osCommerce
Heartbleed bug + 2012 fix applied in Paypal Checkout Confirmation


Biancoblu

Just a thought, due to the recent Heartbleed Bug it may be wise, for those that applied the excellent 2012 fix provided by @Mort-lemur in this thread regarding PayPal checkout confirmation, to update their OpenSSL certificate.

However I read that the OpenSSL 0.9.8 branch, which was used in the fix provided by Heather, should NOT be vulnerable.

I don't know if PayPal checkout confirmation is still an issue in the newest Osc version, but for older versions it might be useful to consider.

You can also check your server for vulnerability with these tools: http://filippo.io/Heartbleed/ and http://possible.lv/tools/hb/

Please note that this is not an osCommerce bug, but is a bug in the server software being used by your host.

To check which version of OpenSSL is being used, go:

admin > tools > server info

This brings up a large page which has a lot of information about your site and server. Scroll down until you find: "SSL Version"

Here you will see the exact version installed on the server. As far as I am aware versions of OpenSSL from 1.0.1 to 1.0.1f (inclusive) are problematic. If your server info page reports you as using one of these, you need to contact your host to ascertain if it has been patched or not.

Just to expand on the above.

What versions of OpenSSL are affected?

Status of different versions:

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable

Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.

On one of my sites it shows:

OpenSSL Version  OpenSSL 1.0.0-fips 29 Mar 2010

So in this case it is not using one of the vulnerable versions so nothing to do.

If it was OpenSSL 1.0.1 through 1.0.1f (inclusive) I would be on the phone to my hosts.

HTH

G

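The check the two posts above describe (read the OpenSSL version line off admin > tools > server info, then compare it with the status list) written out as a small script. This is an added example, not osCommerce code and not any poster's; the version strings it is fed are constructed, the server-info page text is a made-up stand-in for the real page, and the "OpenSSL Version" label is taken from the line quoted above. A hit in the 1.0.1 to 1.0.1f range is reported as "in the vulnerable range" rather than "vulnerable" for the reason the second post gives: hosts and distributions that backport the fix keep the old version number, so only the host can confirm whether the build is patched.

```python
import re

# Heartbleed status by OpenSSL version, taken from the list in the thread:
# 1.0.1 through 1.0.1f vulnerable; 1.0.1g, the 1.0.0 branch and the
# 0.9.8 branch not vulnerable. Anything else is reported as not listed.
VULNERABLE_RANGE = "VULNERABLE_RANGE"
NOT_VULNERABLE = "NOT_VULNERABLE"
NOT_LISTED = "NOT_LISTED"
UNPARSEABLE = "UNPARSEABLE"

# Matches strings such as "OpenSSL 1.0.1e-fips 11 Feb 2013" or
# "OpenSSL 1.0.0-fips 29 Mar 2010": major.minor.patch plus an optional letter.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-zA-Z]?)")


def parse_version(text):
    """Return (major, minor, patch, letter) from an OpenSSL version string, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4).lower())


def heartbleed_status(text):
    """Classify a version string against the thread's list of affected versions.

    A result of VULNERABLE_RANGE means "ask the host": builds with a backported
    fix keep the old version number, so the string alone cannot prove the
    build is unpatched.
    """
    v = parse_version(text)
    if v is None:
        return UNPARSEABLE
    major, minor, patch, letter = v
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 (no letter) and 1.0.1a..1.0.1f are affected; 1.0.1g and later are fixed
        if letter in ("", "a", "b", "c", "d", "e", "f"):
            return VULNERABLE_RANGE
        return NOT_VULNERABLE
    if (major, minor, patch) in ((1, 0, 0), (0, 9, 8)):
        return NOT_VULNERABLE
    return NOT_LISTED


def ssl_version_from_server_info(page_text):
    """Pull the value of the 'OpenSSL Version' line out of server-info page text.

    Assumed layout: a line that starts with 'OpenSSL Version' followed by the value,
    as in the line quoted in the thread.
    """
    label = "OpenSSL Version"
    for line in page_text.splitlines():
        stripped = line.strip()
        if stripped.startswith(label):
            return stripped[len(label):].strip()
    return None


# Constructed stand-in for the admin > tools > server info page (not real output).
SAMPLE_SERVER_INFO = """\
PHP Version  5.3.3
OpenSSL Version  OpenSSL 1.0.1e-fips 11 Feb 2013
Server API  Apache 2.0 Handler
"""

if __name__ == "__main__":
    value = ssl_version_from_server_info(SAMPLE_SERVER_INFO)
    print(value, "->", heartbleed_status(value))
    # A few more constructed strings covering each branch in the thread's list
    for s in ("OpenSSL 1.0.0-fips 29 Mar 2010",
              "OpenSSL 1.0.1g 7 Apr 2014",
              "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008"):
        print(s, "->", heartbleed_status(s))
```

Versions the thread does not list (for example anything on a 1.0.2 or later line) come back as NOT_LISTED rather than being guessed at, so the script never reports a version as safe on its own authority.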
