Early this morning, at approximately 9:45 AM GMT, Devellion released a security patch for CubeCart V4. The patch prevents a malicious user from initiating a Cross Site Scripting attack. The patch only affects a single file. We recommend that you apply the patch immediately. The patch will not affect our skins in any way.

Procedure

1. Open: ini.inc.php (found in your store’s root directory).
2. Find:
    function safety($val) {
        ## strip null bytes
        $val = str_replace("\0", '', $val);
        ## add slashes if magic quotes is off
        $val = (!get_magic_quotes_gpc()) ? addslashes($val) : $val;
        //return htmlspecialchars(strip_tags($val), ENT_NOQUOTES);
        return $val;
    }
3. Replace With:
    function safety($val) {
        return filter_var($val, FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES);
    }
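To confirm the edit took on a given store, here is an added verification helper (not part of Devellion's notice or the CubeCart code base) that reports whether a copy of ini.inc.php carries the patched safety() body from step 3 or still the old one from step 2. It assumes the path to ini.inc.php is passed as the first argument and matches the exact filter_var() call shown above.

```shell
#!/bin/sh
# Added verification helper, not part of Devellion's notice or the CubeCart code base.
# Checks whether a CubeCart V4 ini.inc.php already carries the patched safety() body.
# Assumption: the path to ini.inc.php is passed as the first argument.

PATCHED_CALL='filter_var($val, FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES)'
OLD_CALL='addslashes($val)'

# Exit status: 0 = patched, 1 = old unpatched safety(), 2 = file unreadable,
# 3 = no recognisable safety() (wrong file, or a layout this check does not know).
cubecart_safety_patched() {
    file="$1"
    [ -r "$file" ] || return 2
    grep -qF 'function safety($val)' "$file" || return 3
    if grep -qF "$PATCHED_CALL" "$file"; then
        return 0
    elif grep -qF "$OLD_CALL" "$file"; then
        return 1
    fi
    return 3
}

# Human-readable wrapper for running by hand: sh check.sh /path/to/store/ini.inc.php
report_safety_status() {
    rc=0
    cubecart_safety_patched "$1" || rc=$?
    case $rc in
        0) echo "$1: patched (V4.3.1-pl1 safety body present)" ;;
        1) echo "$1: NOT patched, old safety() body still in place" ;;
        2) echo "$1: cannot read file" ;;
        *) echo "$1: safety() not found, check that this is the store root ini.inc.php" ;;
    esac
}
```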

Who’s Affected?

If you are using any release of CubeCart V4 (inc. V4.3.1) prior to V4.3.1-pl1 (released today), you should apply the patch above. Please note that you do not need to update to CubeCart V4.3.1-pl1 if you apply the patch above. If you have any questions, please open a support ticket via our Help Desk.