• I am seeing repeated Who's Online entries with autoLoadConfig or http in the URL

    In older versions of Zen Cart (v1.3.0,, there was a vulnerability in the code which was announced to the hacker world. Even though that has been fixed in subsequent versions, newbie hackers continue to attempt to find sites which have the vulnerability, thus wasting your time and energy worrying about what they're up to.  Their access attempts also waste some of your website server resources.

    Additionally, there are a number of SQL Injection attacks floating around the internet which attempt to find holes to exploit in vulnerable systems. The current version of Zen Cart is inoculated against all such known vulnerabilities.  Nevertheless, sometimes even the "attempts" at hacking (even though they failed) can show up in server logs and whos-online entries, which can be confusing or even alarming to some storeowners.  Thus the following code alteration can provide some peace of mind:

    If you are using Zen Cart version 1.3.x, adding the following to the top of your /includes/application_top.php file will help ignore those visitors and free up system resources consumed by their access attempts:

    Line 1 of /includes/application_top.php contains:  "<?php".
    Add this starting on line 2:
     * inoculate against hack attempts which waste CPU cycles
    $contaminated = (isset($_FILES['GLOBALS']) || isset($_REQUEST['GLOBALS'])) ? true : false;
    $paramsToAvoid[] = 'autoLoadConfig';
    $paramsToAvoid[] = 'mosConfig_absolute_path';
    $paramsToAvoid[] = 'hash';
    $paramsToAvoid[] = 'main';
    foreach($paramsToAvoid as $key) {
      if (isset($_GET[$key]) || isset($_POST[$key]) || isset($_COOKIE[$key])) {
        $contaminated = true;
    $paramsToCheck = array('main_page', 'cPath', 'products_id', 'language', 'currency', 'action', 'manufacturers_id', 'pID', 'pid', 'reviews_id', 'filter_id', 'zenid', 'sort', 'number_of_uploads', 'notify', 'page_holder', 'chapter', 'alpha_filter_id', 'typefilter', 'disp_order', 'id', 'key', 'music_genre_id', 'record_company_id', 'set_session_login', 'faq_item', 'edit', 'delete', 'search_in_description', 'dfrom', 'pfrom', 'dto', 'pto', 'inc_subcat', 'payment_error', 'order', 'gv_no', 'pos', 'addr', 'error', 'count', 'error_message', 'info_message', 'cID', 'page', 'credit_class_error_code');
    if (!$contaminated) {
      foreach($paramsToCheck as $key) {
        if (isset($_GET[$key]) && !is_array($_GET[$key])) {
          if (substr($_GET[$key], 0, 4) == 'http' || strstr($_GET[$key], '//')) {
            $contaminated = true;
          if (isset($_GET[$key]) && strlen($_GET[$key]) > 43) {
            $contaminated = true;
    unset($paramsToCheck, $paramsToAvoid, $key);
    if ($contaminated)
      header('HTTP/1.1 406 Not Acceptable');
    /* *** END OF INNOCULATION *** */

    Using this code change will not affect good visitors such as search engines, as long as they are attempting to access legitimate content on your site.  It simply blocks rogue behavior.

    Applicable to Zen Cart versions: 1.3.0,,, 1.3.5, 1.3.6., 1.3.7, 1.3.8.
    This suggested code change (or a variation on it) are included in Zen Cart v1.3.9 and newer.

    Thanks to forum member smb for the initial concept from which this change was fashioned and has grown.

Zen-Cart, Internet Selling Services, Klamath Falls, OR