The Official Website of AgoraCart and Agora.cgi
AgoraCart Security Updates
Debug Mode Vulnerabilities
Last update: December 29, 2002

Stores using the 4.0K Public Release and above do not have to worry about this issue unless they manually activate it within the code: 4.0K Public Releases have this feature removed from the Store Manager area.

Stores running in debug mode print error messages to the web browser in addition to the log files. Some of these error messages give a would-be attacker clues about the store's internals. Do not run a live store in debug mode. The manager's main store settings page already says not to run the store in debug mode, so this should come as no surprise to anyone running an agora.cgi store.



Security Update
For Versions 3.0a through 4.0g
Last Update: Feb 1, 2002


security_01242002.pl

This is a highly recommended security update. It puts the store in 'paranoia' mode: a variety of characters are filtered out of incoming input to prevent potential problems. The Cross-Site Scripting vulnerability demonstrations (erroneously described as running on 3.x stores) do not work with this patch installed. The published cross-site scripting information about agora.cgi contains a lot of incorrect information, and only a handful of 4.0x versions were affected, and only in debug mode, but that does not mean this patch is unnecessary. It should be installed on all sites running versions prior to 4.0h; it has recently been updated to handle options properly.

It is not designed to fix any specific known issue with live stores running in standard (non-debug) mode, other than turning off the versions command in non-debug mode. Because a variety of attacks have been attempted across the World Wide Web, however, this library is a very prudent measure to help tighten store security. No store version 3.0a through 4.0g should run without it!

To install this file, place it in the custom sub-directory... and you are ready to go.
Notes: Versions 4.0h and above come with the current wrapper files.
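The two points above (a filter that drops unwanted characters from every form field, and error detail that reaches the browser only in debug mode) can be shown in a small piece of Perl, the language agora.cgi is written in. The block below is an added example written for this page; it is not security_01242002.pl or any other AgoraCart code. The page does not list which characters the real patch removes, so the allow-list, the log file path and the sample form values here are assumptions.

```perl
#!/usr/bin/perl
# Added example for this page: a "paranoia" style input filter plus
# debug-aware error reporting. NOT the code of security_01242002.pl.
use strict;
use warnings;

# ASSUMED allow-list: any character outside it is stripped from every
# form name and value. The real patch's character list is not on the page.
my $NOT_ALLOWED = qr{[^A-Za-z0-9 ._,:/\@\-]};

# Remove NUL bytes, then everything outside the allow-list.
sub paranoia_filter {
    my ($value) = @_;
    return '' unless defined $value;
    $value =~ s/\0//g;
    $value =~ s/$NOT_ALLOWED//g;
    return $value;
}

# Filter both the names and the values of a parsed form (hash reference),
# so a hostile field name cannot slip through either.
sub filter_form {
    my ($form) = @_;
    my %clean;
    while (my ($name, $value) = each %$form) {
        $clean{ paranoia_filter($name) } = paranoia_filter($value);
    }
    return \%clean;
}

# Error reporting: always append the detail to the log file, but only echo
# it to the browser when $debug is true. A live store runs with $debug = 0.
sub report_error {
    my ($message, $debug, $logfile) = @_;
    if (open my $log, '>>', $logfile) {
        print {$log} scalar(localtime), " $message\n";
        close $log;
    }
    return $debug
        ? "<pre>DEBUG: $message</pre>"     # internal detail reaches the browser
        : "<p>Sorry, the store hit an error. Please try again later.</p>";
}

# Constructed sample input: one field carries a script-injection attempt,
# the other a shell-metacharacter payload.
my %raw = (
    'product'  => 'Blue Widget<script>alert(document.cookie)</script>',
    'quantity' => '2; rm -rf /',
);
my $clean = filter_form(\%raw);
for my $name (sort keys %$clean) {
    print "$name => $clean->{$name}\n";
}

# Assumed log path; in non-debug mode only the generic message is returned.
print report_error('open /home/store/data.db failed: Permission denied',
                   0, '/tmp/agora_error.log'), "\n";
```

Run as-is it prints the filtered fields (the angle brackets, parentheses and semicolon are gone) and the generic error text; passing 1 as the second argument to report_error shows what a store in debug mode would hand to the browser, including the file path from the message.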



Wrapper Update
For versions 3.0a through 4.0d
Last Update: September 9, 2001


Wrapper Update - wrapper30a.zip

Wrapper version 3.0a has been created. It automatically checks that the owner of the setuid wrapper and the owner of the executed file are the same. These wrappers are included in versions 4.0h and above by default.

Version 2.0b is also OK to use, but the full path to the cgi needs to be specified before compiling the program.

If you are not sure what user ID scripts run under within your hosting account, try the test_id.cgi script. Directions are within the file itself. The download link for the testid.zip file is below.

For some older Linux systems that do not allow the SUID bit to be set, we have pre-compiled wrappers for 2.0 series kernels and 2.2 series kernels (we have also used these on FreeBSD and newer Linux machines). See the wrapper readme file (link below) for more details.

Consult the Online manual, Wrapper Readme file or the DOCS directory of the store for install instructions.
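The following is an added install-time check written for this page, not the wrapper source from wrapper30a.zip and not test_id.cgi. It reproduces from the shell the condition the 3.0a wrapper enforces at run time (the setuid wrapper and the script it executes must have the same owner) and prints the real and effective user IDs the way test_id.cgi is described as doing. The two paths are taken from the command line; the group/world-writability checks are an addition beyond what the page attributes to the wrapper.

```perl
#!/usr/bin/perl
# Added example for this page: verifies the wrapper's owner condition and
# reports the IDs the script runs under. Not AgoraCart's own code.
use strict;
use warnings;
use Fcntl ':mode';

my ($wrapper, $cgi) = @ARGV;
die "usage: $0 /path/to/wrapper /path/to/agora.cgi\n"
    unless defined $wrapper && defined $cgi;

# Return (owner uid, mode bits) for a path, or die if it cannot be stat'ed.
sub owner_and_mode {
    my ($path) = @_;
    my @st = stat($path) or die "cannot stat $path: $!\n";
    return ($st[4], $st[2]);
}

my ($wrapper_uid, $wrapper_mode) = owner_and_mode($wrapper);
my ($cgi_uid,     $cgi_mode)     = owner_and_mode($cgi);

my @problems;

# The check the 3.0a wrapper performs: wrapper owner == target owner.
push @problems, "owner mismatch: $wrapper is uid $wrapper_uid, $cgi is uid $cgi_uid"
    unless $wrapper_uid == $cgi_uid;

# Without the setuid bit the wrapper changes nothing about the effective id.
push @problems, "$wrapper has no setuid bit set"
    unless $wrapper_mode & S_ISUID;

# Extra hygiene (not stated on the page): if someone else can overwrite the
# wrapper or its target, the owner check alone no longer protects the store.
for my $pair ([$wrapper, $wrapper_mode], [$cgi, $cgi_mode]) {
    my ($path, $mode) = @$pair;
    push @problems, "$path is group- or world-writable"
        if $mode & (S_IWGRP | S_IWOTH);
}

# From a shell this shows your account; run as a CGI it shows the identity
# the web server gives scripts, which is what test_id.cgi is for.
printf "this process: real uid %d, effective uid %d\n", $<, $>;

if (@problems) {
    print "FAIL:\n";
    print "  - $_\n" for @problems;
    exit 1;
}
print "OK: $wrapper (uid $wrapper_uid) is setuid and owned by the same user as $cgi\n";
```

Run it as `perl check_wrapper.pl /path/to/wrapper /path/to/agora.cgi` from the account that owns the store; an exit status of 1 with a FAIL list means the wrapper would refuse the script, or is installed in a way that weakens the check.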