osCommerce 2.3.2 to be released shortly

Posted on July 16, 2012 by Gary — 16 Comments ↓

Hearing on the grapevine that osCommerce 2.3.2 is to released shortly.

Changes from 2.3.1 to 2.3.2 (not scientifically exact, based on my looking at the files)

1. shopping_cart.php – Remove hardcoded language words
2. product_info.php – redirect to index page if no products_id is available
3. product_info.php – solve incorrect number of reviews bug
4. password_forgotten.php – new password reset functionality
5. login.php – new password reset functionality
6. index.php – cure manufacturers display bug
7. checkout_process.php – error check on $product_attributes
8. checkout_confirmation.php – error check on POST $comments
9. checkout_confirmation.php – error check on $confirmation
10. includes/version.php – update version
11. includes/filenames.php – add 1 page
12. includes/modules/new_products.php – count on $num_new_products
13. includes/functions/html_output.php – remove an unwanted character
14. includes/functions/general.php – solve malformed url problem
15. includes/functions/general.php – new password reset functionality
16. includes/classes/passwordhash.php – new password reset functionality
17. admin/reviews.php – fix a misspelling x 2
18. admin/mail.php – solve outgoing email issue
19. admin/define_language.php – use lngdir instead of $language
20. admin/categories.php – remove camelCase
21. admin/action_recorder.php – solve multiple instances of aID in URL
22. admin/includes/modules/dashboard/d_reviews.php – add ending href
23. admin/includes/modules/dashboard/d_orders.php – add ending href
24. admin/includes/modules/dashboard/d_customers.php – add ending href
25. admin/includes/functions/html_output.php – remove unwanted character
26. admin/includes/functions/general.php – solve malformed URL problem
27. admin/includes/functions/general.php – increase randomness
28. admin/includes/classes/passwordhash.php – increase randomness

Posted in Uncategorized

http://www.arlisa-bijoux.com Isa

Really? I look forward to that and I hope the upgrade won't be too hard to achieve for me…
http://www.thatsoftwareguy.com That Software Guy

Gary, do we have a list of known bugs in 2.3.1?
http://www.refreshcreations.co.uk/ Ryan Carson

Here's hoping there will be a few more fixes for any upcoming deleted PHP features.
http://www.oscommerce.com Harald Ponce de Leon

Here is the upgrade guide for v2.3.2:

http://forums.oscommerce.com/page/docs/_/oscom/23/release-notes-v2/oscommerce-online-merchant-v232-r12
http://bugdorm.megaview.com.tw/ Eddy

Hi Gary,

Is this new measure to prevent abuse of resetting account passwords really an improvement for shop security? I mean, it’ll be a royal PITA if someone who knows my email address keeps resetting the password for me, but it won’t really hurt anything. Or, am I missing something about the whole idea?

Cheers, Eddy
Steph

Security is always a good thing to work on, but is this one improvement really enough to call it 2.3.2?
I'd expect a whole bunch of improvements before launching a new version.

But it is nice to see that oscommerce is alive and improving.. slowly…
Gary

There have been lots of little bugs cured in this update. It is only an iteration of 2.3 series.

Eddy, you are correct, a possible password reset vulnerability.

The next 'true' version will be 2.4 I suspect.
Isa

Thanks to Harald for the link to the upgrade guide, but where are the new files downloadable from aside from Github? I mean there's no 2.3.2 package in the oscommerce site.

Who in this thread will perform the upgrade? I'm not sure if I will myself.
http://www.oscommerce.com Harald Ponce de Leon

v2.3.2 will be pushed out today. Here is an overview of the upcoming releases:

v2.3.2 – Customer Password Reset improvement + generation of random bytes improvement
v2.3.3 – Bug fixes
v2.4 – PHP 5.4 compatible release

Existing store owners do not have to upgrade to v2.4 – v2.3 will continue to have bug fixes backported from v2.4.x releases.
http://www.thatsoftwareguy.com Scott Wilson

Harald, would you please publish a list of the bugs fixed in 2.3.3?
Gary

Password Reset, see Stefan Esser's post

1. Use a Keep-Alive HTTP Request to search in the phpBB2 forum for the string 'a'
2. The search should return enough results so that multiple pages are returned which leaks the search_id
3. A simple table lookup is performed by the attacker to determine the random number seed
4. The attacker initializes his random number generator and throws away one random number. (the search_id)
5. The attacker then uses the still active Keep-Alive HTTP request to send an admin password reset request to the WordPress blog.
6. The blog uses mt_rand() to generate the activation link and sends it to the admin by email.
7. The attacker can calculate the activation link because his random number generator has the same state.
8. The exploit triggers the activation link (over the still active Keep-Alive Request) which results in the new admin password beeing sent to the admin.
9. Because the new password is generated by mt_rand() the attacker can also calculate it on his side.
10. After that the attacker knows the admin password of the WordPress blog and can take it over.

The new password functionality stops this type of attack.
Gary

2.3.2 is now officially released.
http://www.oscommerce.com/solutions/downloads

2.3.1 -> 2.3.2 files:
http://www.oscommerce.com/get/11
Bear in mind that if you are running a store that is not "out of the box", eg it has a template or addons, then you should not just overwrite your existing files with these. You need to merge the changed content into your own files. I may offer a "beer fee" service to clients wanting this done.

Full 2.3.2 download:
http://www.oscommerce.com/get/10

2.3.1 is now out of date, and you should use 2.3.2 for New Stores, or update your 2.3.1 with the new Password Reset functionality.
http://www.oscommerce.com Harald Ponce de Leon

A v2.3.3 branch has just been added to Github with the following commits (confirmed bug fixes):

https://github.com/osCommerce/oscommerce2/compare/upgrade233

This simple change fixes PHP 5.4 compatibility (still in testing):

https://github.com/haraldpdl/oscommerce2/commit/94da0113acbae6143ce218a6b33947ed3dea8baf

There are still more bug fixes coming in v2.3.3.
http://bugdorm.megaview.com.tw Eddy

Hi Gary,

1) Is there any reasons why the password-reset link is set to expire in 24 hours? Wouldn't it be even more secured if it was set to a much shorter time period e.g. 30 minutes?

2) If I want to set the expiration time to 30 minutes, do I simply change the code to:

strtotime($check_customer['password_reset_date'] . ' +30 minutes') <= time()

Thanks!
Xpajun

Forgive my very late comments on this but… On the subject of the new password reset – how damaging can it be for a customer account to be hacked, I mean in the vast majority of cases customers (certainly my customers) do not get anything without paying first, so no gain for the hackers there then – and surely the hacker would need to know the customers email address first…. or am I really missing something?

On top of which Gary, how does this change fit in with your remove create_account password hack?
oscbooks

Juls – it's a very very slight chance that a person with an account (not a hacker per se), could get the admin password. The update to 2.3.2 or 2.3.3 cures this. The remove password mod makes no difference.

Buy Gary A Beer?
Buying me a "beer" helps me to keep my contributions updated and keep this blog alive - and you get a link from my homepage to your site. Cheers!