Brief
We have updated the following files for releases starting from 2.8.
items_properties.php
order_items_properties.php
shopping_cart.php
 
Description.
There was a critical bug with possibility to insert malicious code in SQL query and get access to your admin scripts.
 
In case attackers get access to your admin section the message like below can appear on your home page and other site pages:
Notice: Undefined index: aaa in /home/.../includes/common_functions.php(1183) : eval()'d code on line 2
and malicious code can appear in the Footer Body at Administration > Global Settings
 
Solution.
We would recommend you to download an updated version of the files from here for your release.
If you have a different version or patches doesn't work for you please contact our Support Team.
http://www.viart.com/downloads/includes-2.8.zip
http://www.viart.com/downloads/includes-3.0.1.zip
http://www.viart.com/downloads/includes-3.1.zip
http://www.viart.com/downloads/includes-3.2.zip
http://www.viart.com/downloads/includes-3.3.1.zip
http://www.viart.com/downloads/includes-3.3.2.zip
http://www.viart.com/downloads/includes-3.4.zip
http://www.viart.com/downloads/includes-3.4.2.zip
http://www.viart.com/downloads/includes-3.4.5.zip
http://www.viart.com/downloads/includes-3.4.7.zip
http://www.viart.com/downloads/includes-3.5.zip
 
Further, extract the above mentioned files into the 'includes' folder of your shop replacing existing ones. Don't forget to make backup copies of the current files in case something goes wrong.
 
Go to your Administration > System > Global Settings and uncheck all checkboxes for 'Allow to run PHP code in'. Check your 'Greetings / Introduction' and 'Footer body' for malicious php code and delete it (if there is any).
 
Change all your shop admin passwords. Do the same for your FTP accounts as well.
 
Also it's recommended to use MD5 encryption for your passwords but please note that an MD5 algorithm is a one-way encryption and it's impossible to decrypt passwords if you select this option.
Password Encryption can be changed via Administration > System > Global Settings.
 
Also it's recommended to rename a default 'admin' folder to a different name, like 'myAdminControl'.

I copied the new files to includes folder but when I went to my web site and click on a product, it gave me a db error message. I have to copy those old files back to make my site works again. I have unchecked all "allow to run php" in global setting though.

By the way, I'm running 3.4.7

I would like to thank Viart for these fixes. It was I who got hacked and Viart had this fixed within hours of notification today.
 
I urge everybody to install these fixes because it can happen to you.

Good work ViArt and on2dvd for alerting ViArt Support.
 
We all appreciate this fix.

Hello Tw,
 
We've re-checked a fix for version 3.4.7 from http://www.viart.com/downloads/includes-3.4.7.zip and can confirm that it should work ok.
 
If your problems persist, please send us your FTP details so we can investigate your issue.
 
Thanks,
Yoda

Just checking does the MD5 encryption affect both user and admin passwords or can you decide to encrypt admin ones but still have the option to view user ones.
 
Regards,
 
Dave

Sorry me again. If changing the name of admin folder is there somewhere I can advise the system of this change so all the links rvert to the correct address in admin?
 
Dave

Master Yoda,
 
Regarding unchecking 'Allow to run PHP code in' for 'Greetings / Introduction' and 'Footer body'.
 
Is it necessary to keep this unchecked for ongoing security assurance?
 
Also, what about 'Custom Blocks' and 'Custom Pages'?

Hello Five5, Dave,
  
The most important thing here is to check whether you have any malicious code in the places where a PHP code can be run, like 'Greetings / Introduction' and 'Footer body'. We found that attackers in all cases use 'Footer body' and add their codes there to have a full control over your site. In case you need the possibility to run a PHP code then for sure you can use this option. However, firstly ensure that your PHP code is available and not an alien one.
  
At present this option affected both admin and users passwords.
  
It shouldn't be a problem if you change your folder name to anything else than 'admin' and you always have an option to change it back.
 
Thanks,
Yoda

I was hacked yesterday.

Hi!
When I change, the admin folder name, the admin menu items links are breaked. How to change the settings so all the admin links can work correctly?
 
Thank you

Yes, I attempted this change as well, and changing the folder breaks the links.

Yep, changing folder name breaks the links for some sites.
 
I think this only happens if you have added multi site and only the second site is affected not the first. I have changed the name anyway until this has settled down just for now as you never if somebody dodgy has read the security email yesterday. A bit tiresome but you can always manually type the new address in should you need admin access to th second site. I presume changes will need to be made so that admin folder can be changed for all sites ensuring all links work. e.g /newfolder/adminpage.php rather than url/newfolder/adminpage.php
 
Only guessing though as not a techie to be honest !

Yes, when I went to multi sites I found that I needed the same named folder in each site for my admin files.
 
Each admin works independently and the main admin appears to want each other site to be likewise named.
 
Chris

Hello,
 
Usually, changing the folder name shouldn't bring customers any problems, but in case you have any broken links or other problems with your admin scripts please send us your site FTP/admin details so our support team can check and fix this issue.
 
Thanks,
Yoda

The admin folder name should be a setting in the general options so that the links (which are hard coded to /admin/ are changed accordingly.
 
We updated the patched files to our shop (not hacked) and all seems to work well. We did not rename the admin dir as it provides too many issues with broken links in admin console.
 
Hope with this patch we are OK now.
 
Cheers!
 
DickS

After new fix, firefox doesn't store cookies correctly. Loses login information

Did someone change the admin folder name with success? If yes, what are the steps? Thank you in advance.
 
Also I want to let Viart Support team to know that serious company will not share admin information or ftp information with them because of some sensible information. So they have to find a way to fix issues without asking login information.
 
Cheers!

My admin folder has always been named something else as I guessed it wasn't wise to be called admin
 
All I did was rename it and then instead of browsing for www.mydomain.com/admin, I call it up with www.mydomain.com/something_else
 
I've never had a problem with my admin being something_else

PS: I don't use multi-site

Hello Dan and Minista,
 
Please, find below our answers:
  
Actually, a new fix doesn't relate to cookies and session; therefore we think that it is unlikely that it somehow affects cookies.
  
We do not oblige our clients to send the Admin/FTP login, however if we have valid access, we'll able to find and fix the problem faster. In addition, you can create temporary login data for us to check and remove the data when the problem is fixed or the answer is received. Usually, there are quite a lot of various server configurations which can be found and corrected only if we have necessary data from you and of course it will simplify the process.
 
With kind regards,
ViArt Support Team
 
 
 

With regard to the folder name change. I was logged in to admin, made the folder name change and the links didn't work. However after logging out of admin and then logging back in the all admin links updated to the new folder name.
 
Hope this helps

Thanks Freezer. Your solution works.
 
Regards

anyone having problems with option prices not showing in cart after this fix or is it just me
Version 3.5

I uploaded the files and changed my admin password b ut find, when starting my site, that sometimes it tries loading pinoc.com and hangs.
 
I have put in a ticket for help but others may want to know this and watch for it.