MrPhil

jQuery vulnerability -- upgrade needed


jQuery has a (recently patched) vulnerability to "prototype pollution" attacks, which can be used to escalate authority of hackers and do nasty things.

Article: https://www.zdnet.com/article/popular-jquery-javascript-library-impacted-by-prototype-pollution-flaw/

Quote

Tal, who worked with the Node.js team to report the bug to the jQuery team, recommends that web developers update their projects to the latest jQuery version, v3.4.0.

Today, most websites are still using the 1.x and 2.x branches of the jQuery library, which means that the vast majority of jQuery-based apps and websites are still open to attacks.

The article goes on to note that there have been some API changes since v1 and v2, so upgrading jQuery is more than just dropping in a new library.

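The bug the article calls "prototype pollution" comes from a deep merge that follows the `__proto__` key into `Object.prototype`. The snippet below is an added example written for this thread, not jQuery's source: it shows a minimal recursive merge of the kind `$.extend(true, ...)` performs, first without a guard (the pre-3.4.0 behaviour) and then with the `__proto__` check that the 3.4.0 fix introduced, together with a check that reports whether `Object.prototype` picked up an injected key. The names `naiveDeepMerge`, `safeDeepMerge`, `mergeThenCheck` and the `UNTRUSTED_JSON` sample are constructed for illustration.

```javascript
// Added example for this thread, not jQuery's source. A minimal recursive merge of the
// kind $.extend(true, ...) performs, first as it behaved before jQuery 3.4.0 (every own
// key of the source is copied, "__proto__" included) and then with the guard the 3.4.0
// fix introduced. Names (naiveDeepMerge, safeDeepMerge, mergeThenCheck, UNTRUSTED_JSON)
// are constructed for illustration.

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Vulnerable pattern: target["__proto__"] resolves to Object.prototype, so the merge
// recurses into it and the source's nested keys land on every object in the program.
function naiveDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened form: identical except that keys which can reach a prototype are skipped.
// Skipping "__proto__" is what jQuery 3.4.0 added to $.extend; "constructor" and
// "prototype" close the same door for merges that also copy functions.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      safeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Settings arriving from an untrusted source (query string, stored preference blob,
// API body). Constructed for this example. JSON.parse is used deliberately: a literal
// {"__proto__": ...} in source code would set the prototype instead of an own key.
const UNTRUSTED_JSON = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// Merge the untrusted settings with the given merge function, report whether
// Object.prototype gained the injected key, then undo any damage so the rest of the
// program is unaffected.
function mergeThenCheck(mergeFn) {
  const settings = mergeFn({ theme: 'light' }, JSON.parse(UNTRUSTED_JSON));
  const polluted = Object.prototype.hasOwnProperty.call(Object.prototype, 'isAdmin');
  delete Object.prototype.isAdmin;
  return { theme: settings.theme, prototypePolluted: polluted };
}

console.log('unguarded merge (pre-3.4.0 style):', mergeThenCheck(naiveDeepMerge));
console.log('guarded merge (3.4.0 style):      ', mergeThenCheck(safeDeepMerge));
```

Both merges return `theme: 'dark'`; only the unguarded one reports `prototypePolluted: true`. The same check, run in a browser console against the `$.extend` a store actually ships, is a quick way to confirm the bundled copy carries the fix rather than trusting the version string in a file name. Freezing `Object.prototype` is a further mitigation, but it breaks any library that legitimately extends it, so test before relying on it.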

Note that CE has been on the 3.x jQuery for over 2.5 years.

CE is presently on 3.3.1 (edge) and 3.1.1 (frozen); an easy way to check external libraries is on the Wiki:

https://github.com/gburton/Responsive-osCommerce/wiki/External-Libraries


This is a signature that appears on all my posts.  
IF YOU MAKE A POST REQUESTING HELP...please state the exact version
of osCommerce that you are using. THANKS

 
Get the latest Responsive osCommerce CE (community edition) here

6 minutes ago, burt said:

Note that CE has been on the 3.x jQuery for over 2.5 years.

CE is presently on 3.3.1 (edge) and 3.1.1 (frozen); an easy way to check external libraries is on the Wiki:

https://github.com/gburton/Responsive-osCommerce/wiki/External-Libraries

Not in the admin, still on the 2.x branch; UI is also out of date now at 1.12.1

jquery-2.2.3.min.js

jquery-ui-1.10.4.min.js

Edited by puddlec

App created for phoenix
TinyMCE editor for admin

 


Just had a quick look to see what I could see in terms of jQuery.

Also saw references to the 1.x branch:

  document.write('<scr' + 'ipt src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></scr' + 'ipt>');

was found in admin/paypal.php

admin/orders.php

admin/includes/modules/dashboards/d_paypal_app.php

catalog/includes/modules/payment/paypal_pro_dp.php

catalog/includes/modules/payment/paypal_pro_hs.php

 

jquery 2.x in

admin/includes/template_top 

 

jquery 3.x in

catalog/includes/template_bottom.php

 

That covers all the references to jQuery that I have found (based on the latest version of edge).


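The survey above was done by hand. The script below is an added example, not code from the thread or from osCommerce: it runs the same kind of grep over a source tree, picks up both local bundles (`jquery-2.2.3.min.js`) and CDN loads (`/jquery/1.11.1/jquery.min.js`), and flags every reference below 3.4.0, the first release with the prototype pollution fix. The sample tree it builds reuses the file names mentioned in the thread but its contents are constructed, and the function names (`list_jquery_refs`, `find_old_jquery`, `count_old_jquery`) are assumptions for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from osCommerce: inventory every jQuery
# reference under a directory and flag versions older than 3.4.0, the first release
# carrying the prototype pollution fix. Function names are constructed for this example.
set -eu

# Print one "path:version" line per distinct jQuery reference under DIR.
# Matches local bundles (jquery-2.2.3.min.js) and CDN URLs (/jquery/1.11.1/jquery.min.js).
# jQuery UI bundles (jquery-ui-1.10.4) are a different library and do not match.
list_jquery_refs() {
    dir=$1
    grep -rEo 'jquery[-/][0-9]+\.[0-9]+\.[0-9]+' "$dir" 2>/dev/null \
        | sed -E 's#jquery[-/]##' | sort -u || true
}

# Print the references whose version is below MINVER (default 3.4.0).
# Versions are compared numerically per component, so 1.11.1 sorts below 1.9.0 correctly.
find_old_jquery() {
    dir=$1
    minver=${2:-3.4.0}
    list_jquery_refs "$dir" | awk -F: -v min="$minver" '
        function num(v,  a) { split(v, a, "."); return a[1] * 1000000 + a[2] * 1000 + a[3] }
        num($NF) < num(min) { print }'
}

# Number of outdated references, handy as a CI gate or a one-line health check.
count_old_jquery() {
    find_old_jquery "$1" "${2:-3.4.0}" | awk 'END { print NR }'
}

# --- constructed sample tree, file names borrowed from the thread, contents made up ---
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/admin/includes" "$SAMPLE_DIR/catalog/includes"
cat > "$SAMPLE_DIR/admin/paypal.php" <<'EOF'
// constructed: a CDN load of the 1.x branch, as found in the admin PayPal pages
document.write('<scr' + 'ipt src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></scr' + 'ipt>');
EOF
cat > "$SAMPLE_DIR/admin/includes/template_top.php" <<'EOF'
<script src="ext/jquery/jquery-2.2.3.min.js"></script>
<script src="ext/jquery/jquery-ui-1.10.4.min.js"></script>
EOF
cat > "$SAMPLE_DIR/catalog/includes/template_bottom.php" <<'EOF'
<script src="ext/jquery/jquery-3.3.1.min.js"></script>
EOF
cat > "$SAMPLE_DIR/catalog/includes/template_new.php" <<'EOF'
<script src="ext/jquery/jquery-3.4.1.min.js"></script>
EOF

echo "jQuery references below 3.4.0 under $SAMPLE_DIR:"
find_old_jquery "$SAMPLE_DIR"
```

Against the sample tree the script lists the 1.11.1 CDN load, the 2.2.3 admin bundle and the 3.3.1 catalog bundle and stays silent about 3.4.1. Pointed at a real checkout it gives the same kind of list in one command; it only sees version numbers that appear in file names or URLs, so a copy renamed to plain `jquery.min.js` still needs a look at the version banner inside the file.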
Quote

Taking into account that there's some syntax breakage between the three major versions and that web developers would rather throw acid on their face than re-write their frontends, most websites are bound to continue to use older versions for the foreseeable future.

Fortunately, the patch has been backported to previous releases.

https://github.com/DanielRuf/snyk-js-jquery-174006


 

 

3 hours ago, puddlec said:

Not in the admin, still on the 2.x branch; UI is also out of date now at 1.12.1

jquery-2.2.3.min.js

jquery-ui-1.10.4.min.js

Admin side is not started. 

Waiting on more support from individuals and companies using osCommerce, in order to march forward.


On 4/25/2019 at 3:17 PM, burt said:

Note that CE has been on the 3.x jQuery for over 2.5 years.

CE is presently on 3.3.1 (edge) and 3.1.1 (frozen); an easy way to check external libraries is on the Wiki:

https://github.com/gburton/Responsive-osCommerce/wiki/External-Libraries

Hi Burt,

I have an old 2.3.4 version (always under jquery-2.2.3) and when I try to update to jquery-3.4.x, I have issues with:
- data-toggle="dropdown"
- data-toggle="tab"
- modal cart module
- etc.

What changes need to be made to be in line with the new version of jQuery?
Is it necessary to update the Bootstrap version too to make the new jQuery version work, or is there no consequence?

Thank you for your time.

Edited by milerwan

Osc v2.3.4 BS "custom"
PHP 7.3 compatible (710 modified files => o_O')


@milerwan I do not recall any issues like that, sorry.  Maybe you can update to Phoenix? 

And get rid of all the sliders on your home page, I have a headache now :D 



I have BS Edge running on PHP 7.2 and decided to try updating the jQuery version from 3.1.1 to 3.4.1 on the catalog side.

I cannot see any issues at this point. The checkout seems to work fine and nothing seems to be off.

Is there anything in particular I should be looking for? Nothing seems to be breaking the site or causing problems.

And, are there any other changes I need to make, other than adding the new jQuery 3.4.1 file to /ext/jquery/ folder and changing the call for that file in /includes/template_top.php?

 


osCommerce: made for programmers, ...because store owners do not want to be programmers.

https://trends.google.com/trends/explore?date=all&geo=US&q=oscommerce


Hi Phil,

Quote

The article goes on to note that there have been some API changes since v1 and v2, so upgrading jQuery is more than just dropping in a new library.

What API changes are there? As I mentioned in the post above, I installed the latest jQuery v3.4.1 and everything is running smooth. Are there any other changes I need to make?


