Multiple PHP vulnerabilities, MD5 Hash End of Life and PHP 5.6 and 7.0 Discontinued: How It Affects Your X-Cart Store
Multiple Vulnerabilities Discovered in PHP
This September, multiple vulnerabilities were discovered in all supported PHP versions.
Some of them are classified as posing HIGH risk for small, medium, and enterprise eCommerce businesses. In other words: everyone is at risk.
The PHP developers have urgently released patched versions and strongly recommend that every server administrator update as soon as possible.
SYSTEMS AFFECTED:
- PHP 7.1 versions prior to 7.1.32 (compatible X-Cart 4.7.10+; 5.3.3.0+)
- PHP 7.2 versions prior to 7.2.22 (compatible X-Cart 4.7.10+; 5.3.4.5+)
- PHP 7.3 versions prior to 7.3.9 (compatible X-Cart 5.4.0+)
RECOMMENDATIONS:
- Contact your hosting provider and upgrade to the latest version of PHP immediately, after appropriate testing.
- Verify that no unauthorized modifications have been made to the system before applying the patch.
- Apply the principle of Least Privilege to all systems and services.
MD5 Hash End of Life and Signature Key Replacement
As we’ve previously mentioned in our blog, Authorize.Net is phasing out the MD5-based hash. It is being replaced by a SHA-512-based hash that uses a Signature Key.
Back in February, they removed the MD5 Hash setting from the user interface. It still worked but only for those who already had it configured.
The final step is coming soon: they will stop sending the MD5 Hash data element in the API response. Authorize.Net has already prepared the changes and is now testing them. The switch will happen on June 27, 2019, when the changes are released to production.
We have prepared the necessary patches for X-Cart 4 (a.k.a. Classic) users. So if you use AuthorizeNet SIM and/or AuthorizeNet Echeck, you already have them in your File Area in HelpDesk.
If you use AuthorizeNet AIM/CIM/DPM, please contact our support team, they will help you make the necessary changes.
We strongly recommend that you apply the patches now, so that your store is ready for the upcoming changes.
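To show what the switch means in code, here is an added PHP example (X-Cart is a PHP application; this is not X-Cart's or Authorize.Net's own code): the legacy MD5 hash check beside its HMAC-SHA512 Signature Key replacement, both using a constant-time comparison. The MD5 input order, the `^`-delimited signed-field list and the field names are assumptions for illustration; the authoritative field list comes from Authorize.Net's documentation.

```php
<?php
// Added example, not X-Cart's or Authorize.Net's code. Field names and the
// order of the signed fields are assumptions for illustration only.
declare(strict_types=1);

/** Legacy check (being retired): MD5 over hash value + login ID + transaction ID + amount. */
function verifyLegacyMd5Hash(array $resp, string $md5HashValue, string $loginId): bool
{
    $data = $md5HashValue . $loginId . ($resp['x_trans_id'] ?? '') . ($resp['x_amount'] ?? '');
    $expected = strtoupper(md5($data));
    // hash_equals avoids leaking the correct hash through timing differences
    return hash_equals($expected, strtoupper($resp['x_MD5_Hash'] ?? ''));
}

/** Replacement: HMAC-SHA512 keyed with the hex-encoded Signature Key over '^'-delimited fields. */
function verifySha512Hash(array $resp, string $signatureKeyHex, array $signedFields): bool
{
    $key = @hex2bin($signatureKeyHex);
    if ($key === false) {
        return false; // malformed Signature Key: never accept the response
    }
    $values = array_map(function ($f) use ($resp) { return $resp[$f] ?? ''; }, $signedFields);
    $data = '^' . implode('^', $values) . '^';
    $expected = strtoupper(hash_hmac('sha512', $data, $key));
    return hash_equals($expected, strtoupper($resp['x_SHA2_Hash'] ?? ''));
}

// Constructed sample response: values are made up; the placeholder key is NOT a real one.
$signatureKeyHex = str_repeat('0F', 64);                                   // 128 hex chars
$signedFields    = ['x_trans_id', 'x_test_request', 'x_response_code', 'x_amount']; // assumed subset
$resp = [
    'x_trans_id'      => '1234567890',
    'x_test_request'  => 'false',
    'x_response_code' => '1',
    'x_amount'        => '19.99',
];
// Simulate the gateway signing the response with the same key and field order
$signed = '^' . implode('^', array_map(function ($f) use ($resp) { return $resp[$f]; }, $signedFields)) . '^';
$resp['x_SHA2_Hash'] = strtoupper(hash_hmac('sha512', $signed, hex2bin($signatureKeyHex)));

var_dump(verifySha512Hash($resp, $signatureKeyHex, $signedFields)); // untouched response verifies

$resp['x_amount'] = '0.01';                                            // tampered amount
var_dump(verifySha512Hash($resp, $signatureKeyHex, $signedFields)); // tampered response is rejected
```

The store should treat a failed check the same way as a declined payment and log it, since a mismatch means the response did not come from the gateway unmodified.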
PHP 5.6 and 7.0 Discontinued
In December 2018, support for two PHP versions (PHP 5.6 and PHP 7.0) was discontinued. What does it mean for you as an eCommerce business owner? Let’s dig in.
Introduction
Let us first work out how PHP branches are normally supported.
Each branch of PHP is fully supported for two years after its official release. During these two years, all bugs and security issues are fixed and promptly released in the next update.
After this period is over, each branch is supported for major vulnerabilities only, for one more year.
So the regular life cycle of a PHP branch is three years.
What are your risks if you don’t update?
First of all – and this is probably the most serious issue – if your eCommerce store is hosted on a web server with PHP 5.6 or PHP 7.0, your site security can be compromised at any moment. That means you can’t guarantee the safety of your clients’ data, nor can anyone guarantee your store won’t be hacked.
Second of all – and it is of major importance, too – your site speed won’t improve. Here is the fact: your store will be much faster on the newest PHP versions.
When I say “much faster”, I’m not exaggerating one bit. Sites that run on a server with PHP 7.3 are 31% faster than those running on PHP 7.0 and 3 times faster than those on PHP 5.6. (resource)
Moreover, your hosting company may upgrade the server’s PHP version at any time, as they can’t allow their servers to be vulnerable, either. Such an upgrade will break your site. The downtime may last up to several weeks until you apply the necessary patches to make your store compatible.
You don’t have to risk losing a month’s worth of sales. We wouldn’t want you to face any of those problems, so we’re offering a few options below; pick any.
PHP 7.1/7.2/7.3 and MySQL 8 compatibility
To make your store compatible with the latest versions of PHP and MySQL, you can take any of the paths below:
Compatibility patches
You can apply the patches available in your HelpDesk account > X-Cart > X-Cart supporting files for prev versions > {Your X-Cart branch} > {Your X-Cart version} > Updates and patches. Look for the file named php71x-73x-mysql8-2018-11-28_4.x.x.tgz.
After you apply the patches, please clear the cookies: run https:///cleanup.php or remove the var/templates_c/ directory.
If your X-Cart version is 4.7.5 or lower, you will need to apply the PHP 7.0 compatibility patch first and PHP 7.1-7.3 patch right after.
Please note, after you apply the patches, you will need to contact your hosting provider and ask them to upgrade your server PHP and MySQL versions to the latest available.
Not only do these patches make your online store compatible with the newest version of PHP, they also provide compatibility with MySQL 8.0, which ensures even smoother and faster operation. To be exact, twice as fast as on a server with MySQL 5.6.
All in all, your site gets a 4x to 5x total boost if you update both PHP and MySQL to the latest versions.
Along with the speed and performance improvement, you get higher ranks on Google, which won’t hurt your sales, either. Google takes into consideration a site’s overall speed and performance, meaning the smoother your online store runs, the higher ranks you get on Google.
So the maths is plain: better performance + higher speed + higher position on Google = better conversions.
The good news is the patches are free and available to all users of X-Cart Classic. Even if you don’t feel confident enough to apply them yourself, you can always – 24/7 – contact our support team for assistance.
Software upgrade
You may want to upgrade your store to X-Cart 4.7.10. It is already fully compatible with PHP 7.1 and above, MySQL 8 and MariaDB, so no need to apply the patches.
Alternatively, you may consider switching to the new progressive X-Cart 5, which regularly receives security and performance updates through its automatic upgrades. Naturally, it is already compatible with the latest MySQL/MariaDB and PHP as well. Doesn’t that save time and effort, too?
Either way, you get all the benefits described above plus a bunch of new features and improved look and performance for your store at the same time.
Switch to another server
Ours, for instance.
Our servers are tuned to host X-Cart, so we can guarantee better performance and speed than any other hosting provider can offer. That all comes with extra customer care 24/7.
If you decide to switch to our servers, we will make the transfer swiftly, professionally, without any downtime whatsoever – and for free. You won’t have to lift a finger – what’s the hosting team for, after all?
Along with the transfer, we’ll apply the PHP 7.3 and MySQL 8/MariaDB compatibility patches for you with a considerable discount (up to 100% depending on your X-Cart version) and make sure your store is up and running.