Important security update for X-Cart

X-Cart released a major security patch last week affecting versions 4.0.0 – 4.7.8 (about 98% of X-Cart Classic stores). The patches fix several major vulnerabilities, and it is critical to get them installed as soon as possible.

We are installing the patches for all of our clients hosted on our private servers. If your online store runs X-Cart and is hosted on a shared package with us, please submit a request at http://mystorehelp.com with your store’s domain name and we will patch your store for you.

If you do not host with us, you are in big trouble! We suggest you reach out to your host as soon as possible to update your setup. If they cannot, let us know and we may be able to help.

Check out the details of the update below.

Security patches for X-Cart 4 Classic are available. Apply the patch for your version to resolve the following security issues in your store.

1) Possible SQL injection related to all PayPal payment methods except for Website Payments Standard and PayPal Payments Standard
Impact: An attacker can execute malicious SQL statements that will control the store database server.
Affected versions: 4.0.0 – 4.7.8

2) XSS vulnerabilities in the Feature Comparison module and in the ‘Thank you for your order’ page
Impact: Attackers can inject client-side malicious scripts into the store web pages that will harm the store visitors.
Affected versions: 4.0.0 – 4.7.8

3) IPv6 not supported by the User Access Control feature (restricting access to the admin back-end by IP)
Impact: Restriction by IP is not enabled when an IPv6 address is specified as the admin allowed IP in config.php; it is also impossible to specify an IPv6 address on the ‘User access control’ page in the store’s admin area.
Affected versions: 4.0.0 – 4.7.7

4) With the “Send to friend” form disabled and the Image Verification feature disabled for this form too, malicious bots can emulate this form and use it to send SPAM from the store email address
Impact: A lot of SPAM mail sent by the bots results in a ban for the store email address. It means that the store notifications (about placed orders, for example) to the administrator and to customers will not be delivered at all.
Affected versions: 4.0.0 – 4.7.8
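Item 3 above describes an admin IP restriction that silently stops applying when it meets an address format it cannot handle. As an added example (not X-Cart’s code; the allowlist format, function names and addresses are all constructed for illustration), the following Python check accepts IPv4 and IPv6 hosts and ranges and fails closed whenever an allowlist entry or the client address cannot be parsed:

```python
import ipaddress

# Constructed allowlist in the spirit of an "admin allowed IP" setting:
# an IPv4 host, an IPv4 range, an IPv6 host and an IPv6 range.
# This is NOT X-Cart's config.php format.
ADMIN_ALLOWED_IPS = [
    "203.0.113.10",
    "198.51.100.0/24",
    "2001:db8::42",
    "2001:db8:1::/48",
]


def parse_allowlist(entries):
    """Parse every entry as an IPv4/IPv6 address or CIDR network.

    Returns (networks, rejected). A rejected entry is a misconfiguration
    that must be reported, not a reason to quietly skip the restriction.
    """
    networks, rejected = [], []
    for entry in entries:
        try:
            # strict=False lets a bare host ("203.0.113.10") become a /32 or /128
            networks.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            rejected.append(entry)
    return networks, rejected


def admin_access_allowed(client_ip, entries):
    """Fail closed: an unparsable allowlist entry, an empty allowlist or an
    unparsable client address all deny access rather than disable the check."""
    networks, rejected = parse_allowlist(entries)
    if rejected or not networks:
        return False
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return False
    # A dual-stack server may report an IPv4 client as ::ffff:a.b.c.d;
    # compare it against the IPv4 entries instead of rejecting it.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    # Membership is always False across address families, so no cross-matching.
    return any(addr in net for net in networks)
```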
To apply the patch on your own, follow these instructions:
1) Go to your Help Desk account at https://secure.x-cart.com/
2) Download the patch archive from File Area -> X-Cart 4 -> X-Cart supporting files for prev versions -> X-Cart 4.x (find your branch) -> X-Cart 4.x.x (find your version) -> Updates and patches (security-patch-2018-02-06_4.x.x.tgz).
3) Unpack the archive you have downloaded.
4) Extract the README file from the archive.
5) Follow the instructions from it.

For v4.6.3 – v4.7.8, a patch is available for each version. For v4.0.x, the patches are provided on request in reply to this message. For versions 4.1.x – 4.6.2, a patch is available for one version per branch and requires adaptation for the other versions in that branch:
For v4.1.x, use the patch for v4.1.12
For v4.2.x, use the patch for v4.2.3
For v4.3.x, use the patch for v4.3.2
For v4.4.x, use the patch for v4.4.5
For v4.5.x, use the patch for v4.5.5
For v4.6.0 – v4.6.2, use the patch for v4.6.3

X-Cart engineers can apply the patch for you. It’s covered by our support services. If you would like X-Cart engineers to apply the patch for you, reply to this message and post access info to your server via a special secure form https://secure.x-cart.com/customer.php?area=center&target=customer_info#tab-create_access_info.

As an alternative solution, you can upgrade your store to the latest version, 4.7.9. Upgrade packs are available in the File Area section of your Help Desk account and already include the patch. See the upgrading instructions in the X-Cart Knowledge Base: https://help.x-cart.com/index.php?title=X-Cart:Upgrading. If you are interested in our upgrading services, reply to this message and a project manager will get back to you soon.
