Shopping Cart Operations > Security
XSS Vulnerability Fix v1.15 to v1.2.7
eCommerce Core:
There is a cross-site scripting vulnerability was discovered in AbanteCart version 1.1.5 to 1.2.7
If you run AbanteCart v1.1.5 to v1.2.7, we suggest that you apply the fix provided below:
To apply the fix is very easy and can be done 2 different ways.
Option 1: replace the file /core/lib/request.php with attached request.php
OR
Option 2: replace the line in the file
In file: /core/lib/request.php
Locate code:
--- Code: --- public function decodeURI($uri) {
$params = array();
$open_uri = base64_decode($uri);
$split_parameters = explode('&', $open_uri);
for($i = 0; $i < count($split_parameters); $i++) {
$final_split = explode('=', $split_parameters[$i]);
$params[$final_split[0]] = $final_split[1];
}
return $parms;
}
--- End code ---
Replace line:
return $parms;
With:
return $this->clean($params);
Fix is complete
llegrand:
thank you for finding and posting this.
One Question - we need to make this fix on all installations until 1.2.8 is out? We should not think that you have made a file change in 1.2.7 download, is this correct?
Thanks
Lee
eCommerce Core:
This fix will be available in 1.2.8, but v1.15 to v1.2.7 inclusively strongly suggested be updated.
Thumper:
I have downloaded and updated the request.php file as indicated. Why does the message keep popping up as a new message in my admin portal? Can something be done to stop it since it is not a new message and I have taken care of it?
Joephelps:
i dont see a download for option 1
Navigation
[0] Message Index
[#] Next page
Go to full version