I ask because I have some trouble with new extensions; they keep bumping into small issues on 3.0.3.6 that may have been cleaned up by the time you get to 3.0.3.8. Or does (for example) the Clear Thinking (or others) upgrades for 3.X take one to essentially the latest version of OC, so why bother with upgrading for now?
Github isn't that clear on how bugs are dealt with (resolved, see next comment), and the extensions marketplace would stand to have an area called "Fixes" or ?? for folks who take the trouble to make paid or free upgrades - but that aren't that easy to find, especially if you don't know if you need it or not... I guess I just have to study Github more to see how the bugs are identified, and dealt with...it is tiresome though!
One thing I just noticed was a warning about "https://www.exploit-db.com/exploits/50555" Sessjion Injection for 3.0.3.8 - which is a point to consider against upgrades if there are new bugs even if the revision cleaned up some old ones.
John :-#)#
PS, and of course the Notify me when a reply is posted isn't fixed - why doesn't OC simply REMOVE that option if they aren't going to repair the !@#!$!#@ thing!
Happy Ho-Hos none the less!
Last edited by jrr on Fri Dec 24, 2021 10:06 pm, edited 1 time in total.
That exploit applies to all 3.x versions.
You can see the changes between versions here.
https://github.com/opencart/opencart/co ... ...3.0.3.7
https://github.com/opencart/opencart/co ... ...3.0.3.8
Some worthwhile fixes, including minor security related ones. However, there have been some new bugs introduced.
ADD Creative wrote: ↑Fri Dec 24, 2021 6:12 pm
That exploit applies to all 3.x versions.
You can see the changes between versions here.
https://github.com/opencart/opencart/co ... ...3.0.3.7
https://github.com/opencart/opencart/co ... ...3.0.3.8
Some worthwhile fixes, including minor security related ones. However, there have been some new bugs introduced.
Thanks, that is a useful link. I changed the compare to 3.0.3.6 to 3.0.3.8 and this gives me a pretty good idea of what changes matter - what may be covered by extensions I already have for 3.0.3.6 and whether or not I should upgrade and learn the new bugs, or just make sure the known ones are accounted for in any changes I make.
Still learning how Github does things - for a "Commit" (let's say "Fix duplicate entries not being removed") does the 'verified' button beside that mean this has been resolved in the next (.0.7 or .0.8) revision?
I think most of this lockdown stuff is to bankrupt companies and people so the banks can come in and clear up. This sort of stuff is already going on in the UK, where fake warrants from fake courts are used to throw people out of their houses so they can be sold at auction. The money is then transferred out to offshore bank accounts. Call the police, and the police help the fake bailiffs. Unfortunately these sorts of scams include children being sent off to care homes and local councils being paid millions to look after them. A lot of pedo police and judges are involved. The UK is really lawless. Look at corruption in North Hampshire Police and Barnet Council. Mainstream media never reports it.
OpenCart®
Project Owner & Developer.
You are not wrong
I will also say this.
If you have honesty, integrity and sense as your base, living in this world is becoming nothing short of impossible.
I hope you are referring to the creator of the website whose link I provided about the so-called "Sessjion Injection" because I was simply asking a question about it...
The claim is:
Session cookie "OCSESSID" is inproperly processed
Attacker can set any value cookie and server set this value
Becouse of that sesssion injection and session fixation vulnerability
Spelling errors and it hasn't been confirmed by that site's review process - so it certainly can be a false claim. Sorry I raised it!
I appreciate OC and the developers who move it forward, I try to understand how it works as I use it for my little online store. I also prefer to buy extensions through the OC system to help pay for the free code and support.
Moving back on topic...
I've now installed the upgrade 3.0.3.8 in a test directory https://www.opencart.com/index.php?rout ... load_id=62 - this is a great "FREE!" test tool - it mirrors your setup so you can play with extensions, settings, etc., but if you break it, it won't take down your real store! You just delete the test site and run it again. Faster than doing a localhost installation, and as it works on your live server it catches anything you would see on the live store.
Next, after uploading all the changes, I ran the /catalog/install/install and then where it says to Upgrade, I chose Continue, but I get this error message after about ten seconds:
Error Code(0): Error: Column 'description' cannot be part of FULLTEXT index
Error No: 1283
ALTER TABLE `test_site_product_description` CHANGE `name` `name` VARCHAR(255) NOT NULL AFTER `language_id` in /usr/www/users.../testsite/system/library/db/mysqli.php on line 48
Perhaps it is related to "All columns of a FULLTEXT index must have not only the same character set but also the same collation."? I thought all my fields were the same:
Found this suggestion as a possible cause here: https://stackoverflow.com/questions/653 ... text-index
DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
`license_key` varchar(64) COLLATE utf8mb4_unicode_ci NOT NULL,
`code` varchar(32) COLLATE utf8mb4_unicode_ci NOT NULL,
`support_expiry` date DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
It's a MySQL restriction that all columns in a FULLTEXT index must use the same character set and collation.
https://dev.mysql.com/doc/refman/8.0/en ... tions.html
What columns do you have that use FULLTEXT? They are probably added by extensions or leftover from older versions.
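One way to answer that question, as an added example that is not OpenCart's own code: a small PHP/mysqli script that lists every FULLTEXT index in the current database with each column's character set and collation, and flags indexes whose columns disagree (the MySQL restriction quoted above). The connection parameters are placeholders.

```php
<?php
// Added example, not OpenCart code. Lists FULLTEXT indexes in the current
// database with each column's charset/collation and flags mismatches.
// Connection parameters below are placeholders; replace with your own.

$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($db->connect_error) {
    die('Connect failed: ' . $db->connect_error);
}

// STATISTICS gives index membership; COLUMNS gives charset and collation.
$sql = "SELECT s.TABLE_NAME, s.INDEX_NAME, s.COLUMN_NAME,
               c.CHARACTER_SET_NAME, c.COLLATION_NAME
        FROM information_schema.STATISTICS s
        JOIN information_schema.COLUMNS c
          ON c.TABLE_SCHEMA = s.TABLE_SCHEMA
         AND c.TABLE_NAME   = s.TABLE_NAME
         AND c.COLUMN_NAME  = s.COLUMN_NAME
        WHERE s.TABLE_SCHEMA = DATABASE()
          AND s.INDEX_TYPE = 'FULLTEXT'
        ORDER BY s.TABLE_NAME, s.INDEX_NAME, s.SEQ_IN_INDEX";

$result = $db->query($sql);
if ($result === false) {
    die('Query failed: ' . $db->error);
}

$indexes = [];  // "table.index" => list of [column, charset, collation]
while ($row = $result->fetch_assoc()) {
    $key = $row['TABLE_NAME'] . '.' . $row['INDEX_NAME'];
    $indexes[$key][] = [$row['COLUMN_NAME'], $row['CHARACTER_SET_NAME'], $row['COLLATION_NAME']];
}

// An index whose columns use more than one collation is the one the
// upgrade's ALTER TABLE will trip over (error 1283).
foreach ($indexes as $key => $columns) {
    $collations = array_unique(array_column($columns, 2));
    $status = count($collations) > 1 ? 'MISMATCH' : 'ok';
    echo "$key [$status]\n";
    foreach ($columns as [$name, $charset, $collation]) {
        echo "    $name  $charset / $collation\n";
    }
}
```

A flagged index has to be brought into line (alter the odd column's collation, or drop and recreate the index) before the upgrade's ALTER TABLE on that table will succeed; the script only reports, it changes nothing.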
jrr wrote: ↑Fri Dec 31, 2021 10:03 am
The claim is:
Session cookie "OCSESSID" is inproperly processed
Attacker can set any value cookie and server set this value
Becouse of that sesssion injection and session fixation vulnerability
Spelling errors and it hasn't been confirmed by that site's review process - so it certainly can be a false claim. Sorry I raised it!
It's not a false claim as such, and it's been mentioned before. You would just need another vulnerability to use it in combination with in order to achieve anything.
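The pattern in that claim, a server that adopts whatever OCSESSID value the client presents, shown beside the usual defence, as an added example in plain PHP that is not OpenCart's session code; the in-memory store, the 32-hex-character id format and the method names are this example's own assumptions.

```php
<?php
// Added example, not OpenCart's code. A session store that only honours ids
// it issued itself and rotates the id on login: the defence against the
// fixation pattern in the quoted claim. Cookie name OCSESSID is from the
// thread; the store, id format and method names are assumed here.
final class SessionStore {
    /** @var array<string, array> session id => session data */
    private array $sessions = [];

    private function newId(): string {
        return bin2hex(random_bytes(16)); // 32 hex chars, unpredictable
    }

    // Weak pattern from the claim: whatever the client presents becomes the
    // session id, so an id chosen in advance by someone else is accepted as-is.
    public function weakOpen(string $cookieId): string {
        $this->sessions[$cookieId] ??= [];
        return $cookieId;
    }

    // Hardened: accept only a well-formed id that already exists in the store;
    // anything else is replaced by a fresh id the client could not have chosen.
    public function open(?string $cookieId): string {
        if ($cookieId !== null
            && preg_match('/^[a-f0-9]{32}$/', $cookieId) === 1
            && isset($this->sessions[$cookieId])) {
            return $cookieId;
        }
        $id = $this->newId();
        $this->sessions[$id] = [];
        return $id;
    }

    // On login, move the data to a brand-new id and forget the old one, so a
    // pre-login id (even one known to a third party) never becomes a logged-in one.
    public function regenerate(string $oldId): string {
        $data = $this->sessions[$oldId] ?? [];
        unset($this->sessions[$oldId]);
        $newId = $this->newId();
        $this->sessions[$newId] = $data;
        return $newId;
    }
}

$store = new SessionStore();
$id = $store->open($_COOKIE['OCSESSID'] ?? null);   // at request start
// ... after a successful login:
$id = $store->regenerate($id);
setcookie('OCSESSID', $id, ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
```

The id rotation on login is the part that matters: a format check alone still accepts any well-formed id the client supplies, which is why the claim is valid but only becomes useful in combination with something else.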
ADD Creative wrote: ↑Tue Jan 04, 2022 3:01 am
It's a MySQL restriction that all columns in a FULLTEXT index must use the same character set and collation.
https://dev.mysql.com/doc/refman/8.0/en ... tions.html
What columns do you have that use FULLTEXT? They are probably added by extensions or leftover from older versions.
Yeah, I'm thinking that too. I am probably just going to rebuild my site starting with 3.0.3.8 and reinstall my working extensions and edits. I think I had a bad extension or two that broke things a while ago, and even though the site is working, it has background problems that are just getting more and more tangled up.