We have uploaded an update to the Cartweaver 3 PHP digital Download plug-in. This update corrects a possible security vulnerability that was found. We recommend that anyone using the plug-in download this update. To update any current installations, take a look at the update notes text file included in the download and replace the indicated file.
Hi. I clicked to download the update but it appears to be the same as my old file. All files inside even have the same dates as my old file. I also cannot find an update notes text file. Please let me know because I had a security issue today. Thanks, ~John
Check to see if the download.php has this: o.order_CustomerID = '%s' AND s.SKU_ID = '%s' AND ( o.order_Status = '2' OR o.order_Status = '3' ) ",$_SESSION["customerID"],$_
Possible causes (this is just a list of ideas. I can't say what it is in your case):
a) Querystring parameter not being properly cleaned up. (CW's code always cleans up its input. If you added any code of your own you should also check for that. If you find out the point of entry you will have an easier time pinpointing how to fix this.)
b) FTP credentials being compromised. (I recommend always changing FTP passwords if you discover any sort of issue.)
c) Malware on your machine causing unwanted stuff to piggyback on your form actions when visiting websites.