AbanteCart Community

Shopping Cart Operations => Security => Topic started by: eCommerce Core on June 14, 2016, 09:40:57 AM

Title: XSS Vulnerability Fix v1.15 to v1.2.7
Post by: eCommerce Core on June 14, 2016, 09:40:57 AM
There is a cross-site scripting vulnerability was discovered in AbanteCart version 1.1.5 to 1.2.7

If you run AbanteCart v1.1.5 to v1.2.7, we suggest that you apply the fix provided below:

To apply the fix is very easy and can be done 2 different ways.

Option 1: replace the file /core/lib/request.php with attached request.php

OR

Option 2: replace the line in the file

In file: /core/lib/request.php

Locate code:
Code: [Select]
public function decodeURI($uri) {
$params = array();
$open_uri = base64_decode($uri);

    $split_parameters = explode('&', $open_uri);
    for($i = 0; $i < count($split_parameters); $i++) {
        $final_split = explode('=', $split_parameters[$i]);
        $params[$final_split[0]] = $final_split[1];
    }
    return $parms;
}

Replace line:
       return $parms;
With:
   return $this->clean($params);

Fix is complete
Title: Re: XSS Vulnerability Fix v1.15 to v1.2.7
Post by: llegrand on June 14, 2016, 02:40:07 PM
thank you for finding and posting this.

One Question -  we need to make this fix on all installations until 1.2.8  is out?  We should not think that you have made a file change in 1.2.7 download, is this correct?

Thanks
Lee
Title: Re: XSS Vulnerability Fix v1.15 to v1.2.7
Post by: eCommerce Core on June 14, 2016, 03:04:15 PM
This fix will be available in 1.2.8, but v1.15 to v1.2.7 inclusively strongly suggested be updated.
Title: Re: XSS Vulnerability Fix v1.15 to v1.2.7
Post by: Thumper on June 23, 2016, 04:43:27 PM
I have downloaded and updated the request.php file as indicated. Why does the message keep popping up as a new message in my admin portal? Can something be done to stop it since it is not a new message and I have taken care of it?
Title: Re: XSS Vulnerability Fix v1.15 to v1.2.7
Post by: Joephelps on June 27, 2016, 11:10:16 PM
i dont see a download for option 1
Title: Re: XSS Vulnerability Fix v1.15 to v1.2.7
Post by: llegrand on June 27, 2016, 11:57:21 PM
Look at the very end of the first post

it is an attached file
Title: Re: XSS Vulnerability Fix v1.15 to v1.2.7
Post by: kenvice123 on July 04, 2016, 08:29:14 PM
please note that you must sign up / log in before you can download
Title: Re: XSS Vulnerability Fix v1.15 to v1.2.7
Post by: Noah on July 16, 2016, 05:27:05 AM
Thanks for the heads up - it's done, and far easier to change the line of code  ;)

Kind Regards
Title: Re: XSS Vulnerability Fix v1.15 to v1.2.7
Post by: ezeeozee on August 08, 2016, 09:56:42 AM
Thank you!
Title: Re: XSS Vulnerability Fix v1.15 to v1.2.7
Post by: arifsajal on August 09, 2016, 01:06:41 PM
i fix this problem but still this message come in my inbox . what can i do for stop the messages ???????????
Title: Re: XSS Vulnerability Fix v1.15 to v1.2.7
Post by: Charleymay on September 02, 2016, 11:35:26 AM
Can someone please help me. I am so new to this. I see the fix and what I am suppose to do, but where do I find the file?
Thanks in advance
Title: Re: XSS Vulnerability Fix v1.15 to v1.2.7
Post by: abantecart on September 02, 2016, 12:52:16 PM
Can someone please help me. I am so new to this. I see the fix and what I am suppose to do, but where do I find the file?
Thanks in advance
Did you read instructions provided by "eCommerce Core" above. It is not clear? Option 1 is the easiest one. Replace file and you are done.
Title: Re: XSS Vulnerability Fix v1.15 to v1.2.7
Post by: eCommerce Core on September 02, 2016, 04:14:51 PM
Can someone please help me. I am so new to this. I see the fix and what I am suppose to do, but where do I find the file?
Thanks in advance
File is located in your AbanteCart directory /core/lib/request.php. It can be starting from web root directory that is specific to your hosting environment.
Title: Re: XSS Vulnerability Fix v1.15 to v1.2.7
Post by: MOS on March 06, 2017, 04:29:05 AM
Many thanks done via editing code nice and simple :)