TomatoCart Community
TOPIC: TomatoCart 1.1.8.1 Security Release!

#22544
TomatoCart 1.1.8.1 Security Release! 1 Year, 6 Months ago Karma: 58
Dear members,

The TomatoCart Project announces the immediate availability of TomatoCart 1.1.8.1, which is a security release. The following security problems are eliminated from TomatoCart:

1. Add a captcha to the create account section to prevent bots from registering as users.

2. Recreate the session when the store owner logs in to the admin panel, to prevent session fixation attacks.
-- Please ensure the 'Regenerate Session ID' configuration is set to True under Admin->Modules->Services->Session.
-- Session fixation is a method that tricks a victim into using a session identifier chosen by the attacker. If successful, it represents the simplest method with which a valid session identifier can be obtained. The following image shows a typical session fixation attack:

3. Pass the correct session id to the admin system when the cookie is disabled or works incorrectly, to prevent the issue that the administrator can't log in to the admin panel.

4. Block access to the ext, includes and images directories in the store front. For example, if your store is accessed via www.yourdomain.com/includes, a blank page is returned, to avoid exposing the file structure of your web server.

5. Prevent the file inclusion vulnerability in json.php, pdf.php and callback.php. Otherwise, a creative attacker might traverse the file system.

6. Filter the input data to prevent XSS Attacks.

7. In the store front, when the user logs in to the store, creates an account or logs out, a new session is created. The old session is destroyed and removed from the database to prevent the session table from crashing. This is the effective way to prevent session fixation attacks.
-- Please ensure the 'Regenerate Session ID' configuration is set to True under Admin->Modules->Services->Session.

8. Remove ext/securimage/example_form.ajax.php to prevent the "processForm()" Cross-Site Scripting Vulnerability. Also remove example_from.php, securimage_show_example.php and securimage_show_example.php2 because they are useless.

9. Remove ext/securimage/securimage_play.php to prevent the authentication bypass, and remove securimage_play.swf too because it is useless.

10. Prevent exposing the admin directory name in the addshoppers box module.

>Download 1.1.8.1 here

>Download the security patch for v1.1.8 users.

>Read the article - How to strongly enhance the security of TomatoCart 1.1.8?

Note: Once you update your 1.1.8 system with the security patch, please add one language definition for the create account section. You just need to go to Admin->Definitions->Languages->Edit Modules and then click the account node in the left tree panel. Finally click the Add Definition button to add the following language definition:

Definition Group: Account
Definition Key: field_create_account_captcha_check_error
Definition Value: ERROR: Please specify the correct verify code.


Many thanks for your report about security problems in TomatoCart.
jack.yin (Jack Yin, Team Member, Posts: 2701)
Last Edit: 2012/10/16 07:17 By jack.yin.
---------------------

Jack Yin

Please help us to spread TomatoCart and tell people that you love TomatoCart!

To keep updating TomatoCart status in future, Like our Facebook, Google+, LinkedIn page or Follow us on Twitter.

.Facebook: www.facebook.com/pages/TomatoCart/241732152589007
.Google+: plus.google.com/109588253708268031594?prsrc=3
.Linkedin: www.linkedin.com/groups?home=&gid=31...8&trk=anet_ug_hm
.Twitter: twitter.com/tomatocart
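The regenerate-on-login behaviour described in items 2 and 7 of the announcement, shown as an added plain-PHP example that is not TomatoCart's own code. check_credentials() is a hypothetical stand-in for the store's customer lookup, and any database-backed session handler is assumed to be registered before session_start().

```php
<?php
// Added example (not TomatoCart's own code): rotate the session id whenever
// the authentication state changes, so an id planted in the browser before
// login is never promoted to an authenticated session.
declare(strict_types=1);

// Reject ids the server never issued (PHP 5.5.2+): a planted id then starts
// a brand-new session instead of being adopted.
ini_set('session.use_strict_mode', '1');
session_start();

function rotate_session(array $keep = []): void
{
    // Keep only whitelisted pre-login data (e.g. the cart); drop the rest.
    $carried = array_intersect_key($_SESSION, array_flip($keep));
    $_SESSION = [];
    // true: delete the old session record (file or sessions-table row) so
    // the old id stops resolving to anything, as in release item 7.
    session_regenerate_id(true);
    $_SESSION = $carried;
}

/** Hypothetical stand-in for the store's customer lookup. */
function check_credentials(string $email, string $password): ?int
{
    // Constructed sample record; a real store queries its customers table.
    $demo = ['alice@example.com' => [7, password_hash('s3cret', PASSWORD_DEFAULT)]];
    if (!isset($demo[$email])) {
        return null;
    }
    [$id, $hash] = $demo[$email];
    return password_verify($password, $hash) ? $id : null;
}

function login(string $email, string $password): bool
{
    $customerId = check_credentials($email, $password);
    if ($customerId === null) {
        return false;            // failed attempt: session stays as it was
    }
    rotate_session(['cart']);    // new id before any privilege is stored
    $_SESSION['customer_id'] = $customerId;
    $_SESSION['logged_in_at'] = time();
    return true;
}

function logout(): void
{
    rotate_session();            // fresh anonymous session, old row deleted
}
```

The same rotation belongs in the account-creation handler, since item 7 treats sign-up as an authentication change as well.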
 
#22546
Re:TomatoCart 1.1.8.1 Security Release! 1 Year, 6 Months ago Karma: -1
Thank you for that release.
Will a guide to upgrade from 1.1.8 be released? Is it necessary?
Or is only applying the patch enough?
yev.gavrikov (Senior Boarder, Posts: 58)
Last Edit: 2012/10/14 17:18 By yev.gavrikov.

#22558
Re:TomatoCart 1.1.8.1 Security Release! 1 Year, 6 Months ago Karma: 2
Thanks jack.yin for the new update! One question, is there a database change involved? Or can I use the new release with my old database?
Jay
uspshooter (Pillage first, then burn. Moderator, Posts: 40)

#22559
Re:TomatoCart 1.1.8.1 Security Release! 1 Year, 6 Months ago Karma: 58
Hi yev.gavrikov,

The security patch is available.

>Download the security patch for v1.1.8 users.

Once you update your system, please add one language definition for the create account section. You just need to add the language definition under Admin->Definitions->Languages->Edit Modules and then click the account node in the left tree panel. Finally click the Add Definition button to add the following language definition:

Definition Group: Account
Definition Key: field_create_account_captcha_check_error
Definition Value: ERROR: Please specify the correct verify code.

We will continue to enhance the security of TomatoCart 1.1.x.
jack.yin (Jack Yin, Team Member, Posts: 2701)

#22560
Re:TomatoCart 1.1.8.1 Security Release! 1 Year, 6 Months ago Karma: 58
Hi Jay,

There isn't any change in the database except one new language definition for create account section. Please see my reply to yev.gavrikov.

We will continue to enhance the security of TomatoCart 1.1.x.
jack.yin (Jack Yin, Team Member, Posts: 2701)

#22561
Re:TomatoCart 1.1.8.1 Security Release! 1 Year, 6 Months ago Karma: 2
Thanks Jack!
uspshooter (Pillage first, then burn. Moderator, Posts: 40)