Critical Security Patch (v4 Only) - August 24, 2015

Last Updated: Aug 24, 2015 10:12PM EDT
This article applies to all v4 stores. This patch must be applied in addition to the August 20, 2015 security patch, which applies to both v4 and v5 stores. Learn More.

Contents

Installing Security Patch 20150824

About the vulnerability

Addressing the vulnerability

Consequences of a breach

Likelihood of a breach

Identifying a breach

Securing your store


Installing Security Patch 20150824

Before you do anything else, regardless of whether your store appears to have been breached, and even if you have already installed security patch 20150820. Please install this patch by uploading the ProductCart files that have been made available to you via the "Check for Updates" page in your control panel. A support and updates plan is not required to download this patch and files are available for v4.1. All v4.0 and earlier stores are deprecated and should upgrade immediately.

  1. Download the patch via "Help > Check for Updates" link in your control panel.
  2. Upload the files to your store as described here.
  3. Come back to this document and read the rest of it: it is very important that you do so.

About the vulnerability

This vulnerability is a type of "Information Disclosure", which allows a hacker to view and exploit information contained within the control panel logs.  The information may be used to gain access to the store's control panel. Due to the sensitive nature of the vulnerability, at this time we can't outline the exact steps used to exploit the vulnerability, as it could be used as a blue print for other hackers.  That said, we will cover “Addressing the vulnerability”, “Identifying a breach”, and “Consequences of a breach” later in this article.

Addressing the vulnerability

After releasing a comprehensive security patch for all versions of ProductCart on August 20th, our development team has continued to perform forensics on the recent attacks performed by hackers. We are dedicated to making ProductCart the most secure ecommerce platform available and will continue to research and investigate the techniques used to by these hackers. At this time there are no other outstanding security vulnerabilities, but if anything is discovered our team will move quickly to address it.

The "Information Disclosure" vulnerability was discovered the morning of August 24, 2015.  Our development team created a patch and released it within 14 hours of its discovery.  This patch addresses the "Information Disclosure" vulnerability by restricting access to specific files and by upgrading the login system in v4 to be more comparable to the login system used in v5.  Note that a newer, modernized password login system will be released in the near future for v5.1.00.  It is strongly recommended that all v4 stores upgrade so they can take advantage of the latest developments.

Although our tests indicate that the files updated within this patch will prevent future breaches, they will not stop an existing breach from being exploited. For this reason, it is imperative that you read the rest of this document and follow the instructions included in it.

Consequences of a breach

If the attack is successful the hacker would have access to a store’s ProductCart Control Panel. 

With regard to a ProductCart-powered store, a hacker may be able to:

  • Download customer information. (e.g. emails and passwords)
  • Capture credit card information at the time an order is submitted, if the credit card information is entered on a form hosted by the store.

Likelihood of a breach

Unfortunately there is no way to fully rule out the possibility of a breach due to the many factors involved. We’ve responded as fast as possible so the likelihood of a breach is substantially reduced the sooner you install the patch.

Here are some considerations that will help determine the likelihood of a breach:
  • If your store is already upgraded to v5, then the likelihood of a breach is drastically reduced.  The v5 software is not susceptible to this attack.  Moreover, the v5 upgrade process involved performing the install in a new folder.  That means the v4 log files would not have been transferred to the v5 store. That also means that if the v4 store was breached the malicious files would not have transferred to the v5 store.
  • Anyone that has installed the August 20, 2015 patch and renamed their control panel directory (per the instruction in the "Securing your Store" section) would be at lesser risk. (i.e. This vulnerability is dependent on the hacker knowing the location of the control panel.)  With the August 20, 2015 patch installed there is no known way to determine the location of the control panel.
  • This vulnerability has existed for over 5 years, but there is no evidence it was exploited until very recently.  Moreover, the issue does not exist in v5 due to changes in the login system. The likelihood of a breach is substantially reduced the sooner you install the patch and / or upgrade to v5.

Identifying a breach

Unfortunately there is no automated way to detect whether a malicious file has been uploaded to your store. This is typically a “silent hack” (i.e. the hacker is interested in remaining stealth in order to capture sensitive information over time, such as credit card numbers), so you might have not noticed anything different in the running of your store.

Securing a Store

If you already installed the latest August 20, 2015 security patch, then it is unlikely your store was breached. However, we strongly recommend repeating all of the steps following the "Identifying a Breach" section of the August security patch located here. It is also recommended that you review the part about "Securing your Store", specifically the part about renaming your control panel folder. This vulnerability is dependent on the hacker knowing the name of your control panel folder.


In addition to everything explained in the August 20, 2015 article you should do the following:
  • Clear your Control Panel Logs: 
    This is very important! 
    Even after patching the store the hacker could still use the old log files.  If you installed the August 20, 2015 patch and changed the name of the control panel folder, then the hacker may not be able to find the old logs.  However, if they did find the log files they could be exploited.  So please clear your logs by navigating to "Reports > View Control Panel Logs" and clicking the "Remove All Logs" button.
     
  • Change the passwords of all control panel users:
    This is very important!  If you do not change the control panel user password then any hacker that already obtained them from a previous exploit may be able to reuse them again. click here
     
  • Rename your control panel directory:
    This important step was covered in other security patches, but is worth mentioning again here. This will ensure the hacker does not already have the name of your control panel from before you installed the patches. Learn More.

Menu

  • Support Forums
  • Video Tutorials
  • Support Request
  • Support Policy
647e99095133bd6d1ae916f97dc7f92f@productcart.desk-mail.com
https://cdn.desk.com/
false
desk
Loading
seconds ago
a minute ago
minutes ago
an hour ago
hours ago
a day ago
days ago
about
false
Invalid characters found
/customer/en/portal/articles/autocomplete