XSS protection patch - Nov 30 2009

[DrByte]

While XSS or CSRF attacks are difficult to trigger and may not manifest very often, it is still important to protect against the ill effects which could be caused by them.

As such, the following XSS patches are advised in order to protect yourself from a recently-reported vulnerability:

The following edits should be made to the respective files.
THESE UPDATES APPLY TO ALL VERSIONS OF ZEN CART UP TO (& including)v1.3.8a (although line numbers may vary)

NOTE: These updates should be made EVEN if you've renamed your admin folder. (Merely renaming your admin folder will NOT protect you from XSS issues.)

/admin/index.php
Add the new lines shown, around approx line 135:

Code:

  while (!$customers->EOF) {
	    $customers->fields['customers_firstname'] = zen_output_string_protected($customers->fields['customers_firstname']);
	    $customers->fields['customers_lastname'] = zen_output_string_protected($customers->fields['customers_lastname']);
    echo '              <div class="row"><span class="left"><a href="' . zen_href_link(FILENAME_CUSTOMERS ....(code snipped here for brevity)........

/admin/customers.php
Add the new line shown, around approx line 1173:

Code:

    default:
      if (isset($cInfo) && is_object($cInfo)) {
        if (isset($_GET['search'])) $_GET['search'] = zen_output_string_protected($_GET['search']);
        $customers_orders = $db->Execute("select o.orders_id, o.date_purchased, o.order_total, o.currency, o.currency_value,

/admin/sqlpatch.php (ONLY relevant for v1.3.5 to (including) v1.3.8a)
Add the "(bool)" as shown here on line 808:

Code:

<?php if (isset($_GET['nogrants'])) echo '<input type="hidden" id="nogrants" name="nogrants" value="'.(bool)$_GET['nogrants'].'" />'; ?>

Thanks to Pedro Joaquín at webvuln for the alert.