PCI Scans - patch to handle low-priority warnings on search screen causing scan fail

[DrByte]

There are some reports of sites failing PCI scans due to an error message that can appear on the search screen if someone attempts to do a SQL injection attack. While the attack fails, an error message appears which, to the purists, discloses the name of the database table and thus gets flagged as a problem. While it's a minor issue and poses no actual direct vulnerability, the PCI scan will fail.

To fix this in Zen Cart v1.3.0 through v1.3.8a, simply do the following:

Create a NEW file, call it: /includes/extra_configures/pci_patch_v13x_search.php
And insert only the following code into that file before saving and uploading to your server:

Code:

<?php
if (isset($_GET['keyword']) && $_GET['keyword'] != '')
{
  $count =  substr_count($_GET['keyword'], '"');
  if ($count == 1)
  {
    if(substr(stripslashes(trim($_GET['keyword'])), 0, 1) == '"')
    {
      $_GET['keyword'] .= '"';
    }
  }
  $_GET['keyword'] = stripslashes($_GET['keyword']);
}

if (isset($_GET['sort']) && strlen($_GET['sort']) > 3) {
  $_GET['sort'] = substr($_GET['sort'], 0, 3);
}

Zen Cart versions 1.2.x and older are reminded that they need to upgrade. This patch will not work for them.




And for those of you who wonder, the closing ?> tag is INTENTIONALLY left off of the above code snippet. See here for why: http://tutorials.zen-cart.com/index.php?article=313

[DrByte]

Another PCI flag could be raised if long strings are used for sort parameters.
Again, while the so-called "attack" attempt will fail, an error message will appear, causing a PCI scan to raise a red flag.

Fixing this matter involves simply using the revised code posted above, as edited today.