
osCMax Security Update - XSS flaw patched



michael_s
01-26-2009, 01:08 PM
A new blog entry has been added:

osCMax Security Update - XSS flaw patched


An XSS security flaw has been found in osCMax, specifically the printable catalog module. The flaw is in all 2.0 versions, including RC3, RC3.0.1, RC3.0.2, and RC4 SVN.

mfleeson
01-27-2009, 02:23 PM
Just to say many, many thanks.

Mark

michael_s
01-27-2009, 02:24 PM
No problem, now get that patch installed before something bad happens ;)

mfleeson
01-27-2009, 02:28 PM
Done and tested on my two stores before I wrote on the forum. Cheers. M

MindTwist
01-27-2009, 02:53 PM
Now to do some file comparing... Any hints on what code to change? My printable catalog with images is a bit customized, so I would have to compare my original file with the updated one to see what changes have been made, and apply.

Thanks!

MindTwist
01-27-2009, 02:56 PM
Forget my post, doing a file compare brought up the differences really quick :D

jquach
01-27-2009, 03:37 PM
Thanks for PMing about this security fix. Much appreciated.

seaserver
01-27-2009, 05:14 PM
I've created custom templates for all my stores and do not use the fallback template. Do I still need to apply the fix?

michael_s
01-27-2009, 06:16 PM
@seaserver: yes, you need to replace the fallback template file, and if you also created custom content template files that include a catalog_products_with_images.tpl.php template, you will have to replace each one with this new file. Remember that if you don't create a custom content template file in your custom template folder, your custom template will grab the content template from the fallback directory. That is why it is called fallback... the system falls back to the fallback template if it cannot find a custom content template.

Here is a diff so you can see what was removed/added:
r89 - oscmax2 - Google Code (http://code.google.com/p/oscmax2/source/detail?r=89)
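Because a custom template only overrides the fallback copy when it carries its own catalog_products_with_images.tpl.php, every such copy has to be patched separately. The following is an added example, not code from osCMax or from the post: a POSIX shell check that lists each custom-template copy of the file that still differs from the (already patched) fallback copy. It builds a constructed sample templates tree under a temporary directory; point `stale_copies` at your real /catalog/templates directory instead.

```shell
#!/bin/sh
# Constructed sample layout mirroring the osCMax templates tree described
# in the post: the patched fallback content template plus two custom
# templates, one of which still carries an old (unpatched) copy.
TPL=$(mktemp -d)
mkdir -p "$TPL/fallback/content" "$TPL/mystore/content" "$TPL/other/content"
printf 'patched template\n' > "$TPL/fallback/content/catalog_products_with_images.tpl.php"
printf 'old template\n'     > "$TPL/mystore/content/catalog_products_with_images.tpl.php"
printf 'patched template\n' > "$TPL/other/content/catalog_products_with_images.tpl.php"

# Print every copy of catalog_products_with_images.tpl.php under the given
# templates directory whose contents differ from the fallback copy, i.e. the
# custom content templates that still need to be replaced with the new file.
stale_copies() {
    base="$1"
    ref="$base/fallback/content/catalog_products_with_images.tpl.php"
    find "$base" -name catalog_products_with_images.tpl.php ! -path "$ref" |
    while read -r f; do
        # cmp -s is silent and returns non-zero when the files differ
        cmp -s "$ref" "$f" || echo "$f"
    done
}

stale_copies "$TPL"
```

Run it after uploading the patched file to /catalog/templates/fallback/content/; an empty result means every custom template copy already matches the patched fallback.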

ecom
01-27-2009, 06:27 PM
FTP upload the included file to the /catalog/templates/fallback/content/ directory, overwriting the existing file.

I'm using oscommerce-2.2rc2a. I didn't find the template directory, so
where do I overwrite the file?

michael_s
01-27-2009, 07:31 PM
This is for osCMax only, not osCommerce.

If you have installed the mod Printable Catalog into your standard osCommerce shop, go to addons.oscommerce.com and download the v3.6 printable catalog mod and use it to update your site.

If you have not installed Printable Catalog on your shop, this does not apply to you.



FTP upload the included file to the /catalog/templates/fallback/content/ directory, overwriting the existing file.

I'm using oscommerce-2.2rc2a. I didn't find the template directory, so
where do I overwrite the file?

DreamOn2003
01-27-2009, 10:41 PM
Thanks a lot for the patch, but thanks for using pm also

jpf
01-27-2009, 11:27 PM
FTP upload the included file to the /catalog/templates/fallback/content/ directory, overwriting the existing file.

I'm using oscommerce-2.2rc2a. I didn't find the template directory, so
where do I overwrite the file?


This is an osCMax release! Not an osCommerce RC2 release; they don't have/use templates.

Dranoel
01-28-2009, 06:22 AM
Thanks for the security message. File updated and works great!

johnedgley
01-30-2009, 02:16 AM
Many thanks for the pm and the speedy fix - much appreciated!

chevelle
02-02-2009, 07:59 AM
Hello Michael,

Sorry about the post to your Profile Page - Didn't know I should post this in the forum.


Trying to install the security fix dated Jan. 27, 2009.

Cart version v2.2 RC2 installed via cPanel.

I don't see the path or file name via ftp.

/catalog/templates/fallback/content/

When viewing the cart I don't see a printable catalog link either.

Thanks,
Steve Boyd
Tucson, Arizona

mfleeson
02-02-2009, 08:32 AM
Hey Chevelle

The fix is only for osCMax users. 2.2RC2 is an osCommerce release, so it doesn't have templates.

Best Wishes

Mark

michael_s
02-02-2009, 09:04 AM
Steve, like Mark said, osCommerce 2.2RC2a is not affected by this security problem unless you manually added the Printable Catalog (any version prior to v3.6, which is the patch we released) to your osCommerce store.

If you are not using osCMax, and don't have printable catalog installed, you are safe from this one.

farhang_roosta
02-06-2009, 12:58 PM
thanks thanks

heatherk
03-31-2009, 12:42 PM
If this isn't fixed on the site, would it allow someone to upload files to your site? We recently had a site compromised and we're trying to figure out how they got in.

michael_s
03-31-2009, 12:45 PM
If this isn't fixed on the site, would it allow someone to upload files to your site? We recently had a site compromised and we're trying to figure out how they got in.

Yes, this would allow file uploads.