ViArt Team (Guest)
Brief.
We have slightly modified the following scripts after release 3.3.2 has been issued:
site_map.php
blocks/block_site_map.php
 
Description.
You may experience a hack attempt if the below settings are specified in the php.ini file:
register_globals = On
Also we've added support for friendly URLs in Site Map block. Friendly URLs settings can be found in Admin Panel in System > Global Settings section.
 
Solution.
We would highly recommend downloading an updated version of the files from here: http://www.viart.com/downloads/site_map-3.3.2.zip
 
Further, extract the above mentioned files into the root folder of your shop replacing existing ones. Don't forget to make backup copies of the current files in case something goes wrong.
 
In addition, we can advise you to check register_globals setting in php.ini and set it to "Off" (if your software allows you to do that).
Last modified: 19 Dec 2007 10:03 PM
 
8thSinCoffee
Is this a problem in 3.2 as well?
 
emresonmez
Where is the php.ini located in the software?
 
SajMalik
Sorry that I am not really savvy in this area
My php.ini does not have the line register_globals =
Should I still append the line:
register_globals = Off ?
 
Chris
 
Anjula
Hello,
 
The php.ini file is usually located on your server. In case you do not have access to this file, then it is enough to download the patch and replace your current files with the new ones.
 
Please, also note that this patch is valid only for version 3.3 and higher. Older versions do not have this vulnerability.
 
With kind regards,
ViArt Support Team
 
Ibn Saeed
You would have to ask your host for the changes in register_globals.
 
Ned
Clicking on Eugene's link at the top of this thread redirects me to http://www.viart.com/friendly_url.php although the page source in Firefox shows me that the link above is indeed pointing to the zip file. So it looks like the redirection is broken.
 
Eugene (Guest)
Thanks for reporting a problem. We have fixed the download link.
 
Eugene (Guest)
Hi all,
 
We have updated the site_map-3.3.2.zip package, and it includes updated block_site_map.php. This script now supports friendly URLs settings that can be set via Admin Panel in System > Global Settings.
 
WBR,
ViArt Support team
 
ansuk
Fantastic news Eugene Yahoo!
 
Ibn Saeed
Excellent
 
Thanks for the quick fix.
 
RogerS (Guest)
I had just implemented the sitemap, but was shocked to see the non-friendly URLs. Searched this forum, installed the patch - it worked like a dream!
Good
 
freezer (Guest)
The server I run another site on needs the globals on due to old coding.
 
Would it be feasible, to eliminate the risk mentioned, to add the following line to a .htaccess file?
 
php_value register_globals 0
 
Just for this domain
 
Regards,
 
Dave
 
eugene
Hi, freezer
 
Yes, you can try this method for turning off register_globals.
However, it's not obligatory after installing the fix for the Site Map block.
 
WBR,
ViArt Support Team
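
The two configuration questions in this thread (a php.ini with no register_globals line, and a per-domain .htaccess override) can be checked with the sketch below, which is an added example and not ViArt's code. It assumes Apache running PHP as a module with overrides allowed, a PHP release from 4.2.0 up to 5.3 (where an unset register_globals defaults to Off), and one php.ini plus one .htaccess; all sample file contents and function names are constructed for illustration.

```python
import re

TRUE_WORDS = {"1", "on", "yes", "true"}
DEFAULT = False  # assumption: PHP >= 4.2.0, where an unset register_globals is Off

def _as_bool(raw):
    """Interpret a value the way PHP reads a boolean ini setting."""
    value = raw.strip().strip("\"'").lower()
    if value in TRUE_WORDS:
        return True
    m = re.match(r"-?\d+", value)          # otherwise any non-zero integer is true
    return bool(m) and int(m.group()) != 0

def from_php_ini(text):
    """Last register_globals value set in php.ini text, or None if absent."""
    found = None
    for line in text.splitlines():
        line = line.split(";", 1)[0]       # ';' starts a comment in php.ini
        m = re.match(r"\s*register_globals\s*=\s*(.*)$", line)
        if m:
            found = _as_bool(m.group(1))
    return found

def from_htaccess(text):
    """Last php_flag/php_value register_globals in .htaccess text, or None."""
    found = None
    pattern = r"\s*(?i:php_(flag|value))\s+register_globals\s+(\S+)"
    for line in text.splitlines():
        m = re.match(pattern, line.split("#", 1)[0])
        if not m:
            continue
        if m.group(1).lower() == "flag":   # php_flag only accepts On or 1 as true
            found = m.group(2).lower() in ("on", "1")
        else:
            found = _as_bool(m.group(2))
    return found

def effective(php_ini, htaccess=""):
    """.htaccess overrides php.ini; unset in both means the default."""
    for value in (from_htaccess(htaccess), from_php_ini(php_ini)):
        if value is not None:
            return value
    return DEFAULT

# Constructed samples, not taken from any real server.
SHARED_INI = "; host-wide php.ini\nregister_globals = On\n"
NO_LINE_INI = "; php.ini without the directive\nshort_open_tag = On\n"
SHOP_HTACCESS = "# shop domain only\nphp_value register_globals 0\n"

if __name__ == "__main__":
    print("no line in php.ini  ->", effective(NO_LINE_INI))
    print("host ini + htaccess ->", effective(SHARED_INI, SHOP_HTACCESS))
```

The value PHP actually applies is best confirmed on the server itself, for example from the register_globals row in phpinfo() output, since host-level settings outside these two files can also apply.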