Zen Cart Release Announcements

#1
Oji-san
Join Date: Jun 2003
Location: Newcastle UK
Posts: 2,527
We recently released a security patch to address an XSS vulnerability with the admin login page. Zen Cart takes security very seriously, and in addition to responding to published security alerts as quickly as possible, we also try where we can to preempt those people that attempt to use published vulnerabilities to craft new hacks.
As such, and after a review of Admin code, and on a zero-day basis, we are releasing a patch to admin code that addresses (so far unpublished) possible XSS vulnerabilities in Zen Cart. The patch instructions are shown below. A zip of this changed file will be posted on SourceForge shortly.

v1.3.6 and newer ... already have these fixes built-in.

v1.3.5 -- this patch has been added to the list of released files here: http://sourceforge.net/project/showf...ease_id=444622

For older releases:

For v1.3.0.x the fixes are the same for each:
V1.3.0.2 http://sourceforge.net/project/showf...ease_id=426669
V1.3.0.1 http://sourceforge.net/project/showf...ease_id=412075
V1.3.0.0 http://sourceforge.net/project/showf...ease_id=405704

For v1.2.x the fixes are the same for each 1.2.x edition:
V1.2.7 http://sourceforge.net/project/showf...ease_id=392886
V1.2.6 http://sourceforge.net/project/showf...ease_id=350699
Older v1.2.x releases: http://sourceforge.net/project/showf...kage_id=125709

For versions prior to v1.2.4 -- please upgrade or apply the patches manually by merging changed files from a newer release.

================================

Today's XSS fix announcement can be implemented manually as follows:

V1.3.x

At the bottom of /admin/includes/init_includes/init_general_funcs.php add the following code before the closing ?>

Code:
```php
//-----------------
// Strip HTML tags from every top-level $_GET value so that tag-based
// payloads cannot be reflected into admin pages unescaped.
// (The logical && replaces the original bitwise &; the result is the same
// because > binds tighter than &, but && is the intended operator.)
if (isset($_GET) && sizeof($_GET) > 0) {
  foreach ($_GET as $key => $value) {
    $_GET[$key] = strip_tags($value);
  }
}
//-----------------
```
Create a new file: /admin/includes/functions/extra_functions/sanitize_against_xss.php containing the following code:

Code:
```php
<?php
/**
 * @package admin
 * @copyright Copyright 2003-2006 Zen Cart Development Team
 * @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
 * @version $Id: sanitize_against_xss.php 4682 2006-10-06 20:52:56Z wilt $
 */
// Strip HTML tags from every top-level $_GET value (logical && used in
// place of the original bitwise &; behaviour is unchanged).
if (isset($_GET) && sizeof($_GET) > 0) {
  foreach ($_GET as $key => $value) {
    $_GET[$key] = strip_tags($value);
  }
}
?>
```
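The patch above loops strip_tags() over the top-level values of $_GET. The following is an added example, not Zen Cart project code, showing two points a practitioner applying that patch will want to keep in mind: nested query parameters such as ids[]=1&ids[]=2 arrive as arrays, and passing an array to strip_tags() produces a warning (a TypeError on PHP 8) rather than a sanitized value; and strip_tags() only removes tags, so a value echoed into an HTML attribute still needs output encoding. The function names sanitizeRequestArray and encodeForHtml and the sample input are assumptions constructed for this example.

```php
<?php
// Added example (not Zen Cart code). Function names are hypothetical.

/**
 * Recursively strip HTML tags from a request array, mirroring the patch's
 * strip_tags() loop but descending into nested arrays instead of handing
 * them to strip_tags(), which only accepts strings.
 */
function sanitizeRequestArray(array $input): array
{
    $clean = [];
    foreach ($input as $key => $value) {
        // Keys come from the query string too, so strip them as well.
        $cleanKey = is_string($key) ? strip_tags($key) : $key;
        if (is_array($value)) {
            $clean[$cleanKey] = sanitizeRequestArray($value);
        } else {
            $clean[$cleanKey] = strip_tags((string) $value);
        }
    }
    return $clean;
}

/**
 * Output encoding: the complementary control. strip_tags() leaves quotes
 * and other characters intact, so anything echoed into HTML (especially
 * into an attribute) is encoded with htmlspecialchars() at output time.
 */
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input standing in for $_GET.
$sampleGet = [
    'search' => 'shoes<script>alert(1)</script>',
    'ids'    => ['1', '2<b>'],
    'name'   => 'O"Brien',
];

$clean = sanitizeRequestArray($sampleGet);
// $clean['search'] === 'shoesalert(1)'   (tags removed, text kept)
// $clean['ids']    === ['1', '2']         (nested array handled)
// $clean['name']   === 'O"Brien'          (no tag present, unchanged)

// The quote survives strip_tags(); encode before echoing into markup.
echo '<input name="q" value="' . encodeForHtml($clean['name']) . '">', PHP_EOL;
// prints: <input name="q" value="O&quot;Brien">
```

The design point is that input stripping and output encoding are separate layers: the patch reduces the chance of a tag-based payload reaching a page, while htmlspecialchars() at the point of output is what makes a given echo safe regardless of what survived the strip.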
#2
Oji-san
Join Date: Jun 2003
Location: Newcastle UK
Posts: 2,527
Just wanted to say thanks to drbyte for putting the patch file together, and for helping in phrasing this release.