
XSS Vulnerability Fix v1.1.5 to v1.2.7


eCommerce Core:
A cross-site scripting vulnerability was discovered in AbanteCart versions 1.1.5 to 1.2.7.

If you run AbanteCart v1.1.5 to v1.2.7, we suggest that you apply the fix provided below:

Applying the fix is very easy and can be done in 2 different ways.

Option 1: replace the file /core/lib/request.php with the attached request.php

OR

Option 2: replace the line in the file

In file: /core/lib/request.php

Locate code:

--- Code: ---
public function decodeURI($uri) {
    $params = array();
    $open_uri = base64_decode($uri);

    $split_parameters = explode('&', $open_uri);
    for($i = 0; $i < count($split_parameters); $i++) {
        $final_split = explode('=', $split_parameters[$i]);
        $params[$final_split[0]] = $final_split[1];
    }
    return $params;
}
--- End code ---

Replace line:
    return $params;
With:
    return $this->clean($params);

Fix is complete
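To make the difference between the two return lines concrete, here is an added example (not AbanteCart's own code and not part of the original post). The DemoRequest class, the decodeURIUnsafe() name, the clean() implementation (assumed to be a recursive htmlspecialchars() sanitizer; the real ARequest::clean() may differ in detail) and the base64 payload are all assumptions constructed for this demonstration.

```php
<?php
// Added example, not AbanteCart's own code: a stand-in for the decodeURI()
// method in /core/lib/request.php, shown before and after the fix, together
// with a constructed XSS payload that exercises the difference.

class DemoRequest
{
    // Vulnerable version: the same parsing as the original decodeURI().
    // Whatever was inside the base64 blob is returned verbatim.
    public function decodeURIUnsafe($uri)
    {
        $params = array();
        $open_uri = base64_decode($uri);
        $split_parameters = explode('&', $open_uri);
        for ($i = 0; $i < count($split_parameters); $i++) {
            $final_split = explode('=', $split_parameters[$i]);
            $key   = $final_split[0];
            $value = isset($final_split[1]) ? $final_split[1] : '';
            $params[$key] = $value;
        }
        return $params;
    }

    // Fixed version: identical parsing, but the result passes through clean()
    // before it is handed back, as the patched return line does.
    public function decodeURI($uri)
    {
        return $this->clean($this->decodeURIUnsafe($uri));
    }

    // Assumed sanitizer (hypothetical, modelled on the usual recursive
    // htmlspecialchars() approach): keys and values are HTML-entity encoded.
    public function clean($data)
    {
        if (is_array($data)) {
            $out = array();
            foreach ($data as $key => $value) {
                $out[$this->clean($key)] = $this->clean($value);
            }
            return $out;
        }
        return htmlspecialchars((string) $data, ENT_QUOTES, 'UTF-8');
    }
}

// Constructed attacker input: the base64 form of
//   page=1&search=<script>alert(document.cookie)</script>
$payload = base64_encode('page=1&search=<script>alert(document.cookie)</script>');

$req = new DemoRequest();

$unsafe = $req->decodeURIUnsafe($payload);
$safe   = $req->decodeURI($payload);

// Before the fix the raw tag survives; once echoed into a template it runs.
echo "unsafe: " . $unsafe['search'] . "\n";
// After the fix the angle brackets and quotes are entity-encoded and render as text.
echo "safe:   " . $safe['search'] . "\n";
```

Two caveats a practitioner should keep in mind. First, encoding at input time only protects HTML contexts; a value later placed inside a JavaScript string or a URL attribute still needs context-specific encoding at output. Second, the original loop reads `$final_split[1]` even when a parameter has no `=`; the example guards that with `isset()`, which the page's snippet does not. After applying either option, confirm the change took effect by searching /core/lib/request.php for `return $this->clean($params);`.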

llegrand:
thank you for finding and posting this.

One question: do we need to make this fix on all installations until 1.2.8 is out? We should not assume that you have made a file change in the 1.2.7 download, is this correct?

Thanks
Lee

eCommerce Core:
This fix will be available in 1.2.8, but v1.1.5 to v1.2.7 inclusive are strongly suggested to be updated.

Thumper:
I have downloaded and updated the request.php file as indicated. Why does the message keep popping up as a new message in my admin portal? Can something be done to stop it since it is not a new message and I have taken care of it?

Joephelps:
I don't see a download for option 1.
