Zen Cart Release Announcements Watch this forum for new releases and other important announcements.
21st June 2009, 05:53 PM   #1
wilt
Oji-san
 
wilt's Avatar
 
Join Date: Jun 2003
Location: Newcastle UK
Posts: 2,604
IMPORTANT ADMIN SECURITY PATCH -- security_patch_v138_20090619.zip

Hi,

A SERIOUS vulnerability has been discovered in the admin section of v1.3.8 (and previous versions). To take advantage of this vulnerability an attacker must know the URL of your admin section. As our security recommendations point out, you should change the folder that your admin resides in as soon as you install Zen Cart.

However we realise that relying on this 'Security through Obscurity' is not foolproof, hence the release of this patch.

A link to the patch file is posted below. Please download the patch file and unzip it. The zip file contains a readme.html with full details on how to install the security patch files. In the main, the security patch uses Zen Cart's override system to make installation as simple as possible.

If your "Admin" folder is still named /admin/ then YOU NEED TO INSTALL THIS PATCH, *AND* you need to rename your admin folder!



IMPORTANT NOTE:
As with all Zen Cart zip files, there are Directories/Folders embedded in the zip. So, when you expand/unzip, you MUST tell your unzip program to expand the folders too! Otherwise you are likely to end up putting the wrong files in the wrong places.

And ... follow the instructions CAREFULLY ... Remember, the documentation tells you exactly where to put the files. Don't make any assumptions.
This is an ADMIN patch ... so ALL the files go under your admin directory in their respective folders ... again, the documentation is clear, so use it.

ALERT ALERT ALERT!!!! Many people have mis-read the documentation, and mistakenly applied updates to some NON-Admin files. THIS PATCH *ONLY* deals with admin files. So, when editing/updating, make SURE you ONLY handle files under your admin folder. That includes the html_output.php file too!

REMEMBER (In case it's not self-evident) ... WHEN APPLYING *ANY* PATCHES (or addons or customizations for that matter), ALWAYS DO A *FULL* BACKUP of your database data and your PHP/HTML/CSS/TEMPLATE/IMAGES files by downloading them (via FTP) to your computer and zipping and/or burning to a CD/DVD.



Zen Cart v1.3.X
The security patch will work for all versions in the 1.3.x series.
Simply unzip and upload the included files as per the documentation included in the zip.

Zen Cart v1.2.X
Older releases, i.e. v1.2.x, no longer officially receive technical support.
However, you CAN use ONE file from this patch to help secure your v1.2.x site:
Simply unzip this patch file and copy the /admin/includes/functions/extra_functions/security_patch_v138_20090619.php file to your /admin/includes/functions/extra_functions/ folder.
However we strongly advise anyone using the 1.2.x versions to upgrade to 1.3.8 as soon as possible.

Zen Cart v1.1.X
Patching a v1.1.x site will require manual coding changes. If you require such assistance, post to the "Concerns about Hack Attempts" section of the forum and mention your Zen Cart version in the subject.


Thanks to Ghyslain/BlackH for alerting us to one aspect of this vulnerability.
Attached file: security_patch_v138_20090619.zip (24.9 KB, 49015 views)

Last edited by wilt; 25th June 2009 at 05:01 AM. Reason: slight typo in a directory name in the readme.html
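The announcement stresses three things about the install: the named patch file goes under the admin folder, nothing from the patch is applied to the non-admin tree, and the admin folder must not still be called /admin/. The script below is an added example (not part of the patch zip or of Zen Cart) that turns those three points into a check a store owner can run after uploading. It assumes the standard Zen Cart layout where the admin folder and the storefront's includes/ sit side by side under the store root; the store layouts it builds and the folder name zc_backoffice_2009 are constructed for the demonstration.

```python
"""Sanity check for the patch install steps in the announcement (added example, not part of the patch)."""
import os
import tempfile

# The one patch file the announcement names, relative to the admin folder.
PATCH_FILE = ("includes", "functions", "extra_functions", "security_patch_v138_20090619.php")


def check_patch_install(store_root, admin_dir):
    """Return the problems found; an empty list means the install matches the instructions.

    Three points the announcement stresses:
      1. the patch file must be present under the (renamed) admin folder
      2. the file must NOT also be copied under the storefront's includes/ tree
      3. the admin folder must no longer be called 'admin'
    """
    problems = []
    admin_copy = os.path.join(store_root, admin_dir, *PATCH_FILE)
    storefront_copy = os.path.join(store_root, *PATCH_FILE)
    if not os.path.isdir(os.path.join(store_root, admin_dir)):
        problems.append(f"admin folder '{admin_dir}' not found")
    elif not os.path.isfile(admin_copy):
        problems.append(f"patch file missing under {admin_dir}/")
    if os.path.isfile(storefront_copy):
        problems.append("patch file was also applied under the storefront includes/ (non-admin) tree")
    if admin_dir.lower() == "admin":
        problems.append("admin folder is still named 'admin'; rename it")
    return problems


def _plant(root, *parts):
    """Write a constructed placeholder file at root/parts, creating folders as needed."""
    full = os.path.join(root, *parts)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write("<?php // constructed placeholder for the patch file\n")


def run_demo():
    """Two constructed store layouts: one that misreads the instructions, one that follows them."""
    with tempfile.TemporaryDirectory() as root:
        # Mistaken install: admin still called 'admin', and the file copied to the storefront too.
        wrong = os.path.join(root, "wrong")
        _plant(wrong, "admin", *PATCH_FILE)
        _plant(wrong, *PATCH_FILE)
        # Correct install: renamed admin folder (constructed name), patch file only under it.
        right = os.path.join(root, "right")
        _plant(right, "zc_backoffice_2009", *PATCH_FILE)
        return check_patch_install(wrong, "admin"), check_patch_install(right, "zc_backoffice_2009")


if __name__ == "__main__":
    wrong_problems, right_problems = run_demo()
    print("mistaken install:", wrong_problems)
    print("correct install:", right_problems or "no problems found")
```

Run it against a real store by calling check_patch_install with the store root and the current admin folder name; a copy of the patch file under the storefront includes/ is exactly the mistake the ALERT paragraph warns about.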
29th June 2009, 08:09 PM   #2
DrByte
Sensei
 
DrByte's Avatar
 
Join Date: Jan 2004
Location: Ontario, Canada
Posts: 44,134
Re: Security Announcement

IMPORTANT NOTES:

If you have been hacked, you need to:
  1. Rename your admin as per documented instructions.
  2. Apply the security patch above, as per instructions.
  3. Clean up your site:
    1. remove any extra hacker files that have been added to your server, and fix any that have been altered: http://www.zen-cart.com/wiki/index.p...ing_From_Hacks. This includes checking ALL files/folders on the server. See the Recovering From Hacks document for guidance and tips on expediting that process to make it as quick as possible.
    2. double check ALL your admin settings, including store name, email addresses, payment details, etc.
    3. if you are using any modules/services that have passwords or transaction keys or API credentials or account numbers accessible in your admin area, CHANGE THOSE PASSWORDS/KEYS/CREDENTIALS/ACCOUNTS ASAP
    4. if any orders have been placed, double-check that they are legitimate before shipping (you should always do that anyway)
    5. if you believe that any credit card information has been compromised, you need to notify the affected customers of that situation immediately
      - if you were using any modules/addons that stored full credit card numbers, then you certainly need to notify those customers
    6. consider changing your MySQL database username/password too.
  4. Remember to keep good backups on a regular basis, as they will make recovery faster and easier if anything bad were to happen again in the future.
__________________
Zen Cart - putting the dream of business ownership within reach of anyone!
31st July 2009, 08:42 PM   #3
DrByte
Sensei
 
DrByte's Avatar
 
Join Date: Jan 2004
Location: Ontario, Canada
Posts: 44,134
Re: IMPORTANT SECURITY PATCH -- security_patch_v138_20090619.zip

This is just an update notification.

http://www.zen-cart.com/forum/showthread.php?t=130161
Updates to the patch announcement above have been made, including clarification of patch-install instructions (esp for older versions), as well as instructions on cleaning up if you've been hacked.

SOME symptoms of being hacked by this vulnerability include:
- undesired text included in order confirmation emails (comes from the Store Name being altered in the admin (Admin->Configuration->My Store))
- email addresses may have been altered in Admin->Configuration->Email Options
- record_companies sidebox enabled unexpectedly
- many .php files added to various folders, including but not limited to the /images/ folder
- file and/or folder permissions changed to 755 even if they were previously set to something lower
- alterations to .htaccess file contents in various folders
- record_companies database table may contain entries with php file names in the images column
- the html files in your html_includes folders may have extra code added to them
- and various other symptoms.

DO A THOROUGH CLEANUP as explained in the posts and links above.


And, while you're in the mood of applying security patches, check on your own patching here: http://www.zen-cart.com/forum/showthread.php?t=131115
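Cleanup step 3.1 in DrByte's first post ("remove any extra hacker files ... fix any that have been altered ... checking ALL files/folders") and the symptom list in the post above describe what a store owner has to look for by hand. The Python script below is an added example, not part of the thread or of Zen Cart, that turns those symptoms into repeatable checks over a store's file tree and its record_companies table: .php files under /images/, .htaccess files that are new or differ from a clean backup, html_includes files with code added, files with execute bits set, and record_companies rows naming a .php file. It assumes the image column is called record_company_image (the post only says "the images column"), that sha256 hashes of the .htaccess files come from a known-clean backup, and it uses a constructed miniature site tree and an in-memory SQLite table in place of a real store and its MySQL database.

```python
"""Triage checks for the symptoms listed in the thread (added example, not Zen Cart code)."""
import hashlib
import os
import re
import sqlite3
import stat
import tempfile

# Content that has no business in the static .html snippets under html_includes.
INJECTION_MARKERS = re.compile(r"<\?php|<script\b|<iframe\b", re.IGNORECASE)


def walk_files(root):
    """Yield (absolute path, forward-slash relative path) for every regular file under root."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            yield full, os.path.relpath(full, root).replace(os.sep, "/")


def php_under_images(root):
    """Symptom: .php files dropped into /images/, which should hold only media."""
    return sorted(rel for _full, rel in walk_files(root)
                  if rel.startswith("images/") and rel.lower().endswith(".php"))


def changed_htaccess(root, baseline):
    """Symptom: altered .htaccess files. `baseline` maps relative path -> sha256 from a clean backup."""
    findings = []
    for full, rel in walk_files(root):
        if os.path.basename(rel) != ".htaccess":
            continue
        with open(full, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        if rel not in baseline:
            findings.append((rel, "not present in backup"))
        elif baseline[rel] != digest:
            findings.append((rel, "content differs from backup"))
    return sorted(findings)


def tampered_html_includes(root):
    """Symptom: extra code added to the .html files in html_includes folders."""
    hits = []
    for full, rel in walk_files(root):
        if "html_includes/" in rel and rel.lower().endswith(".html"):
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                if INJECTION_MARKERS.search(fh.read()):
                    hits.append(rel)
    return sorted(hits)


def executable_files(root):
    """Symptom: file permissions widened to 755; plain PHP/HTML files need no execute bit."""
    return sorted(rel for full, rel in walk_files(root)
                  if os.stat(full).st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def php_in_record_companies(conn):
    """Symptom: record_companies rows whose image column names a .php file.
    The column name record_company_image is assumed; the post only says 'the images column'."""
    rows = conn.execute(
        "SELECT record_company_id, record_company_image FROM record_companies").fetchall()
    return [(rid, img) for rid, img in rows if img and re.search(r"\.php", img, re.IGNORECASE)]


def triage(root, baseline, conn):
    """Run every check and return the findings keyed by symptom."""
    return {
        "php_under_images": php_under_images(root),
        "changed_htaccess": changed_htaccess(root, baseline),
        "tampered_html_includes": tampered_html_includes(root),
        "executable_files": executable_files(root),
        "php_in_record_companies": php_in_record_companies(conn),
    }


# --- constructed fixture standing in for a real store and its MySQL database ---
CLEAN_HTACCESS = b"Options -Indexes\n"
SAMPLE_FILES = {
    "images/logo.gif": b"GIF89a (constructed placeholder)",
    "images/x7.php": b"<?php /* constructed stand-in for a dropped file */ ?>",
    "images/.htaccess": b"# constructed: this file is not in the backup\n",
    ".htaccess": CLEAN_HTACCESS + b"# constructed: extra line appended\n",
    "includes/templates/classic/html_includes/define_main_page.html":
        b"<p>Welcome</p><script>/* constructed injected marker */</script>",
    "includes/templates/classic/html_includes/define_contact_us.html": b"<p>Contact us</p>",
}


def build_sample_site(root):
    """Write the constructed tree and plant the widened-permission symptom on one file."""
    for rel, data in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    os.chmod(os.path.join(root, "images", "x7.php"), 0o755)


def sample_db():
    """In-memory stand-in for the store's record_companies table (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE record_companies (record_company_id INTEGER, record_company_image TEXT)")
    conn.executemany("INSERT INTO record_companies VALUES (?, ?)",
                     [(1, "labels/acme.png"), (2, "labels/x7.php")])
    return conn


def run_demo():
    baseline = {".htaccess": hashlib.sha256(CLEAN_HTACCESS).hexdigest()}
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return triage(root, baseline, sample_db())


if __name__ == "__main__":
    for symptom, found in run_demo().items():
        print(f"{symptom}: {found or 'nothing found'}")
```

On a real store, point triage at the document root, build the .htaccess baseline from the backup taken before the incident, and replace sample_db with a connection to the live database; anything the checks report still needs a human look, since the script only surfaces the symptoms the post lists and cannot tell a legitimate customisation from an injected one.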