
Thread: Response to SQL Injection security advisories

  1. #1
    Squirrelcart Staff Jamie
    Join Date
    May 2002
    Posts
    6,719
    Squirrelcart version
    v3.3.7

    Response to SQL Injection security advisories

    Hi Everyone,

    Someone reported a potential security issue on 03/29 to some major security sites. In turn, those sites feed many (many, many!) other security web sites via RSS feeds and mailing lists. This resulted in thousands of hits in Google to pages that are copies of this security advisory. You can view one of them here:
    http://securityfocus.com/bid/12944

    We were not notified by the person that found this problem and reported it to these security groups, or we would have acted sooner. A Squirrelcart forum member was nice enough to give us the heads up on this:
    http://www.ldev.com/forums/showthread.php?t=1859

    We will be issuing a fix for this later tonight. Please check back here for more updates.

  2. #2
    Squirrelcart Staff Jamie
    Join Date
    May 2002
    Posts
    6,719
    Squirrelcart version
    v3.3.7

    v1.6.0 and patches released

    This issue has now been resolved in the new v1.6.0 release of Squirrelcart which is available for download on our support page. It includes the security patch as well as support for VeriSign Payflow Pro, Link, and Cybersource. You can read more about it here:
    http://www.squirrelcart.com/version_history.php

    If you prefer to just patch your current version, a patch is also available in the "Patches" section of the support page for all versions of Squirrelcart to date.

  3. #3
    Client
    Join Date
    Oct 2003
    Posts
    32
    Squirrelcart version
    not specified!

    Where to post patch??

    In the patch, it says:
    Installation instructions:
    ------------------------------------------------------------------------------------------
    1. Backup your files as described in the documentation:
    http://www.squirrelcart.com/help

    2. Upload the included squirrelcart folder to the same location as your existing one.

    Do you upload the new folder INTO the existing Squirrelcart folder?
    This is probably a stupid question, but I needed to ask it.

  4. #4
    Squirrelcart Staff Jamie
    Join Date
    May 2002
    Posts
    6,719
    Squirrelcart version
    v3.3.7

    Hi rjwmotor,

    No questions are stupid here. The squirrelcart folder in the patch is meant to be a match to the one on your site. So, if the path to your squirrelcart folder on your website is:

    htdocs/squirrelcart

    Then you would upload the squirrelcart folder to:
    htdocs/

    You'll be prompted to overwrite existing files, which is fine, as long as you made a backup.
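The backup-then-overlay procedure from posts #3 and #4, as an added shell example (not Squirrelcart's own tooling). It assumes the site root (for instance `htdocs`) contains a `squirrelcart/` folder and that the patch has been unpacked into a local directory that also contains a `squirrelcart/` folder; the function names `apply_patch_overlay` and `verify_patch_overlay` are hypothetical. It does on a shell what the FTP upload does by hand, but takes the backup first and then confirms that every file shipped in the patch is now the copy in service, so a half-finished upload cannot leave the vulnerable files in place unnoticed.

```shell
#!/bin/sh
# Added example (not Squirrelcart's own tooling): apply a "files only" patch
# that ships a squirrelcart/ folder meant to overlay the one on the site.
# Assumes <site_root>/squirrelcart exists and <patch_dir>/squirrelcart holds
# the patched files, mirroring the upload described in the thread.
set -eu

# Back up the existing folder to a timestamped tarball beside it, then copy
# the patch folder over the existing one. Existing files are overwritten;
# files that are not in the patch are left alone.
# Usage: apply_patch_overlay <site_root> <patch_dir>
apply_patch_overlay() {
    site_root=$1
    patch_dir=$2
    target="$site_root/squirrelcart"
    source="$patch_dir/squirrelcart"

    # Refuse to run if either side is missing: uploading to the wrong place
    # silently leaves the unpatched files in service.
    [ -d "$target" ] || { echo "no squirrelcart folder under $site_root" >&2; return 1; }
    [ -d "$source" ] || { echo "patch has no squirrelcart folder: $patch_dir" >&2; return 1; }

    backup="$site_root/squirrelcart-backup-$(date +%Y%m%d%H%M%S).tar"
    tar -cf "$backup" -C "$site_root" squirrelcart
    echo "backup written to $backup"

    # Copying the folder itself (not its contents) onto the parent is the
    # same as "upload the squirrelcart folder to htdocs/".
    cp -R "$source" "$site_root/"
    echo "patched files copied into $target"
}

# Print one MISMATCH line for every file in the patch whose copy on the site
# differs; after a successful overlay this prints nothing.
# Usage: verify_patch_overlay <site_root> <patch_dir>
verify_patch_overlay() {
    site_root=$1
    patch_dir=$2
    (cd "$patch_dir/squirrelcart" && find . -type f) | while read -r f; do
        cmp -s "$patch_dir/squirrelcart/$f" "$site_root/squirrelcart/$f" || echo "MISMATCH $f"
    done
}
```

Run `apply_patch_overlay htdocs /path/to/unpacked-patch` and then `verify_patch_overlay htdocs /path/to/unpacked-patch`; an empty verification result means every patched file is the one now being served.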

  5. #5
    Client
    Join Date
    Oct 2003
    Posts
    32
    Squirrelcart version
    not specified!

    Unable to create MySQL dump file.

    I've tried backing up my database to apply the patch but it keeps telling me:
    Unable to create MySQL dump file.
    What to do?
    I've backed up this database before without incident so I don't know what's going on.

  6. #6
    Squirrelcart Staff Jamie
    Join Date
    May 2002
    Posts
    6,719
    Squirrelcart version
    v3.3.7

    Hi,

    This patch is strictly files only, so you should be OK without a DB backup. You may be getting that error if PHP doesn't know the path to the mysqldump command. You can specify the path to it in the config.php file as $mysql_path, such as:

    $mysql_path = "/usr/local/bin/";

    You'd have to ask your webhost for the correct path. Also, please note that setting that variable will not work in any version other than 1.6.0.
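A way to work out the `$mysql_path` value before editing config.php, as an added shell example (not part of Squirrelcart). It assumes, as the post does, that the value is a directory containing the `mysqldump` binary, written with a trailing slash as in `"/usr/local/bin/"`; the functions `check_mysql_path` and `suggest_mysql_path` are hypothetical names. The first checks a directory the host named, the second falls back to whatever `mysqldump` is on the shell's PATH and prints the config.php line to paste.

```shell
#!/bin/sh
# Added example (not part of Squirrelcart): confirm where mysqldump lives
# before setting $mysql_path in config.php. The "Unable to create MySQL dump
# file" error in the thread is what you get when the path is wrong, so check
# it from the shell first.
set -eu

# Print the mysqldump binary found in a candidate directory, or fail.
# Usage: check_mysql_path <directory>
check_mysql_path() {
    dir=${1%/}                      # tolerate the trailing slash config.php uses
    if [ -x "$dir/mysqldump" ] && [ ! -d "$dir/mysqldump" ]; then
        echo "$dir/mysqldump"
        return 0
    fi
    echo "mysqldump is not executable in $dir" >&2
    return 1
}

# Print the config.php line for $mysql_path: the given directory if it holds
# mysqldump, otherwise the directory of the mysqldump found on PATH.
# Usage: suggest_mysql_path [candidate_directory]
suggest_mysql_path() {
    candidate=${1:-}
    bin=""
    if [ -n "$candidate" ]; then
        bin=$(check_mysql_path "$candidate" 2>/dev/null) || bin=""
    fi
    if [ -z "$bin" ]; then
        bin=$(command -v mysqldump 2>/dev/null) || bin=""
    fi
    if [ -z "$bin" ]; then
        echo "mysqldump not found; ask your webhost for its location" >&2
        return 1
    fi
    # Trailing slash matches the form shown in the thread.
    printf '$mysql_path = "%s/";\n' "$(dirname "$bin")"
}
```

Running `suggest_mysql_path /usr/local/bin` on a host where that directory holds mysqldump prints `$mysql_path = "/usr/local/bin/";`, which is exactly the line to put in config.php.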
