Post by jrr » Fri Dec 24, 2021 9:57 am

I ask because I have some troubles with new extensions, they keep bumping into small issues on 3.0.3.6 that may have been cleaned up by the time you get to 3.0.3.8. Or does (for example) the Clear Thinking (or others) upgrades for 3.X take one to essentially the latest version of OC so why bother with upgrading for now?
Github isn't that clear on how bugs are dealt with (resolved, see next comment), and the extensions marketplace would stand to have an area called "Fixes" or ?? for folks who take the trouble to make paid or free upgrades - but that aren't that easy to find, especially if you don't know if you need it or not... I guess I just have to study Github more to see how the bugs are identified, and dealt with...it is tiresome though!
One thing I just noticed was a warning about "https://www.exploit-db.com/exploits/50555" Sessjion Injection for 3.0.3.8 - which is a point to consider against upgrades if there are new bugs even if the revision cleaned up some old ones.

John :-#)#

PS, and of course the Notify me when a reply is posted isn't fixed - why doesn't OC simply REMOVE that option if they aren't going to repair the !@#!$!#@ thing!

Happy Ho-Hos none the less!
Last edited by jrr on Fri Dec 24, 2021 10:06 pm, edited 1 time in total.

jrr
Active Member

Posts

Joined
Mon Nov 20, 2017 1:48 pm

Post by ADD Creative » Fri Dec 24, 2021 6:12 pm

That exploit applies to all 3.x versions.

You can see the changes between versions here.
https://github.com/opencart/opencart/co ... ...3.0.3.7
https://github.com/opencart/opencart/co ... ...3.0.3.8

Some worthwhile fixes, including minor security related ones. However, there have been some new bugs introduced.

www.add-creative.co.uk


Guru Member

Posts

Joined
Sat Jan 14, 2012 1:02 am
Location - United Kingdom

Post by jrr » Fri Dec 24, 2021 10:05 pm

ADD Creative wrote:
Fri Dec 24, 2021 6:12 pm
That exploit applies to all 3.x versions.

You can see the changes between versions here.
https://github.com/opencart/opencart/co ... ...3.0.3.7
https://github.com/opencart/opencart/co ... ...3.0.3.8

Some worthwhile fixes, including minor security related ones. However, there have been some new bugs introduced.
Thanks, that is a useful link. I changed the compare to 3.0.3.6 to 3.0.3.8 and this gives me a pretty good idea of what changes matter - what may be covered by extensions I already have for 3.0.3.6 and weather or not I should upgrade and learn the new bugs, or just make sure the known ones are accounted for in any changes I make.
Still learning how Github does things - for a "Commit" (lets say "Fix duplicate entries not being removed" does the 'verified' button beside that mean this has been resolved in the next (.0.7 or .0.8) revision?

jrr
Active Member

Posts

Joined
Mon Nov 20, 2017 1:48 pm

Post by Daniel » Sat Dec 25, 2021 12:54 am

What exactly is the issue? how can this give access to some ones data or exactly compromise the system????

As far as i can see this is some delusional clown.

OpenCart®
Project Owner & Developer.


User avatar
Administrator

Posts

Joined
Fri Nov 03, 2006 6:57 pm

Post by mikeinterserv » Sat Dec 25, 2021 1:42 am

Daniel wrote:
Sat Dec 25, 2021 12:54 am
What exactly is the issue? how can this give access to some ones data or exactly compromise the system????

As far as i can see this is some delusional clown.
Correct.
THAT is the pandemic in reality - the whole world are becoming delusional clowns, or worse.

Active Member

Posts

Joined
Thu May 28, 2020 6:55 am
Location - Wales

Post by Daniel » Sat Dec 25, 2021 3:00 am

i think most of this lock down stuff is to bankrupt companies and people so the banks can come in and clear up. this sort of stuff is already going on in the UK where fake warrants from fake courts are used to throw people out of there houses so they can be sold at auction. the money is they transferred out off shore bank accounts. call the police, the police help the fake bailiff's. unfortunately these sort of scams include children being sent off to care homes and local councils being paid millions to look after them. a lot of pedo police and judges involved. the UK is really lawless. look at corruption in north Hampshire police and barnet council. main stream media never reports.

OpenCart®
Project Owner & Developer.


