osCMax Security Update - XSS flaw patched

[michael_s]

A new blog entry has been added:

[drupal=266]osCMax Security Update - XSS flaw patched[/drupal]

An XSS security flaw has been found in osCMax, specifically the printable catalog module. The flaw is in all 2.0 versions, including RC3, RC3.0.1, RC3.0.2, and RC4 SVN.

[mfleeson]

Just to say Many many thanks.

Mark

[michael_s]

No problem, now get that patch installed before something bad happens

[mfleeson]

Done and tested on my two stores before I wrote on the forum. Cheers. M

[MindTwist]

Now to do some file comparing... Any hints on what code to change? My printable catalog with images is a bit customized, so I would have to compare my original file with the updated one to see what changes have been made, and apply.

Thanks!

[MindTwist]

Forget my post, doing a file compare brought up the differences really quick

[jquach]

Thanks for PMing about this security fix. Much appreciated.

[seaserver]

I've created custom templates for all my stores and do not use the fallback template. Do I still need to apply the fix?

[michael_s]

@seaserver: yes, you need to replace the fallback template file and if you also created custom content template files that have a catalog_products_with_images.tpl.php template, you will have to replace each one with this new file. Remember that if you don't create a custom content template file in your custom template folder, your custom template will grab the content template from the fallback directory. That is why it is called fallback... the system falls back to the fallback template if it cannot find a custom content template.

Here is a diff so you can see what was removed/added:
r89 - oscmax2 - Google Code

[ecom]

FTP upload the included file to the /catalog/templates/fallback/content/ directory, overwriting the existing file.

im using the oscommerce-2.2rc2a ..didnt find template directory ..so ..
where do i overwrite the file?