XSS Vulnerability Fix v1.1.5 to v1.2.7

Started by eCommerce Core, June 14, 2016, 09:40:57 AM


eCommerce Core

A cross-site scripting vulnerability was discovered in AbanteCart versions 1.1.5 to 1.2.7.

If you run AbanteCart v1.1.5 to v1.2.7, we suggest that you apply the fix provided below:

Applying the fix is very easy and can be done in 2 different ways.

Option 1: replace the file /core/lib/request.php with the attached request.php

OR

Option 2: replace the line in the file

In file: /core/lib/request.php

Locate code:

public function decodeURI($uri) {
    $params = array();
    $open_uri = base64_decode($uri);

    $split_parameters = explode('&', $open_uri);
    for($i = 0; $i < count($split_parameters); $i++) {
        $final_split = explode('=', $split_parameters[$i]);
        $params[$final_split[0]] = $final_split[1];
    }
    return $parms;
}

Replace line:
    return $parms;
With:
    return $this->clean($params);

The fix is complete.
"If you're in the luckiest one per cent of humanity, you owe it to the rest of humanity to think about the other 99 per cent."
― Warren Buffett
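As an added illustration (not the post's or AbanteCart's own code), here is the decodeURI() logic from the post beside a version that applies the fix. The clean() function is a hypothetical stand-in for AbanteCart's $this->clean() and assumes HTML-entity escaping; the sample query is constructed for the demonstration.

```php
<?php
// Added example, not AbanteCart's code. Models the vulnerable decodeURI()
// quoted in the post next to a version that applies the posted fix.

// Before the fix: decoded values are returned raw, so any markup carried in
// the base64 payload reaches the caller (and later the page) unescaped.
function decodeURIVulnerable(string $uri): array {
    $params = array();
    $open_uri = base64_decode($uri);
    $split_parameters = explode('&', $open_uri);
    for ($i = 0; $i < count($split_parameters); $i++) {
        $final_split = explode('=', $split_parameters[$i]);
        // A pair without '=' has no offset 1: PHP emits a warning here.
        $params[$final_split[0]] = $final_split[1];
    }
    return $params;
}

// Hypothetical stand-in for $this->clean(): recursively entity-escape every
// value (keys are left as they are, which mirrors the narrow scope assumed here).
function clean($data) {
    if (is_array($data)) {
        return array_map('clean', $data);
    }
    return htmlspecialchars((string)$data, ENT_QUOTES, 'UTF-8');
}

// After the fix: same parsing, but the result passes through clean() before it
// is returned. This version also guards two edge cases the original ignores:
// input that is not valid base64, and a pair that carries no '='.
function decodeURIFixed(string $uri): array {
    $params = array();
    $open_uri = base64_decode($uri, true);
    if ($open_uri === false) {
        return $params;
    }
    foreach (explode('&', $open_uri) as $pair) {
        $final_split = explode('=', $pair, 2);
        $params[$final_split[0]] = isset($final_split[1]) ? $final_split[1] : '';
    }
    return clean($params);
}

// Constructed sample: a base64-encoded query whose 'name' value carries a
// script tag, plus a trailing pair without '=' to exercise the edge case.
$sample = base64_encode('page=1&name=<script>alert(1)</script>&flag');

echo "vulnerable name: ", decodeURIVulnerable($sample)['name'], PHP_EOL;
echo "fixed name:      ", decodeURIFixed($sample)['name'], PHP_EOL;
```

Running the script shows the first line echoing the tag back verbatim, while the second line shows it entity-encoded, which is what stops the browser from executing it when the value is rendered.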

llegrand

thank you for finding and posting this.

One question - we need to make this fix on all installations until 1.2.8 is out? We should not think that you have made a file change in the 1.2.7 download, is this correct?

Thanks
Lee

eCommerce Core

This fix will be available in 1.2.8, but it is strongly suggested that v1.1.5 to v1.2.7 inclusive be updated.

Thumper

I have downloaded and updated the request.php file as indicated. Why does the message keep popping up as a new message in my admin portal? Can something be done to stop it since it is not a new message and I have taken care of it?

llegrand

Look at the very end of the first post; it is an attached file.

kenvice123

Please note that you must sign up / log in before you can download.

Noah

Thanks for the heads up - it's done, and far easier to change the line of code ;)

Kind Regards
If you keep doing what you're always doing, you'll keep getting what you're always getting!

Continual improvement...


arifsajal

I fixed this problem but this message still comes to my inbox. What can I do to stop the messages?

Charleymay

Can someone please help me. I am so new to this. I see the fix and what I am supposed to do, but where do I find the file?
Thanks in advance

abantecart

Quote from: Charleymay on September 02, 2016, 11:35:26 AM
Can someone please help me. I am so new to this. I see the fix and what I am supposed to do, but where do I find the file?
Thanks in advance
Did you read the instructions provided by "eCommerce Core" above? Is it not clear? Option 1 is the easiest one. Replace the file and you are done.
Please  rate your experience or leave your review
We need your help to build better free open source ecommerce platform for everyone. See how you can help

eCommerce Core

Quote from: Charleymay on September 02, 2016, 11:35:26 AM
Can someone please help me. I am so new to this. I see the fix and what I am supposed to do, but where do I find the file?
Thanks in advance
The file is located in your AbanteCart directory at /core/lib/request.php. It can be found starting from the web root directory, which is specific to your hosting environment.

MOS

Many thanks, done via editing the code, nice and simple :)
