Squirrelcart Security Patch #SC090805
Release date: 08/05/2009

XSS (Cross Site Scripting) vulnerability patch
Affected Squirrelcart versions: v2.0.0 - 3.0.1

How to find your version number:
---------------------------------------------------------------------
You can locate your Squirrelcart version in the upper right hand corner of your control panel.


Patch Info and Instructions
---------------------------------------------------------------------
This is a patch for protecting against a XSS (Cross Site Scripting) vulnerability that was discovered on 08/05/2009.

You can get more information on XSS vulnerabilities here: http://en.wikipedia.org/wiki/Cross-site_scripting

This would be considered a "Type 1" vulnerability, which according to Wikipedia is as follows:

	This kind of cross-site scripting hole is also referred to as a non-persistent or reflected vulnerability, and is by far the most 
	common type. These holes show up when data provided by a web client is used immediately by server-side scripts to generate a page 
	of results for that user. If unvalidated user-supplied data is included in the resulting page without HTML encoding, this will 
	allow client-side code to be injected into the dynamic page. A classic example of this is in site search engines: if one searches
	for a string which includes some HTML special characters, often the search string will be redisplayed on the result page to indicate 
	what was searched for, or will at least include the search terms in the text box for easier editing. If all occurrences of the 
	search terms are not HTML entity encoded, an XSS hole will result.

	At first blush, this does not appear to be a serious problem since users can only inject code into their own pages. 
	However, with a small amount of social engineering, an attacker could convince a user to follow a malicious URL which injects 
	code into the results page, giving the attacker full access to that page's content. Due to the general requirement of the use of 
	some social engineering in this case (and normally in Type 0 vulnerabilities as well), many programmers have disregarded these 
	holes as not terribly important. This misconception is sometimes applied to XSS holes in general (even though this is only one 
	type of XSS) and there is often disagreement in the security community as to the importance of cross-site scripting vulnerabilities.

While this patch will protect against this vulnerability, it's always a good idea to keep your installation up to date. 
Upgrading to the latest Squirrelcart release (v3.0.2 as of this writing) will provide protection against this vulnerability and also fix all known bugs to date. 
If you are running version 2.0.0 - 3.0.1 and prefer not to upgrade, you can apply this patch by following the instructions below.

Instructions for applying patch:
1. Backup your installation
2. Locate the folder in this patch corresponding to the version of Squirrelcart you are running
3. Inside that folder you will find a single file. Upload that file to the "squirrelcart/functions/storefront/common/catalog_viewing/" folder on your server, overwriting the file already present

If you need assistance regarding this, please contact us using our helpdesk:
https://www.ldev.com/helpdesk/