Security Bulletin - 20080703
During internal audit activities, X-Cart has identified several moderate security vulnerabilities.
DESCRIPTION and IMPACT
In all X-Cart versions:
1. A malicious provider may ask the store administrator to use special symbols when creating the provider's account. In this case the provider can gain access to store files in the Files directory (or even outside it).
2. If the installation script has not been removed from the X-Cart web directory or closed to public access, as recommended, it may be possible to obtain the store installation auth code.
In versions 4.0.8-4.0.13:
3. SQL injection is possible due to a vulnerability in the Sales-n-Stats connector module.
These security issues potentially allow attackers to render an X-Cart-based store inoperable or to gain access to the application back-end.
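As an added example (not X-Cart's or Qualiteam's code), the two checks a fix for issue 1 needs: reject provider account names containing anything outside a conservative character set, and independently confirm that every resolved file path stays inside the provider's own directory under the Files directory. The Files directory location and the provider names used here are constructed for the example.

```python
import os
import re
from typing import Optional

# Constructed example location of the store's Files directory (not a real X-Cart path).
FILES_ROOT = "/srv/xcart/files"

# Check 1: a provider account name becomes a directory name, so it must not be able
# to express "..", path separators, NUL bytes or other metacharacters at all.
# An allow-list is far easier to reason about than a deny-list of "special symbols".
PROVIDER_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def is_valid_provider_name(name: str) -> bool:
    """True only for names made of letters, digits, '_' or '-' (1 to 64 chars)."""
    return PROVIDER_NAME_RE.fullmatch(name) is not None


def safe_provider_path(name: str, relpath: str, root: str = FILES_ROOT) -> Optional[str]:
    """Resolve relpath inside the provider's own directory under root.

    Returns the normalized absolute path, or None if the provider name is
    rejected or the resolved path would leave the provider's directory.
    Check 2 is deliberately independent of check 1: a crafted relpath
    (including an absolute one, which os.path.join would otherwise honour)
    cannot escape even if the name check were bypassed elsewhere.
    """
    if not is_valid_provider_name(name):
        return None
    base = os.path.normpath(os.path.join(os.path.abspath(root), name))
    target = os.path.normpath(os.path.join(base, relpath))
    # Compare with a trailing separator so "files/acme" does not match "files/acme2".
    if target != base and not target.startswith(base + os.sep):
        return None
    # Production code should additionally resolve symlinks (os.path.realpath)
    # once the directory exists; normpath alone only defeats ".." traversal.
    return target


if __name__ == "__main__":
    # Constructed inputs: a legitimate request and two escape attempts.
    for name, rel in [("acme_shop", "catalog.csv"),
                      ("acme_shop", "../../../../etc/passwd"),
                      ("../../etc", "passwd")]:
        print(repr(name), repr(rel), "->", safe_provider_path(name, rel))
```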
SOLUTION
To fix the security vulnerabilities, all X-Cart users should immediately install the security fix issued by Qualiteam.
Please check the ‘File Area’ section of your Helpdesk for the security patch for your X-Cart version. Installation instructions are included in the patch archive (file README.txt).
The security fix also adds an extra level of protection against XSS attacks, further improving your store's security.
As an additional security measure, you should remove or close to public access
Please refer to the “3.2.5 Security Checklist” chapter of the X-Cart manual for instructions.
Users are encouraged to contact Qualiteam tech support for help, or if any problems arise during or after applying the patch.
Should you require any assistance, please do not hesitate to contact Just X-Cart
