CORE Security Technologies Advisory

Item: #1013
Date: 21 Apr 2010
Applies to: v6

Question

What does the advisory cover and what do I need to do?

Answer

The advisory covers CactuShop v6.0 and 6.1. CactuShop 5.x is NOT affected by this issue.

CactuShop is regularly tested by third-party security scans and audits. In April 2010 CORE identified two potential issues while testing CactuShop 6.1 and contacted us about them.

We quickly ruled out the first as a CactuShop flaw: it was introduced by a customer modification (CORE was testing a customer-modified CactuShop installation, not the original CactuShop code).

The second, a cross-site scripting (XSS) vulnerability, was confirmed, and we have issued a patch.

The patched file can be downloaded as a zip archive here:

http://www.cactushop.com/download/_invoice_asp_6155.zip

The latest v6.155 release of CactuShop also includes this modified file; registered users with valid tech support cover can download it from the user area if they prefer.

This file is the same for CactuShop Pro and Standard, and should also work with older v6 carts. If you have modified this file yourself, merge your changes into the patched copy rather than copying your old version over it, or the fix will be lost.

The first vulnerability (due to a customer modification) highlights the importance of modifying database queries with great care so as not to introduce SQL injection vulnerabilities: any value taken from the request (query string, form field, cookie) must be passed to the database as a parameter, never concatenated into the SQL string. We have been alerted to several cases where stores have been breached through SQL injection vulnerabilities introduced in modifications. The threat is real and should not be taken lightly.
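As an added illustration for this item (this is not CactuShop code, and not the modification that CORE tested): a hypothetical store customisation that looks up an order by ID and prints the customer's name, written first the dangerous way and then the safe way, in the classic ASP/VBScript that CactuShop pages such as _invoice.asp are written in. The table and column names (tblOrder, nOrderID, sCustomerName), the connection-string application setting and the procedure names are all invented for the example.

```asp
<% Option Explicit %>
<%
' Added example for this knowledgebase item; not CactuShop code and not the
' modification CORE tested. Everything below is hypothetical: the table and
' column names (tblOrder, nOrderID, sCustomerName) and the connection-string
' application setting are invented for illustration.

' ADO constants, in case adovbs.inc / the ADO type library is not referenced.
Const adCmdText    = 1
Const adInteger    = 3
Const adVarChar    = 200
Const adParamInput = 1

' UNSAFE: the request value is pasted straight into the SQL text.
' ?nOrderID=1 OR 1=1 lists every order; ?nOrderID=1;DROP TABLE tblOrder-- is worse.
Sub ShowOrderUnsafe(conn)
    Dim sSQL, rs
    sSQL = "SELECT sCustomerName FROM tblOrder WHERE nOrderID = " & Request.QueryString("nOrderID")
    Set rs = conn.Execute(sSQL)
    If Not rs.EOF Then
        ' Also an XSS sink: the stored value is echoed into the page unencoded.
        Response.Write rs("sCustomerName")
    End If
    rs.Close
End Sub

' SAFE: validate the input, send it as a typed parameter, encode the output.
Sub ShowOrderSafe(conn)
    Dim sId, re, cmd, rs
    sId = Request.QueryString("nOrderID")

    ' Whitelist validation: an order ID is a short string of digits, nothing else.
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    If Not re.Test(sId) Then
        Response.Status = "400 Bad Request"
        Response.End
    End If

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' The ? placeholder is filled in by the driver; the value can never alter
    ' the structure of the statement, whatever characters it contains.
    cmd.CommandText = "SELECT sCustomerName FROM tblOrder WHERE nOrderID = ?"
    cmd.Parameters.Append cmd.CreateParameter("@nOrderID", adInteger, adParamInput, , CLng(sId))
    ' For a text value (e.g. a search term) use adVarChar with a size instead:
    '   cmd.CreateParameter("@sTerm", adVarChar, adParamInput, 50, sTerm)
    ' Escaping quotes by hand is not a substitute for this.

    Set rs = cmd.Execute
    If Not rs.EOF Then
        ' HTML-encode every value written into the page, including database
        ' values; appending "" turns a NULL into an empty string, which
        ' Server.HTMLEncode requires.
        Response.Write Server.HTMLEncode(rs("sCustomerName") & "")
    End If
    rs.Close
End Sub

Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnectionString")   ' assumed: connection string held in Application
ShowOrderSafe conn                           ' ShowOrderUnsafe is kept only for contrast
conn.Close
%>
```

The point of the contrast is that the safe version never builds SQL text from request data: the digits-only check stops junk early, the ADODB.Command parameter carries the value separately from the statement, and Server.HTMLEncode on the way out closes the kind of output hole that the second issue in this advisory belongs to. When you customise a CactuShop page, apply the same three steps to every value that comes from the request or the database.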

As well as following best practice in modifications, we strongly advise all users to enact general security measures: use the IP block on the back end, use strong passwords, and regularly sweep the machines used to access the back end or FTP to ensure no keylogger or other malware is present.

We would like to thank CORE Security Technologies for alerting us to the issue and working with us to confirm a solution.
