MrPhil

jQuery vulnerability -- upgrade needed


jQuery has a (recently patched) vulnerability to "prototype pollution" attacks, which can be used to escalate authority of hackers and do nasty things.

Article: https://www.zdnet.com/article/popular-jquery-javascript-library-impacted-by-prototype-pollution-flaw/

Quote

Tal, who worked with the Node.js team to report the bug to the jQuery team, recommends that web developers update their projects to the latest jQuery version, v3.4.0.

Today, most websites are still using the 1.x and 2.x branches of the jQuery library, which means that the vast majority of jQuery-based apps and websites are still open to attacks.

The article goes on to note that there have been some API changes since v1 and v2, so upgrading jQuery is more than just dropping in a new library.


If you are running the "official" osC 2.3.4 or 2.3.4.1 download, your installation is obsolete! Get (stable) Frozenpatches or (unstable) Edge. See also the naming convention and the latest community-supported responsive "Edge" release


Note that CE has been on the 3.x jQuery for over 2.5 years.

CE is presently on 3.3.1 (Edge) and 3.1.1 (Frozen); an easy way to check external libraries is the Wiki:

https://github.com/gburton/Responsive-osCommerce/wiki/External-Libraries


This is a signature that appears on all my posts.  
IF YOU MAKE A POST REQUESTING HELP...please state the exact version
of osCommerce that you are using. THANKS

 
Get the latest Responsive osCommerce CE (community edition) here

6 minutes ago, burt said:

Note that CE has been on the 3.x jQuery for over 2.5 years.

CE is presently on 3.3.1 (Edge) and 3.1.1 (Frozen); an easy way to check external libraries is the Wiki:

https://github.com/gburton/Responsive-osCommerce/wiki/External-Libraries

Not in the admin, still on the 2.x branch; UI is also out of date now at 1.12.1:

jquery-2.2.3.min.js

jquery-ui-1.10.4.min.js

Edited by puddlec


Just had a quick look to see what I could see in terms of jQuery.

Also seen references to the 1.x branch:

document.write('<scr' + 'ipt src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></scr' + 'ipt>');

was found in admin/paypal.php

admin/orders.php

admin/includes/modules/dashboards/d_paypal_app.php

catalog/includes/modules/payment/paypal_pro_dp.php

catalog/includes/modules/payment/paypal_pro_hs.php

jQuery 2.x in

admin/includes/template_top

jQuery 3.x in

catalog/includes/template_bottom.php

That covers all the references to jQuery that I have found (based on the latest version of Edge).

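The audit above was done by hand; the script below does the same walk over a checkout and flags every core jQuery reference older than the 3.4.0 release named earlier in the thread. It is an added example, not osCommerce code: the file contents in SAMPLE_FILES are constructed stand-ins for the files listed above, and jQuery UI is deliberately left out because it is a separate library.

```python
import re
from pathlib import Path

# jQuery 3.4.0 is the release the thread names as carrying the $.extend fix.
FIXED_VERSION = (3, 4, 0)

# Two reference styles found in the tree: a local file such as jquery-2.2.3.min.js and a
# CDN path such as ajax/libs/jquery/1.11.1/jquery.min.js. jquery-ui-*.js is a different library.
JQUERY_REF = re.compile(
    r"jquery-(\d+)\.(\d+)\.(\d+)(?:\.min)?\.js"
    r"|ajax/libs/jquery/(\d+)\.(\d+)\.(\d+)/jquery(?:\.min)?\.js"
)

# Constructed stand-ins for the files listed above; not real osCommerce source.
SAMPLE_FILES = {
    "admin/paypal.php": "document.write('<scr' + 'ipt src=\"https://ajax.googleapis.com"
                        "/ajax/libs/jquery/1.11.1/jquery.min.js\"></scr' + 'ipt>');",
    "admin/includes/template_top.php": '<script src="ext/jquery/jquery-2.2.3.min.js"></script>'
                                       '<script src="ext/jquery/ui/jquery-ui-1.10.4.min.js"></script>',
    "catalog/includes/template_bottom.php": '<script src="ext/jquery/jquery-3.3.1.min.js"></script>',
}

def find_jquery_versions(text):
    """Return every core-jQuery version referenced in text as a (major, minor, patch) tuple."""
    versions = []
    for m in JQUERY_REF.finditer(text):
        parts = m.group(1, 2, 3) if m.group(1) is not None else m.group(4, 5, 6)
        versions.append(tuple(int(p) for p in parts))
    return versions

def is_outdated(version, fixed=FIXED_VERSION):
    """True when the release predates the fix. A backported patch keeps the old version
    string, so a hit is a lead to inspect the file, not proof that it is vulnerable."""
    return version < fixed

def scan_files(files):
    """Map each path to the pre-fix jQuery versions it references; clean files are omitted."""
    findings = {}
    for path, text in files.items():
        old = [".".join(map(str, v)) for v in find_jquery_versions(text) if is_outdated(v)]
        if old:
            findings[path] = old
    return findings

def scan_tree(root, suffixes=(".php", ".html", ".js")):
    """Read a checkout from disk and scan it, keying results by path relative to root."""
    root = Path(root)
    files = {str(p.relative_to(root)): p.read_text(errors="replace")
             for p in root.rglob("*") if p.is_file() and p.suffix in suffixes}
    return scan_files(files)
```

Run `scan_tree("/path/to/checkout")` against a real tree; note that 3.3.1 on Edge is flagged as well, since it predates 3.4.0.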
Quote

Taking into account that there's some syntax breakage between the three major versions and that web developers would rather throw acid on their face than re-write their frontends, most websites are bound to continue to use older versions for the foreseeable future.

Fortunately, the patch has been backported to previous releases.

https://github.com/DanielRuf/snyk-js-jquery-174006

3 hours ago, puddlec said:

Not in the admin, still on the 2.x branch; UI is also out of date now at 1.12.1:

jquery-2.2.3.min.js

jquery-ui-1.10.4.min.js

Admin side is not started. 

Waiting on more support from individuals and companies using osCommerce, in order to march forward.

