Latest News:
cpCommerce is officially unsupported
on February 04, 2010, 06:58:13 AM [View]
Author Topic: v1.2.7 has been released!  (Read 3272 times)
cpradio
Administrator
« on: November 30, 2008, 07:15:14 AM »

The next version of cpCommerce has been released to 1) provide better URL Rewriting support for servers running Apache in a Microsoft Windows environment and 2) to correct a security vulnerability that would give an attacker the ability to forcefully login as an administrator without entering the correct email address or password.

I highly recommend that everyone upgrade to this version to secure a site running 1.2.6.

You can download the new version at the downloads page

As always, there is a patch file located in each Zip file.  If you have customizations, you can use a program like WinMerge to help merge the changes of 1.2.7 into your custom cpCommerce.
cpradio
« Reply #1 on: December 01, 2008, 08:13:50 AM »

I should mention that this vulnerability will only give admin rights, so the worst a hacker could do is modify your store contents.  They can't physically hack the website, change files, etc.  They can modify products, categories, manufacturers, announcements, purchases, etc.

The vulnerability is based on the URL Rewrite changes implemented.  If you do not use this functionality, you might not be affected, but I can't confirm or deny that at this moment.  I plan to also add more security around this setting to avoid future attacks against it in 1.2.8.

Again, I urge everyone to update their site, and I also urge them to remove any version/software name that appears in the template.  For example, I would remove the Powered By statement at the bottom.  Having it off the template will make it harder for a hacker to identify what software you are running.

Matt
cpradio
« Reply #2 on: December 02, 2008, 01:56:30 PM »

It has come to my attention that by utilizing the exploit in v1.2.6 (again this is slightly dependent on server configurations and whether or not you use the URL Rewrite module), the attacker, once gaining Administrative privileges, can upload a file with malicious content by altering your configuration settings to allow uploading of php files.

The attacker then just needs to execute the file.  Changes will be made to do the following in 1.2.8:
1) Make the code in _functions.php a bit more secure (it is secure in 1.2.7, but I can improve on it further)
2) All uploaded files will be chmoded to 0444 (read-only), thus preventing any execution of the files.

Matt
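
Editor's added example, not cpCommerce code and not from the author of the posts above: one way an upload handler can apply the read-only mode planned for 1.2.8 while also refusing script extensions even when the admin-editable settings have been changed to allow them. The function name, the blocked-extension list and the parameters are all assumptions made for illustration.

```php
<?php
// Hypothetical hardening sketch; names and the block list are assumptions.

// Refused regardless of what the configurable allow-list says, so a
// compromised admin account cannot re-enable script uploads via settings.
const BLOCKED_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'phtml', 'phar',
    'pl', 'py', 'cgi', 'sh', 'htaccess',
];

function store_upload(string $tmpPath, string $clientName,
                      array $configuredExts, string $destDir): string
{
    // Inspect every dot-separated part so "report.php.jpg" is caught too.
    $parts = explode('.', strtolower(basename($clientName)));
    array_shift($parts); // drop the base name, keep only extensions
    if ($parts === []) {
        throw new RuntimeException('upload has no extension');
    }
    foreach ($parts as $part) {
        if (in_array($part, BLOCKED_EXTENSIONS, true)) {
            throw new RuntimeException("extension '$part' is never accepted");
        }
    }

    // The configurable allow-list is applied only after the hard block.
    $ext = end($parts);
    if (!in_array($ext, array_map('strtolower', $configuredExts), true)) {
        throw new RuntimeException("extension '$ext' is not in the allow-list");
    }

    // Server-chosen name: the client never controls the stored path.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($tmpPath, $dest)) {
        throw new RuntimeException('could not move uploaded file');
    }

    // Read-only mode, as planned for 1.2.8. A PHP handler in the web server
    // only needs read access to interpret a file, so the extension checks
    // above are what keep an upload from being run as a script.
    if (!chmod($dest, 0444)) {
        unlink($dest);
        throw new RuntimeException('could not set read-only permissions');
    }
    return $dest;
}
```

Keeping the upload directory outside the web root, or configuring the server not to hand files in it to any script handler, complements these checks.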