Online Payments Blog

Industry News and discussions relating to Online Payments and Application Security.
Nov 01, 2009

CubeCart neglect to inform their customers of critical vulnerability

Posted by Dave in WorldNet TPS , security , sagepay , e-commerce , cubecart , Application Security , Acunetix

CubeCart is a popular commercial PHP-based ecommerce shopping cart solution. CubeCart is currently supported by two Irish Payment Service Providers: WorldNet TPS and SagePay.

Acunetix, a company that specialises in application security, discovered a critical session management vulnerability when auditing the source code for version 4.3.4 of CubeCart. The vulnerability allows an attacker to bypass the session management for administrative users without providing any credentials. Once the session check is bypassed, an attacker can perform any action the administrator can, such as dumping the database, installing modules and so on. You can find a detailed description of the vulnerability on the Acunetix blog, including a proof of concept.

Acunetix informed CubeCart about this vulnerability on October 20th 2009. CubeCart released version 4.3.5 on October 26th 2009, which included a fix for this vulnerability. If you are using CubeCart to run your ecommerce site then you should update to the latest version immediately. One would also expect that this is the advice CubeCart would give their customers, but this is not the case.

Here are the release notes that CubeCart have provided with version 4.3.5 of CubeCart -

CubeCart 4.3.5 has been released today and is available to download from the "Dashboard" area of your customer's control panel. PayPal Website Payment Pro customers on CubeCart 4.3.4 must upgrade to use 3D Secure.

What's new?
URLs changed in WorldPay module to match "RBS Worldpay" branding
PayPal 3D Secure Fix & Enhancements *
Moneybookers Payment Notification Fix
Database Class Optimization
Misc bugs...


There is no mention of the fix for the critical vulnerability that allows an attacker to easily get administrative access to the system. The majority of CubeCart powered sites will be on the Internet and will be indexed by the major search engines. As a result of this an attacker could easily construct a search query to find sites running old versions of CubeCart.

The fact that CubeCart did not highlight the fix in their release notes is a very irresponsible move. It shows a serious lack of professionalism when an organisation fixes a critical vulnerability in their product but neglects to inform their customers. As a result, most people running CubeCart are not going to be aware of this vulnerability or of the fact that it has been fixed in the latest release. If you or any of your clients run CubeCart then you should upgrade immediately to version 4.3.5.


Dave

--


Sep 11, 2009

Iridium acquire 189 new merchants as a result of the SagePay outage

Posted by Dave in sagepay , protx , payment processing , outage , online payments , multiple payment options

Earlier this week SagePay experienced a serious outage that spanned more than 22 hours. This outage has been getting a lot of attention on the Internet, in particular on the UK business forums and also on Twitter. This is understandable, as SagePay have over 25,000 customers in the UK and Ireland, so when these merchants are unable to process payment transactions they are going to make some noise.

The outage started on Monday at 7:48pm and prevented payments from being processed for 2 hours and 22 minutes. It was 22 hours later before normal service was resumed. During the outage merchants were unable to view historical transaction data. This meant that merchants were unable to review previous transactions, void transactions, process recurring transactions or carry out refunds.

SagePay have published a message from their MD Simon Black explaining what happened and the steps that they had to take to restore the service. One of the unique selling points with SagePay Go is "Extremely Reliable".

SagePay run twin data centers and have a third site for disaster recovery. The root of the problem this week was a hardware failure. The failure caused their database to get corrupted. As a result of this corrupted database they were unable to switch data centers.

This is not the first time that SagePay have experienced serious outages. Their outages in 2007 and 2008 were very highly publicised. Outages will always occur, no one is going to be able to maintain 100% up-time. It is the frequency at which these outages occur and the manner in which the outage is handled that will cause merchants to go looking for alternative providers.

Outages like this often push competitors to offer their services as replacements. During this outage Iridium made an offer to SagePay clients, offering them free fees for the remaining duration of their contract. For example, if a vendor had 3 months left on their contract with SagePay, Iridium is offering to forgo 3 months of fees. According to an article on The Register, Iridium say that they have picked up 189 new merchants as a result of the SagePay outage.

If your business requires 100% up-time for your payment processing then the best option is to work with more than one payment provider. That way, if one provider has downtime you can direct your payments to the other provider, reducing any payment downtime on your site. Obviously there is a cost associated with this approach, but depending on the nature of your business this additional cost might be justified to mitigate the risk of payment downtime. Another solution is to use PayPal as your alternative payment option, as there are no ongoing costs or fixed fees with PayPal. Their per-transaction fees may be higher than those of your payment service provider, but you only pay when you process a transaction. So while you are processing payments with your primary payment provider PayPal will not cost you anything, but if your payment provider has an outage you can switch to PayPal and only pay if you make a sale.
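The failover arrangement described above can be automated rather than switched by hand. The following is an added example, not code from the original post or from any of the providers mentioned: a small router that tries a primary provider first and falls back to a secondary one, with a circuit breaker so that a provider that keeps failing is skipped for a cooldown period instead of adding a timeout to every checkout. The provider names (`primary_psp`, `paypal`) and the `charge(amount_cents, order_id)` callable are hypothetical stand-ins for whatever gateway SDK you actually use; the simulated outage is constructed for the demo.

```python
"""Failover between payment providers with a simple circuit breaker.

Added example, not part of the original post. Provider names and the
charge() callable signature are hypothetical stand-ins for a real SDK.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


class ProviderError(Exception):
    """Raised by a provider when a charge cannot be processed."""


@dataclass
class ChargeResult:
    provider: str
    reference: str


@dataclass
class CircuitBreaker:
    """Skip a provider after repeated failures.

    After `max_failures` consecutive failures the circuit opens and the
    provider is skipped until `cooldown` seconds have passed, after which a
    single probe request is allowed through again.
    """
    max_failures: int = 3
    cooldown: float = 60.0
    failures: int = 0
    opened_at: Optional[float] = None

    def available(self, now: float) -> bool:
        if self.opened_at is None:
            return True
        return now - self.opened_at >= self.cooldown

    def record_success(self) -> None:
        self.failures = 0
        self.opened_at = None

    def record_failure(self, now: float) -> None:
        self.failures += 1
        if self.failures >= self.max_failures:
            self.opened_at = now


ChargeFn = Callable[[int, str], str]


class PaymentRouter:
    """Try providers in order, skipping any whose circuit is open."""

    def __init__(self, providers: List[Tuple[str, ChargeFn]],
                 clock: Callable[[], float] = time.time) -> None:
        self.providers = providers
        self.breakers = {name: CircuitBreaker() for name, _ in providers}
        self.clock = clock  # injectable so the demo can control time

    def charge(self, amount_cents: int, order_id: str) -> ChargeResult:
        # order_id doubles as the idempotency key passed to each provider,
        # so a retry on the fallback cannot double-charge the same order.
        now = self.clock()
        errors = []
        for name, charge_fn in self.providers:
            breaker = self.breakers[name]
            if not breaker.available(now):
                errors.append(f"{name}: circuit open")
                continue
            try:
                reference = charge_fn(amount_cents, order_id)
            except ProviderError as exc:
                breaker.record_failure(now)
                errors.append(f"{name}: {exc}")
                continue
            breaker.record_success()
            return ChargeResult(name, reference)
        raise ProviderError("all providers failed: " + "; ".join(errors))


# --- constructed providers for the demo: one down, one healthy ---------------

def make_failing_provider(calls: List[str], name: str) -> ChargeFn:
    def charge(amount_cents: int, order_id: str) -> str:
        calls.append(name)
        raise ProviderError("gateway unreachable (simulated outage)")
    return charge


def make_working_provider(calls: List[str], name: str) -> ChargeFn:
    def charge(amount_cents: int, order_id: str) -> str:
        calls.append(name)
        return f"{name}-{order_id}"
    return charge


def run_demo() -> Dict[str, object]:
    """Process five orders during a primary-provider outage."""
    calls: List[str] = []
    clock = [1000.0]
    router = PaymentRouter(
        [("primary_psp", make_failing_provider(calls, "primary_psp")),
         ("paypal", make_working_provider(calls, "paypal"))],
        clock=lambda: clock[0],
    )
    used = []
    for i in range(5):
        used.append(router.charge(1999, f"order-{i}").provider)
        clock[0] += 1.0  # one second between orders, well inside the cooldown
    return {
        "used": used,
        "calls": calls,
        "primary_open": router.breakers["primary_psp"].opened_at is not None,
    }


if __name__ == "__main__":
    print(run_demo())
```

In the demo the first three orders each hit the failing primary before falling back, the breaker then opens, and the remaining orders go straight to the fallback without touching the primary. Two points matter in a real deployment: pass the same order identifier to every provider as an idempotency key, because a provider that times out may still have captured the payment, and have the circuit breaker's state visible in monitoring so an outage at the primary is noticed rather than silently absorbed into higher fallback fees.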


Dave

--
