Kryptronic Software Support Forum


#1 01-24-2006 13:06:16

webmaster
Administrator
From: York, PA
Registered: 04-20-2001
Posts: 19722

Ccp Update (all) - Cgi Wrapper - 01/24/2006

THIS IS A RECOMMENDED - NON-CRITICAL UPDATE

On 01/24/2006, an update for all versions of ClickCartPro 5.x was released. Please read the following post if you have an active ClickCartPro 5.0 or 5.1 license:

For users who purchased ClickCartPro 5.1 (tiki) licenses after 01/24/2006 @ 1:00 PM ET, the software installation file you downloaded has been fully updated with the most recent codebase. If you receive a message about the update, you can discard it.

For users who purchased ClickCartPro 5.x licenses prior to 01/24/2006 @ 1:00 PM ET, you will need to apply the update to your installation. The update will be delivered in the form of an update package (download file with new code and instructions) on 01/24/2006 via email.

Please allow several hours from the time of this post to receive the update email. If you do not receive the update email by the close of business on 01/25/2006, please contact support@kryptronic.com for a copy of the update message.

Items included in the update are detailed in the quote from the update package README below.



This update contains modifications to the ClickCartPro codebase.  These
new codebase modifications create a wrapper for public CGI requests and
strip characters from incoming formdata for those public CGI requests.

The use of this wrapper prevents user submitted formdata containing
HTML characters from being printed literally within the display routines.
ClickCartPro has begun to fail tests performed by site scanning bots
because of a positive return on cross-site-scripting tests.

To ensure these tests are passed by your site in the future and to
avoid security warnings from your hosting provider, we recommend you
apply this update.

It is recommended if you install the update to remove the characters:
" ' ( ) < > # & from any non-element database entries you have
created.  Non-element database entries include items such as product
names, product numbers, option names, category names, etc.

Please Note: Un-updated ClickCartPro installations are not vulnerable
to cross-site-scripting attacks.  However, CCP will issue a false
positive when being tested under an automated system.  For this reason,
Kryptronic recommends updating your installation.

Kryptronic is not aware of any extensions (applications and modules) for ClickCartPro provided by certified support partners that are affected by the update.


Nick Hendler


#2 01-24-2006 15:54:40

Big Dave
Member
Registered: 10-24-2003
Posts: 742

Re: Ccp Update (all) - Cgi Wrapper - 01/24/2006

There's a problem with the update Nick:


#3 01-25-2006 09:26:50

webmaster
Administrator
From: York, PA
Registered: 04-20-2001
Posts: 19722

Re: Ccp Update (all) - Cgi Wrapper - 01/24/2006

We have identified an issue with the update that was posted yesterday and have corrected this issue.  Under certain browser configurations the ASCII equivalent replacement of the = and ? characters on the front-end caused encrypted data to be read incorrectly by the program.  We have tested a fix for this:

Edit the routine 'format' in the file ./cgi-bin/library/modules_lib/CGIcustom/CGIwrap.pm and locate the following two lines:

Code:

$return =~ s/\=/\&\#061\;/gs;   # replaces every '=' with &#061;
$return =~ s/\?/\&\#063\;/gs;   # replaces every '?' with &#063;

Remove those lines and the issue will be resolved.  We have posted new copies of the update and CCP full version with the update installed in our download area.  Anyone who has applied this update should either make the change above manually or download a new update file using the same download instructions provided yesterday and upload the CGIwrap.pm from it.


Nick Hendler

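An added example (not ClickCartPro code, and not from the posts above) of the failure this post describes. It assumes the affected form field carried an opaque base64-encoded value, the usual transport for encrypted session data, which base64 pads with '=' characters; the token contents and the field handling are constructed for the example. The two substitutions are the lines quoted above; the corrected package simply omits them.

```python
import base64
import binascii

# Added example, not ClickCartPro code.  The first update package also
# entity-encoded '=' and '?' (the two lines removed above).  This shows what
# that does to a form field carrying an opaque base64 value, one place '='
# legitimately appears (as padding).  The token below is constructed.


def wrap_v1(value):
    """First update package: the two substitutions later removed."""
    value = value.replace("=", "&#061;")
    value = value.replace("?", "&#063;")
    return value


def wrap_v2(value):
    """Corrected package: '=' and '?' pass through untouched."""
    return value


def read_token_strict(field_value):
    """Decode an opaque base64 field, rejecting altered input (returns None)."""
    try:
        return base64.b64decode(field_value, validate=True)
    except binascii.Error:
        return None


def read_token_lenient(field_value):
    """Default decoder: silently drops characters outside the base64
    alphabet, so an altered field decodes to the wrong bytes instead of
    failing."""
    return base64.b64decode(field_value)


# Stand-in for encrypted session data: 13 bytes, so its base64 form
# carries two '=' padding characters.
SECRET_BYTES = b"session:12345"
TOKEN = base64.b64encode(SECRET_BYTES).decode("ascii")  # c2Vzc2lvbjoxMjM0NQ==

if __name__ == "__main__":
    print(wrap_v1(TOKEN))                       # c2Vzc2lvbjoxMjM0NQ&#061;&#061;
    print(read_token_strict(wrap_v1(TOKEN)))    # None
    print(read_token_lenient(wrap_v1(TOKEN)))   # wrong bytes, no error
    print(read_token_strict(wrap_v2(TOKEN)))    # b'session:12345'
```

A strict decoder rejects the altered field outright; a lenient one, like Python's default here, drops the characters it does not recognise and returns the wrong plaintext without complaint, which is the "read incorrectly" behaviour reported. Neither '=' nor '?' is an HTML metacharacter in a text node, so passing them through costs nothing on the cross-site-scripting side.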

#4 01-25-2006 11:09:46

webmaster
Administrator
From: York, PA
Registered: 04-20-2001
Posts: 19722

Re: Ccp Update (all) - Cgi Wrapper - 01/24/2006

A new broadcast message is running currently to alert all users who installed the update thus far to download a new copy and install that instead.  Here is a partial update message:



- IMPORTANT SOFTWARE UPDATE INFORMATION
- PLEASE READ THIS ENTIRE MESSAGE

Hello.  You are receiving this message because you have a ClickCartPro
version 5.0 or 5.1 license active currently. Yesterday we released
an update for all 5.0 and 5.1 licenses.

This update contains modifications to the ClickCartPro codebase.  These
new codebase modifications create a wrapper for public CGI requests and
strip characters from incoming formdata for public CGI requests.

- THIS MESSAGE IS INTENDED FOR ANY USERS WHO HAVE ALREADY INSTALLED
- THE UPDATE - A NEW VERSION OF THE UPDATE FILE IS AVAILABLE.

- IF YOU HAVE NOT INSTALLED THE UPDATE YET, REFER TO THE INSTRUCTIONS
- IN THE ORIGINAL UPDATE MESSAGE.  THE UPDATE FILE AVAILABLE FOR
- DOWNLOAD HAS BEEN CORRECTED.

A flaw in the update code was discovered where under certain browser
configurations the ASCII equivalent replacement of the = and ?
characters on the front-end caused encrypted data to be read
incorrectly by the program.

This flaw was reported on the forum here:



And corrected immediately.  The file modified to provide the fix is:

/cgi-bin/library/modules_lib/CGIcustom/CGIwrap.pm

-- DOWNLOAD INFO IN MAIL MESSAGE --

Kryptronic recommends either updating your CGIwrap.pm by following
the manual instructions on the forum, or by downloading a new copy
from our server and replacing the one you have installed currently.

Again, this applies only to users who have installed the update that
was released yesterday.  Thank you for your continued support and
have a great day.


Nick Hendler


#5 01-25-2006 17:17:34

rachaelseven
Member
From: Massachusetts, USA
Registered: 01-23-2006
Posts: 3169

Re: Ccp Update (all) - Cgi Wrapper - 01/24/2006

There seems to be another bug with the update.  Please see recent additions to .

Thanks,
Rachael


Rachael Katz
- Custom Focusing Screens for DSLR Cameras


#6 01-26-2006 09:05:11

Thom
Member
From: Fairmont, Minnesota
Registered: 01-17-2003
Posts: 182

Re: Ccp Update (all) - Cgi Wrapper - 01/24/2006

I have done both updates and I am getting ASCII code in my order confirmations and email sent through the cart.

Is there a fix?

Thom


Thom-

"Life is a banquet, and most poor suckers are starving to death!" - AUNTIE MAME


#7 01-26-2006 09:09:34

webmaster
Administrator
From: York, PA
Registered: 04-20-2001
Posts: 19722

Re: Ccp Update (all) - Cgi Wrapper - 01/24/2006

Concerning the newly posted issue about the update here:



HTML characters are filtered out of form input by design on this new update.  This goes all the way down to the mail elements as well for security purposes (so arbitrary HTML commands will not be run while reading messages in HTML readers).

I just finished a little more research and determined that most users are using plain text mail readers so the mail output needs to be reformatted turning the HTML entities encoded back into their HTML character equivalents. 

This is done in the ./cgi-bin/library/common/display.pl file in the following places:

In the routine 'display_print_array' the line:

Code:

# Decode the wrapper's entities back to characters for plain-text mail.
# '&' (&#038;) is handled last, after every other entity.
$display_line =~ s/\&\#034\;/\"/gs;
$display_line =~ s/\&\#039\;/\'/gs;
$display_line =~ s/\&\#040\;/\(/gs;
$display_line =~ s/\&\#041\;/\)/gs;
$display_line =~ s/\&\#060\;/\</gs;
$display_line =~ s/\&\#062\;/\>/gs;

$display_line =~ s/\&\#035\;/\#/gs;
$display_line =~ s/\&\#038\;/\&/gs;

$mail_display .= "$display_line";

And in the routine 'display_print_line' the line:

Code:

# Same decoding for the line prefix; again '&' (&#038;) is handled last.
$display_prefix =~ s/\&\#034\;/\"/gs;
$display_prefix =~ s/\&\#039\;/\'/gs;
$display_prefix =~ s/\&\#040\;/\(/gs;
$display_prefix =~ s/\&\#041\;/\)/gs;
$display_prefix =~ s/\&\#060\;/\</gs;
$display_prefix =~ s/\&\#062\;/\>/gs;

$display_prefix =~ s/\&\#035\;/\#/gs;
$display_prefix =~ s/\&\#038\;/\&/gs;

$mail_display .= "$display_prefix";

This change is intended for users who do not use HTML mail readers.  As this is most of you, I will be including a new display.pl file in the update.  Stay tuned for another post in this thread stating another version of the update is ready.


Nick Hendler

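As an added example, not code from the original posts or from ClickCartPro: the Python below reconstructs the two operations this thread describes, entity-encoding the eight characters listed in the update README on intake (post #1) and mapping the entities back for plain-text mail (the display.pl change in this post), and shows why the probe an automated scanner submits stops coming back as live markup. It also shows a pitfall of doing the work as a chain of one-character substitutions, as the Perl above does: because the entities themselves contain '&' and '#', and both characters are in the set, no ordering of the chain is right for every input, whereas a single pass over the string is. Whether the wrapper's own encode side has this problem is not shown on the page. The substitution table is the one in the display.pl patch; the page template, the scanner probe and the sample product name are constructed for the example.

```python
import re

# Added example, not ClickCartPro code.  Sample strings are constructed.

# The eight characters named in the update README, with the numeric entities
# that the display.pl patch maps back.
ENTITIES = {
    "&": "&#038;",
    "#": "&#035;",
    '"': "&#034;",
    "'": "&#039;",
    "(": "&#040;",
    ")": "&#041;",
    "<": "&#060;",
    ">": "&#062;",
}
CHARS = {entity: ch for ch, entity in ENTITIES.items()}


def wrap_sequential(value, order="&#\"'()<>"):
    """Intake done as a chain of s/// substitutions, one character at a time.
    The entities contain '&' and '#', and both are in the set, so whichever
    of the two goes first, the other substitution rewrites entities that the
    first one just produced."""
    for ch in order:
        value = value.replace(ch, ENTITIES[ch])
    return value


def wrap_single_pass(value):
    """Intake done in one pass: every character is looked up once, and an
    entity just emitted is never re-examined."""
    return "".join(ENTITIES.get(ch, ch) for ch in value)


def unwrap_sequential(value):
    """The display.pl change mirrored: one substitution per entity, '&' last."""
    for entity in ("&#034;", "&#039;", "&#040;", "&#041;",
                   "&#060;", "&#062;", "&#035;", "&#038;"):
        value = value.replace(entity, CHARS[entity])
    return value


_ENTITY_RE = re.compile(r"&#\d{3};")


def unwrap_single_pass(value):
    """Plain-text mail path in one regex pass, decoding the table's entities
    only; text already consumed by a match is never scanned again."""
    return _ENTITY_RE.sub(lambda m: CHARS.get(m.group(0), m.group(0)), value)


TEMPLATE = "<p>Results for: {}</p>"   # stand-in for a CCP display routine
PROBE = "<script>alert(1)</script>"    # what an automated XSS scan submits


def render(formdata, wrapper=None):
    """Print submitted form data back into the page, optionally wrapped."""
    return TEMPLATE.format(formdata if wrapper is None else wrapper(formdata))


def probe_reflected(rendered, probe=PROBE):
    """A scanner's success condition: its probe came back as live markup."""
    return probe in rendered


# Constructed product name that uses all eight characters.
PRODUCT_NAME = "Cap (Large) \"Gold\" & 'Silver' trim #5 <new>"

if __name__ == "__main__":
    print(render(PROBE))                        # probe echoed literally
    print(render(PROBE, wrap_single_pass))      # probe reduced to entities
    print(unwrap_single_pass(wrap_single_pass(PRODUCT_NAME)))  # round trip
    # The chain: with '#' first, '#' is still an entity after the mail decode;
    # with '&' first, '&' reaches the front end as a broken entity.
    print(unwrap_sequential(wrap_sequential("#5 & co", "#&\"'()<>")))
    print(wrap_sequential("#5 & co", "&#\"'()<>"))
    # Entities a user typed by hand come back as typed, not decoded twice.
    print(unwrap_single_pass(wrap_single_pass("&#060;b&#062;")))
```

The single-pass versions are the ones to keep: the scanner probe is reduced to inert text, every product name round-trips into plain-text mail, and a user who types an entity by hand gets their own text back rather than a second decoding of it.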

#8 01-26-2006 09:27:40

webmaster
Administrator
From: York, PA
Registered: 04-20-2001
Posts: 19722

Re: Ccp Update (all) - Cgi Wrapper - 01/24/2006

A new update package is ready to download per the instructions you received earlier this week.  This new (3rd) version of the update filters plain text mail messages and does character replacements on those messages to avoid HTML character entities showing up in plain text mail.


Nick Hendler


#9 01-26-2006 10:40:22

rachaelseven
Member
From: Massachusetts, USA
Registered: 01-23-2006
Posts: 3169

Re: Ccp Update (all) - Cgi Wrapper - 01/24/2006

Thanks, Nick.  All seems solved, except for the # character, which is still coming through as its ascii code (035).  Did I apply the fix wrong or does this character need some different special treatment?

Thanks,
Rachael


Rachael Katz
- Custom Focusing Screens for DSLR Cameras


#10 01-27-2006 00:16:15

Jerry
Member
From: Michigan
Registered: 09-22-2003
Posts: 102

Re: Ccp Update (all) - Cgi Wrapper - 01/24/2006


Now I'm completely confused about this cgi-wrap update.  Which version of the updated update do I now have, and what else do I have to do?  I have no idea if the update I have installed is the correct one or if it's going to give me problems.


#11 01-27-2006 10:29:55

Big Dave
Member
Registered: 10-24-2003
Posts: 742

Re: Ccp Update (all) - Cgi Wrapper - 01/24/2006

I removed all changes until a stable full update is released. Nick is very busy, but I know he will have this corrected as quickly as possible. 


#12 01-28-2006 14:05:06

Blitzen
Member
From: USA
Registered: 01-01-2005
Posts: 935

Re: Ccp Update (all) - Cgi Wrapper - 01/24/2006

We applied the 1/27/6 update and there is a problem.

For the website, HTML code is used in the optionprod_name field. This is displayed okay on the product page.

However, in the cart, unacceptable stripping of the html code shows up.

The first item in the cart is when the recent patch was applied. There are two corrupted options.
(1) "Optional Writing for the Back of Your Cap"
(2) "Select Number of Combat Stars for Airborne Wings (Only) here".

The second item in the cart is how it should look.

Per Big Dave, we removed the patch until a stable version is released.


#13 01-30-2006 08:23:37

rachaelseven
Member
From: Massachusetts, USA
Registered: 01-23-2006
Posts: 3169

Re: Ccp Update (all) - Cgi Wrapper - 01/24/2006

Nick,

I hate to be a nag, but any word on a final fix for this issue?  The patch broke several different things for me (options names and shipping methods displays), so I've also removed it until a complete solution is available.  Should we just disregard this update altogether or is there a real security problem here we need to worry about?

Thanks,
Rachael


Rachael Katz
- Custom Focusing Screens for DSLR Cameras


#14 01-31-2006 10:59:11

webmaster
Administrator
From: York, PA
Registered: 04-20-2001
Posts: 19722

Re: Ccp Update (all) - Cgi Wrapper - 01/24/2006

### UPDATE INFORMATION

This is a non-critical but recommended update for CCP installations.  This update contains code that serves as a wrapper around user submitted form input to ensure CCP will pass cross-site-scripting tests performed by automated software test scripts.

Base 5.0 and 5.1 installations (installs without this update applied) are not vulnerable to cross-site-scripting attacks because of the way the programs handle database input and storage of session data. 

If you need to pass cross-site-scripting tests run by audit software you subscribe to, the update is recommended.  It is also recommended that you refrain from using the following characters:

" ' ( ) < > # &

when creating new database entries using the administrator.  Those characters will work fine in elements, but will be converted to their ASCII equivalents on the front-end displays when submitted as form data.

### SUMMARY

To reiterate, this is a non-critical update recommended for CCP installations.  The update is not required and its sole purpose is to aid in passing cross-site-scripting tests.  It is recommended if you install the update to remove the characters:  " ' ( ) < > # & from any non-element database entries you have created.

We will be updating the update file and base CCP install today in order to provide this information to the community.  This information will be included in the README for the update and the update will be renamed and reclassified.


Nick Hendler


#15 05-14-2007 14:46:30

csherwood123
Member
Registered: 10-22-2002
Posts: 235

Re: Ccp Update (all) - Cgi Wrapper - 01/24/2006

Has anyone, Nick or otherwise, ever gotten a fix in place for the cross-site-scripting vulnerability?

After watching this thread for months last year, we simply decided to ignore the problem as the "Patch" appeared to cause more problems than it was fixing.

However, most of our sites have Scan Alert installed. Until recently Scan Alert flagged our sites as having a "Level 2" cross-site-scripting vulnerability. At the beginning of the year, Scan Alert raised this vulnerability to a "Level 3". While our older sites are "grandfathered" in as only recording the vulnerability as a "Level 2", any new ClickCart 5.x sites attempting to use Scan Alert will now fail the test, effectively resulting in the site becoming non-compliant and the Scan Alert seal being revoked. This is the problem we're experiencing with a newly launched site.

I discussed this problem with Scan Alert this morning and even had them demo how this vulnerability can be used by a hacker. Yikes! This absolutely is a real problem that needs to be addressed!

Anybody come up with anything??


#16 06-27-2007 12:56:48

webmaster
Administrator
From: York, PA
Registered: 04-20-2001
Posts: 19722

Re: Ccp Update (all) - Cgi Wrapper - 01/24/2006

Kryptronic released ClickCartPro 6 in January 2007 which uses totally new code to combat cross-site-scripting.  That release is not vulnerable and can be upgraded to from ClickCartPro 5.1.


Nick Hendler

