Al Brookbanks, posted February 25, 2005

CubeCart 2.0.6 can be downloaded from the Downloads section of this site. A manual fix is shown in the next post:
Al Brookbanks (author), posted February 25, 2005

##################################################
###### UPGRADE FROM CubeCart 2.0.5 to 2.0.6 ######
##################################################

Thanks go to Lostmon and Booker!

Changed files:

1. information.php - Fix path disclosure
2. language.php - Fix path disclosure
3. list_docs.php - Fix path disclosure
4. popular_prod.php - Fix path disclosure
5. sale.php - Fix path disclosure
6. subfooter.inc.php - Fix path disclosure
7. subheader.inc.php - Fix path disclosure
8. cat_navi.php - Fix path disclosure
9. check_sum.php - Fix path disclosure
10. ver.php - Changes version number
11. admin/orders.php - Date formatting discrepancy
12. settings.inc.php - Fix XSS security hole with GET vars

#################################
## START OF MANUAL FIX
#################################

1. Fix Path Disclosure
///////////////////////////////
// Open:
// information.php
// language.php
// list_docs.php
// popular_prod.php
// sale.php
// subfooter.inc.php
// subheader.inc.php
// cat_navi.php
////////

At around line 26 find:

+----------------------------------------------------
***************************************************************************/
+----------------------------------------------------

Directly after (on the next line) add:

+----------------------------------------------------
if(!function_exists("sb")){ exit; }
+----------------------------------------------------

10. ver.php
///////////////////////////////
// Open ver.php
////////

Find:

+----------------------------------------------------
<?php $estore_ver="2.0.5"; ?>
+----------------------------------------------------

Replace it with:

+----------------------------------------------------
<?php $estore_ver="2.0.6"; ?>
+----------------------------------------------------

11. admin/orders.php
///////////////////////////////
// Open admin/orders.php
////////

Find:

+----------------------------------------------------
// US date format
if($date_style=="1") { $date="$month/$day/$year";}
// EU date format
if($date_style=="0") { $date="$day/$month/$year";}
+----------------------------------------------------

Replace it with:

+----------------------------------------------------
if($date_style=="1") {
    $date="$day/$month/$year";
} else {
    $date="$month/$day/$year";
}
+----------------------------------------------------

12. admin/settings.inc.php
///////////////////////////////
// Open admin/settings.inc.php
////////

Find line 26:

+----------------------------------------------------
***************************************************************************/
+----------------------------------------------------

Below it add:

+----------------------------------------------------
// clean GET vars
if (isset($_GET)){
    foreach($_GET as $key => $value){
        $$key = str_replace(array("\"","'"),"",strip_tags($value));
    }
}
+----------------------------------------------------

#################################
## END OF MANUAL FIX
#################################
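The two security-relevant patterns in the manual fix above (the include guard that stops path disclosure, and the GET-variable cleaning for the XSS fix) as a stand-alone script. This is an added example, not code from the CubeCart 2.0.6 release or from the post above; the function names `loaded_via_main_script`, `clean_get_vars` and `html_escape` and the sample query-string array are this example's own and are not part of CubeCart. It returns the cleaned values as an array rather than assigning them with `$$key`, because a variable variable keyed on a query-string name lets any request define an arbitrary variable in the including script's scope.

```php
<?php
// Added example: demonstrates the two patterns from the CubeCart 2.0.5 -> 2.0.6
// manual fix. Not part of CubeCart; function names and sample input are
// assumptions made for this example.

// 1. Path disclosure guard. The fix adds `if(!function_exists("sb")){ exit; }`
//    to files that are only meant to be included. When such a file is requested
//    directly, the main script has not defined sb(), so execution stops before
//    PHP emits a warning or fatal error that would echo the server path.
//    Wrapped in a function here so it can be exercised without calling exit().
function loaded_via_main_script(string $marker_function = 'sb'): bool
{
    return function_exists($marker_function);
}

// 2. GET-variable cleaning, as in the admin/settings.inc.php fix: strip HTML
//    tags, then remove double and single quotes. Unlike the fix, this returns
//    a fresh array instead of writing $$key, so request parameter names cannot
//    overwrite variables in the caller's scope.
function clean_get_vars(array $get): array
{
    $clean = [];
    foreach ($get as $key => $value) {
        if (!is_string($value)) {
            // Array parameters (?a[]=1) are skipped; strip_tags() expects a string.
            continue;
        }
        $clean[$key] = str_replace(['"', "'"], '', strip_tags($value));
    }
    return $clean;
}

// 3. Output encoding. Stripping tags and quotes on input is what the fix does;
//    encoding at the point of output is the complementary defence a practitioner
//    would add so that whatever survives input cleaning cannot become markup.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input standing in for $_GET (assumption for this example).
$sample = [
    'page' => '2',
    'name' => '<script>alert(1)</script>Bob',
    'q'    => "it's \"quoted\"",
];

if (!loaded_via_main_script()) {
    // In an included CubeCart file this branch would simply be `exit;`.
    echo "sb() is not defined: the include guard would stop here\n";
}

// Expected: page => 2, name => alert(1)Bob, q => its quoted
print_r(clean_get_vars($sample));

foreach (clean_get_vars($sample) as $key => $value) {
    echo $key, ' = ', html_escape($value), "\n";
}
```

Run with `php example.php`. Note that `strip_tags()` removes the `<script>` tags but leaves their text content, so `alert(1)Bob` is still returned; that is why the value is escaped again before being echoed.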