list_docs.php

// popular_prod.php

// sale.php

// subfooter.inc.php

// subheader.inc.php

// cat_navi.php

////////



At around line 26 find:

+----------------------------------------------------

***************************************************************************/

+----------------------------------------------------



Directly after (on the next line) add:

+----------------------------------------------------

if(!function_exists("sb")){



	exit;



}

+----------------------------------------------------



10. ver.php

///////////////////////////////

// Open ver.php

//////// 

Find

+----------------------------------------------------

<?php

$estore_ver="2.0.5";

?>

+----------------------------------------------------



Replace it with:

+----------------------------------------------------

<?php

$estore_ver="2.0.6";

?>

+----------------------------------------------------





11. admin/orders.php

///////////////////////////////

// Open admin/orders.php

//////// 

Find

+----------------------------------------------------

// US date format



 if($date_style=="1")

  {

 $date="$month/$day/$year";}

 // EU date format

 if($date_style=="0")

  {

 $date="$day/$month/$year";}

+----------------------------------------------------



Replace it with:

+----------------------------------------------------



 if($date_style=="1")

  {

 $date="$day/$month/$year";

  } else {

 $date="$month/$day/$year";

  }

+----------------------------------------------------



12. admin/settings.inc.php

///////////////////////////////

// Open admin/settings.inc.php

////////

 

Find Line 26:

+----------------------------------------------------

***************************************************************************/

+----------------------------------------------------



Below it add:

+----------------------------------------------------

// clean GET vars

if (isset($_GET)){



	foreach($_GET as $key => $value){



  $$key = str_replace(array("\"","'"),"",strip_tags($value)); 



	}



}

+----------------------------------------------------





#################################

## END OF MANUAL FIX

#################################
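The two kinds of fix in the notes above, the direct-access guard that stops an include file from running (and printing its own path in a PHP warning) when requested on its own, and the sanitisation of GET parameters in settings.inc.php, are illustrated below. This is an added example written for this page, not CubeCart's own code; the names CUBECART_ROOT, guard_by_function, guard_by_constant, clean_like_patch, read_allowed and html, and the sample request, are assumptions made for the example. Beside each of the patch's techniques it shows a stricter variant: a constant-based guard instead of a function_exists() check, and an allowlist of parameters with encoding at output time instead of a character blacklist written into variable variables.

```php
<?php
// Added example, not CubeCart code. Function and constant names are assumed.

// --- 1. Direct-access guard for include files ----------------------------
// An include such as cat_navi.php expects to be loaded by a front controller
// that has already defined helper functions. Requested directly, it runs with
// those helpers missing and PHP's error output reveals the absolute path of
// the script (the "path disclosure"). Exiting when the expected function is
// absent, as the 2.0.6 patch does with sb(), prevents that.
function guard_by_function(string $fn): bool
{
    if (!function_exists($fn)) {
        exit;          // stop before any warning can print the file path
    }
    return true;
}

// Stricter variant: test a constant that only the entry script defines, so the
// guard does not depend on whether some helper happens to be loaded.
// Entry script would contain:  define('CUBECART_ROOT', __DIR__);  (assumed name)
function guard_by_constant(string $const): bool
{
    if (!defined($const)) {
        header('HTTP/1.1 403 Forbidden');
        exit;
    }
    return true;
}

// --- 2. Handling GET parameters ------------------------------------------
// The patch's approach: strip tags and quote characters from every GET value
// and register each result under the parameter's own name ($$key). Here the
// same cleaning is done into an array so the behaviour can be inspected.
function clean_like_patch(array $get): array
{
    $out = [];
    foreach ($get as $key => $value) {
        $out[$key] = str_replace(['"', "'"], '', strip_tags((string) $value));
    }
    return $out;
}

// Stricter variant: read only the parameters the page actually uses and keep
// the raw value. Unknown keys are ignored, so a request cannot create or
// overwrite arbitrary script variables the way $$key can.
function read_allowed(array $get, array $allowed): array
{
    $out = [];
    foreach ($allowed as $key) {
        if (isset($get[$key]) && is_string($get[$key])) {
            $out[$key] = $get[$key];
        }
    }
    return $out;
}

// Encode at the point where a value is written into HTML. Every character that
// has meaning in markup or attributes is turned into an entity, whatever the
// input contained, so no blacklist of characters needs to be maintained.
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample request for this example, not captured from a real site.
$sample = [
    'cat_id'     => '12',
    'search'     => '<b onmouseover=x>shoes</b>',
    'unexpected' => '1',
];

// Patch-style cleaning: tags and quotes are removed, but the 'unexpected'
// key is still carried through and would become a script variable.
$cleaned = clean_like_patch($sample);

// Allowlist plus output encoding: only cat_id and search are read, and the
// search text is rendered as inert entities inside the attribute.
$params = read_allowed($sample, ['cat_id', 'search']);
echo '<input name="search" value="' . html($params['search'] ?? '') . '">' . PHP_EOL;
echo '<a href="index.php?cat_id=' . urlencode($params['cat_id'] ?? '') . '">category</a>' . PHP_EOL;
```

Run with the PHP CLI (`php example.php`) to see the encoded markup. The guard functions are shown rather than called at top level because, by design, they terminate the script when their condition fails; in a real include they would sit at the top of the file, exactly where the notes above place the sb() check.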