User avatar
Administrator

Posts

Joined
Fri Nov 03, 2006 6:57 pm

Post by mikeinterserv » Sat Dec 25, 2021 4:07 am

You are not wrong
I will also say this.
If you have honesty, integrity and sense as your base, living in this world is becoming nothing short of impossible.

Active Member

Posts

Joined
Thu May 28, 2020 6:55 am
Location - Wales

Post by jrr » Fri Dec 31, 2021 10:03 am

Daniel wrote:
Sat Dec 25, 2021 12:54 am
What exactly is the issue? how can this give access to some ones data or exactly compromise the system????

As far as i can see this is some delusional clown.
I hope you are referring to the creator of the website whose link I provided about the so-called "Sessjion Injection" because I was simply asking a question about it...

The claim is:
Session cookie "OCSESSID" is inproperly processed
Attacker can set any value cookie and server set this value
Becouse of that sesssion injection and session fixation vulnerability
Spelling errors and it hasn't been confirmed by that site's review process - so it certainly can be a false claim. Sorry I raised it!

I appreciate OC and the developers who move it forward, I try to understand how it works as I use it for my little online store. I also prefer to buy extensions through the OC system to help pay for the free code and support.

jrr
Active Member

Posts

Joined
Mon Nov 20, 2017 1:48 pm

Post by jrr » Mon Jan 03, 2022 8:20 am

Moving back on topic...

I've now installed the upgrade 3.0.3.8 in a test directory https://www.opencart.com/index.php?rout ... load_id=62 - this is a great "FREE!" test tool - it mirrors your setup so you can play with extensions. settings, etc., but if you break it it won't take down your real store! You just delete the test site and run it again. Faster than doing a localhost installationa and as it works on your live server it catches anything you would see on the live store.
Next, after uploading all the changes, I ran the /catalog/install/install and then where it says to Upgrade, I chose Continue but I get this error message after about ten seconds :
Error Code(0): Error: Column 'description' cannot be part of FULLTEXT index
Error No: 1283
ALTER TABLE `test_site_product_description` CHANGE `name` `name` VARCHAR(255) NOT NULL AFTER `language_id` in /usr/www/users.../testsite/system/library/db/mysqli.php on line 48
Perhaps it is related to " All columns of a FULLTEXT index must have not only the same character set but also the same collation."? I thought all my fields were the same:
DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
`license_key` varchar(64) COLLATE utf8mb4_unicode_ci NOT NULL,
`code` varchar(32) COLLATE utf8mb4_unicode_ci NOT NULL,
`support_expiry` date DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
Found this suggestion as a possible cause here: https://stackoverflow.com/questions/653 ... text-index

jrr
Active Member

Posts

Joined
Mon Nov 20, 2017 1:48 pm

Post by ADD Creative » Tue Jan 04, 2022 3:01 am

It a MySQL restriction that all columns in a FULLTEXT index must use the same character set and collation.
https://dev.mysql.com/doc/refman/8.0/en ... tions.html

What columns do you have that use FULLTEXT? They are probably added by extensions or leftover from older versions.

jrr wrote:
Fri Dec 31, 2021 10:03 am
The claim is:
Session cookie "OCSESSID" is inproperly processed
Attacker can set any value cookie and server set this value
Becouse of that sesssion injection and session fixation vulnerability
Spelling errors and it hasn't been confirmed by that site's review process - so it certainly can be a false claim. Sorry I raised it!
It's not a false claim as such and it's been mentioned before. You would just need another vulnerability to use in combination with, in order to achieve anything.

www.add-creative.co.uk


Guru Member

Posts

Joined
Sat Jan 14, 2012 1:02 am
Location - United Kingdom

Post by jrr » Tue Jan 04, 2022 9:36 am

ADD Creative wrote:
Tue Jan 04, 2022 3:01 am
It a MySQL restriction that all columns in a FULLTEXT index must use the same character set and collation.
https://dev.mysql.com/doc/refman/8.0/en ... tions.html

What columns do you have that use FULLTEXT? They are probably added by extensions or leftover from older versions.
Yeah, I'm thinking that too. I am probably just going to rebuild my site starting with 3.0.3.8 and reinstall my working extensions and edits. I think I had a bad extension or two that broke things a while ago and even though the site is working, it has background problems that are just getting more and more tangled up.

jrr
Active Member

Posts

Joined
Mon Nov 20, 2017 1:48 pm
Who is online

Users browsing this forum: No registered users and 24 guests