Author Topic: XSS Vulnerability Fix v1.15 to v1.2.7  (Read 23776 times)

Offline eCommerce Core

  • Administrator
  • Hero Member
  • *****
  • Posts: 1602
  • Karma: +93/-1
    • View Profile
XSS Vulnerability Fix v1.15 to v1.2.7
« on: June 14, 2016, 09:40:57 AM »
There is a cross-site scripting vulnerability was discovered in AbanteCart version 1.1.5 to 1.2.7

If you run AbanteCart v1.1.5 to v1.2.7, we suggest that you apply the fix provided below:

To apply the fix is very easy and can be done 2 different ways.

Option 1: replace the file /core/lib/request.php with attached request.php

OR

Option 2: replace the line in the file

In file: /core/lib/request.php

Locate code:
Code: [Select]
public function decodeURI($uri) {
$params = array();
$open_uri = base64_decode($uri);

    $split_parameters = explode('&', $open_uri);
    for($i = 0; $i < count($split_parameters); $i++) {
        $final_split = explode('=', $split_parameters[$i]);
        $params[$final_split[0]] = $final_split[1];
    }
    return $parms;
}

Replace line:
       return $parms;
With:
   return $this->clean($params);

Fix is complete
“If you’re in the luckiest one per cent of humanity, you owe it to the rest of humanity to think about the other 99 per cent.”
― Warren Buffett

Offline llegrand

  • Hero Member
  • *****
  • Posts: 1811
  • Karma: +526/-7
    • View Profile
Re: XSS Vulnerability Fix v1.15 to v1.2.7
« Reply #1 on: June 14, 2016, 02:40:07 PM »
thank you for finding and posting this.

One Question -  we need to make this fix on all installations until 1.2.8  is out?  We should not think that you have made a file change in 1.2.7 download, is this correct?

Thanks
Lee

Offline eCommerce Core

  • Administrator
  • Hero Member
  • *****
  • Posts: 1602
  • Karma: +93/-1
    • View Profile
Re: XSS Vulnerability Fix v1.15 to v1.2.7
« Reply #2 on: June 14, 2016, 03:04:15 PM »
This fix will be available in 1.2.8, but v1.15 to v1.2.7 inclusively strongly suggested be updated.
“If you’re in the luckiest one per cent of humanity, you owe it to the rest of humanity to think about the other 99 per cent.”
― Warren Buffett

Offline Thumper

  • Newbie
  • *
  • Posts: 13
  • Karma: +1/-0
    • View Profile
Re: XSS Vulnerability Fix v1.15 to v1.2.7
« Reply #3 on: June 23, 2016, 04:43:27 PM »
I have downloaded and updated the request.php file as indicated. Why does the message keep popping up as a new message in my admin portal? Can something be done to stop it since it is not a new message and I have taken care of it?

Offline Joephelps

  • Newbie
  • *
  • Posts: 1
  • Karma: +0/-0
    • View Profile
Re: XSS Vulnerability Fix v1.15 to v1.2.7
« Reply #4 on: June 27, 2016, 11:10:16 PM »
i dont see a download for option 1

Offline llegrand

  • Hero Member
  • *****
  • Posts: 1811
  • Karma: +526/-7
    • View Profile
Re: XSS Vulnerability Fix v1.15 to v1.2.7
« Reply #5 on: June 27, 2016, 11:57:21 PM »
Look at the very end of the first post

it is an attached file

Offline kenvice123

  • Newbie
  • *
  • Posts: 1
  • Karma: +1/-0
    • View Profile
Re: XSS Vulnerability Fix v1.15 to v1.2.7
« Reply #6 on: July 04, 2016, 08:29:14 PM »
please note that you must sign up / log in before you can download

Offline Noah

  • Newbie
  • *
  • Posts: 1
  • Karma: +1/-0
  • Live, Learn, laugh and Love
    • View Profile
    • Shadow Crown
Re: XSS Vulnerability Fix v1.15 to v1.2.7
« Reply #7 on: July 16, 2016, 05:27:05 AM »
Thanks for the heads up - it's done, and far easier to change the line of code  ;)

Kind Regards
If you keep doing what you're always doing, you'll keep getting what you're always getting!

Continual improvement...

Offline ezeeozee

  • Newbie
  • *
  • Posts: 11
  • Karma: +4/-0
    • View Profile
Re: XSS Vulnerability Fix v1.15 to v1.2.7
« Reply #8 on: August 08, 2016, 09:56:42 AM »
Thank you!

Offline arifsajal

  • Newbie
  • *
  • Posts: 2
  • Karma: +0/-0
    • View Profile
Re: XSS Vulnerability Fix v1.15 to v1.2.7
« Reply #9 on: August 09, 2016, 01:06:41 PM »
i fix this problem but still this message come in my inbox . what can i do for stop the messages ???????????

Offline Charleymay

  • Newbie
  • *
  • Posts: 2
  • Karma: +0/-0
    • View Profile
Re: XSS Vulnerability Fix v1.15 to v1.2.7
« Reply #10 on: September 02, 2016, 11:35:26 AM »
Can someone please help me. I am so new to this. I see the fix and what I am suppose to do, but where do I find the file?
Thanks in advance

Offline abantecart

  • Administrator
  • Hero Member
  • *****
  • Posts: 4362
  • Karma: +301/-10
    • View Profile
    • Ideal Open Source Ecommerce Solution
Re: XSS Vulnerability Fix v1.15 to v1.2.7
« Reply #11 on: September 02, 2016, 12:52:16 PM »
Can someone please help me. I am so new to this. I see the fix and what I am suppose to do, but where do I find the file?
Thanks in advance
Did you read instructions provided by "eCommerce Core" above. It is not clear? Option 1 is the easiest one. Replace file and you are done.
Please  rate your experience or leave your review
We need your help to build better free open source ecommerce platform for everyone. See how you can help

Offline eCommerce Core

  • Administrator
  • Hero Member
  • *****
  • Posts: 1602
  • Karma: +93/-1
    • View Profile
Re: XSS Vulnerability Fix v1.15 to v1.2.7
« Reply #12 on: September 02, 2016, 04:14:51 PM »
Can someone please help me. I am so new to this. I see the fix and what I am suppose to do, but where do I find the file?
Thanks in advance
File is located in your AbanteCart directory /core/lib/request.php. It can be starting from web root directory that is specific to your hosting environment.
“If you’re in the luckiest one per cent of humanity, you owe it to the rest of humanity to think about the other 99 per cent.”
― Warren Buffett

Offline MOS

  • Newbie
  • *
  • Posts: 1
  • Karma: +0/-0
    • View Profile
Re: XSS Vulnerability Fix v1.15 to v1.2.7
« Reply #13 on: March 06, 2017, 04:29:05 AM »
Many thanks done via editing code nice and simple :)

 

Powered by SMFPacks Social Login Mod