ViArt Team (Guest)
Brief.
We made a fix to ideal_process.php after release 3.3 beta was issued.
 
Description.
There was a vulnerability that allowed a site visitor to learn the paths to the merchant's certificates and private key for the iDEAL payment gateway.
All releases, including 3.3 beta, are vulnerable. Version 3.3, which will be released after this post is published, already has this script fixed.
 
Solution.
Please download the updated version of the file from here:
http://www.viart.com/downloads/ideal_process-3.3.zip
Then extract the files into the 'payments' folder of your shop, replacing the existing one.
Don't forget to make a backup copy of the existing file in case something goes wrong.
Last modified: 8 Oct 2007 8:00 PM
 
splatcat
I am using version 3.2, can this fix be used for that?
 
Eugene (Guest)
Hi,
 
The iDEAL process script fix can be applied to releases 3.2 and 3.3 beta smoothly.
For all other older releases it may work too, but you should thoroughly test it before using it in live mode.
 
WBR,
ViArt Support Team
 
SajMalik
Hello Eugene
 
Forgive my ignorance - I am a marketing person and not as experienced in this area as many users.
 
I have two questions:
 
1: If I do not [ever] propose to use iDEAL for checkout I presume I can simply delete it?
 
2: Is this how the hacker inserts the code and will deleting this file, therefore, solve the problem for me?
 
Thanks, Chris
 
Eugene (Guest)
Hi,
 
Here are some more clarifications.
 
The fix of payments/ideal_process.php was issued to prevent the iDEAL payment module from compromising the iDEAL merchant's certificates and key if they are accessible via the HTTP protocol. It doesn't give an opportunity to upload malicious code to your web site.

So the answers to your questions are:
1. If you don't expect to use any payment, shipping or some other module you can just remove it from the web server.
2. The script ideal_process.php doesn't allow a hacker to insert code, so removing the script won't affect your problem in any case.
 
WBR,
ViArt Support Team
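
Added example, not part of the thread and not ViArt code: the exposure described above only matters if the certificate and key files can be fetched over HTTP, so this check reports any configured key or certificate path that resolves inside the web document root or is world-readable. The function name, the `htdocs`/`private` layout and the `merchant.key` file name are assumptions made for the demonstration; pass your own document root and paths.

```python
import os
import stat
import tempfile

def audit_key_paths(docroot, key_paths):
    """Return (path, problem) findings for key/certificate files.

    docroot and key_paths are supplied by the caller (assumed inputs);
    nothing is read from the shop's own configuration.
    """
    root = os.path.realpath(docroot)
    findings = []
    for path in key_paths:
        # Relative paths are resolved against the document root, and
        # symlinks are followed so a file is judged by where it really lives.
        real = os.path.realpath(os.path.join(root, path))
        if not os.path.isfile(real):
            findings.append((path, "missing"))
            continue
        if os.path.commonpath([root, real]) == root:
            findings.append((path, "inside document root"))
        # POSIX permission bit: any local account can read the file.
        if os.stat(real).st_mode & stat.S_IROTH:
            findings.append((path, "world-readable"))
    return findings

def demo():
    """Build a constructed shop layout in a temp directory and audit it."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "htdocs")
    private = os.path.join(base, "private")
    os.makedirs(os.path.join(docroot, "payments"))
    os.makedirs(private)
    exposed = os.path.join(docroot, "payments", "merchant.key")
    safe = os.path.join(private, "merchant.key")
    for name, mode in ((exposed, 0o644), (safe, 0o600)):
        with open(name, "w") as fh:
            fh.write("constructed placeholder, not a real key\n")
        os.chmod(name, mode)
    return audit_key_paths(docroot, ["payments/merchant.key", safe])

if __name__ == "__main__":
    for path, problem in demo():
        print(f"{path}: {problem}")
```

A file flagged as inside the document root should be moved outside it, or blocked by the web server, in addition to applying the script fix.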