osCommerce

jQuery vulnerability -- upgrade needed


MrPhil


jQuery has a (recently patched) vulnerability to "prototype pollution" attacks, which can be used to escalate authority of hackers and do nasty things.

Article: https://www.zdnet.com/article/popular-jquery-javascript-library-impacted-by-prototype-pollution-flaw/

Quote

Tal, who worked with the Node.js team to report the bug to the jQuery team, recommends that web developers update their projects to the latest jQuery version, v3.4.0.

Today, most websites are still using the 1.x and 2.x branches of the jQuery library, which means that the vast majority of jQuery-based apps and websites are still open to attacks.

The article goes on to note that there have been some API changes since v1 and v2, so upgrading jQuery is more than just dropping in a new library.
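To make "prototype pollution" concrete, here is an added example that is not code from the article, from jQuery, or from anyone in this thread: a stripped-down deep merge modelled on jQuery.extend(true, target, source), first without and then with the "__proto__" check that the jQuery 3.4.0 fix introduced. The JSON input is constructed, and the function names (deepMergeUnguarded, deepMergeGuarded, mergeUntrusted) are mine, not jQuery's. It runs under Node.js.

```javascript
// Added example, not jQuery's source: a stripped-down deep merge modelled on
// jQuery.extend(true, target, source), in an unguarded form and in a form that
// applies the "__proto__" check the jQuery 3.4.0 fix added. Run with Node.js.

// jQuery treats Object.prototype itself as a "plain object" (its prototype is
// null), which is what lets the unguarded recursion descend into it.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === null || proto === Object.prototype;
}

// Unguarded deep merge: mirrors the pre-3.4.0 behaviour for this case.
function deepMergeUnguarded(target, source) {
  for (const key in source) {
    const copy = source[key];
    if (isPlainObject(copy)) {
      // With key === "__proto__", target[key] resolves to Object.prototype,
      // so the recursive call writes every nested key onto every object.
      const existing = isPlainObject(target[key]) ? target[key] : {};
      target[key] = deepMergeUnguarded(existing, copy);
    } else {
      target[key] = copy;
    }
  }
  return target;
}

// Guarded deep merge: the same loop with the check the 3.4.0 patch introduced
// ("__proto__" keys and self-references are skipped).
function deepMergeGuarded(target, source) {
  for (const key in source) {
    const copy = source[key];
    if (key === '__proto__' || copy === target) continue;
    if (isPlainObject(copy)) {
      const existing = isPlainObject(target[key]) ? target[key] : {};
      target[key] = deepMergeGuarded(existing, copy);
    } else {
      target[key] = copy;
    }
  }
  return target;
}

// Constructed sample: JSON as a store might receive from a client and merge
// into a defaults object. JSON.parse creates a real own property named
// "__proto__", which for...in enumerates.
const UNTRUSTED_JSON = '{"__proto__": {"polluted": "yes"}, "theme": "dark"}';

// Merge the sample with the given function and report whether an unrelated,
// freshly created object now sees the injected key. Cleans up afterwards so
// the process is left unpolluted.
function mergeUntrusted(mergeFn) {
  const defaults = { theme: 'light' };
  mergeFn(defaults, JSON.parse(UNTRUSTED_JSON));
  const leaked = ({}).polluted;
  delete Object.prototype.polluted;
  return { theme: defaults.theme, leaked };
}

console.log('unguarded:', mergeUntrusted(deepMergeUnguarded)); // leaked: 'yes'
console.log('guarded:  ', mergeUntrusted(deepMergeGuarded));   // leaked: undefined
```

The only difference between the two merges is the single `continue` line, which is the shape of the upstream fix; the rest of the loop is identical, which is why the backported patches mentioned later in this thread are small.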


6 minutes ago, burt said:

Note that CE has been on the 3.x jQuery for over 2.5 years. 

CE is presently on 3.3.1 (edge) and 3.1.1 (frozen), easy way to check external libraries on the Wiki;

https://github.com/gburton/Responsive-osCommerce/wiki/External-Libraries

Not in the admin, still on the 2.x branch; UI is also out of date now at 1.12.1

jquery-2.2.3.min.js

jquery-ui-1.10.4.min.js

Phoenix support now at https://phoenixcart.org/forum/
App created for phoenix
TinyMCE editor for admin

Just had a quick look to see what I could see in terms of jQuery.

Also seen references to the 1.x branch:

  document.write('<scr' + 'ipt src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></scr' + 'ipt>');

was found in admin/paypal.php

admin/orders.php

admin/includes/modules/dashboards/d_paypal_app.php

catalog/includes/modules/payment/paypal_pro_dp.php

catalog/includes/modules/payment/paypal_pro_hs.php

jQuery 2.x in

admin/includes/template_top

jQuery 3.x in

catalog/includes/template_bottom.php

That covers all the references to jQuery that I have found (based on the latest version of edge).

Phoenix support now at https://phoenixcart.org/forum/
App created for phoenix
TinyMCE editor for admin

Quote

Taking into account that there's some syntax breakage between the three major versions and that web developers would rather throw acid on their face than re-write their frontends, most websites are bound to continue to use older versions for the foreseeable future.

Fortunately, the patch has been backported to previous releases.

https://github.com/DanielRuf/snyk-js-jquery-174006

3 hours ago, puddlec said:

Not in the admin, still on the 2.x branch; UI is also out of date now at 1.12.1

jquery-2.2.3.min.js

jquery-ui-1.10.4.min.js

Admin side is not started. 

Waiting on more support from individuals and companies using osCommerce, in order to march forward.


  • 3 months later...
On 4/25/2019 at 3:17 PM, burt said:

Note that CE has been on the 3.x jQuery for over 2.5 years. 

CE is presently on 3.3.1 (edge) and 3.1.1 (frozen), easy way to check external libraries on the Wiki;

https://github.com/gburton/Responsive-osCommerce/wiki/External-Libraries

Hi Burt,

I have an old 2.3.4 version (always under jquery-2.2.3) and when I try to update to jquery-3.4.x, I have issues with:
- data-toggle="dropdown"
- data-toggle="tab"
- modal cart module
- etc.

What changes are needed to be in line with the new version of jQuery?
Is it necessary to update the Bootstrap version too to make the new jQuery version work, or is there no consequence?

Thank you for your time.

Osc v2.3.4 BS "custom"
PHP 7.3 compatible (710 modified files => o_O')


  • 1 month later...

I have BS Edge running on PHP 7.2 and decided to try updating the jQuery version from 3.1.1 to 3.4.1 on the catalog side.

I cannot see any issues at this point. The checkout seems to work fine and nothing seems to be off.

Is there anything in particular I should be looking for? Nothing seems to be breaking the site or causing problems.

And, are there any other changes I need to make, other than adding the new jQuery 3.4.1 file to the /ext/jquery/ folder and changing the call for that file in /includes/template_top.php?

osCommerce: made for programmers, ...because store owners do not want to be programmers.

https://trends.google.com/trends/explore?date=all&geo=US&q=oscommerce

  • 2 weeks later...

hi Phil,

Quote

The article goes on to note that there have been some API changes since v1 and v2, so upgrading jQuery is more than just dropping in a new library.

What API changes are there? As I mentioned in the post above, I installed the latest jQuery v3.4.1 and everything is running smooth. Are there any other changes I need to make?

osCommerce: made for programmers, ...because store owners do not want to be programmers.

https://trends.google.com/trends/explore?date=all&geo=US&q=oscommerce

Archived

This topic is now archived and is closed to further replies.