XSS Vulnerability in v1.3.7
We have been informed of an XSS vulnerability in Zen Cart 1.3.7 (and prior versions).
The vulnerability only affects those people using the special TEXT input attribute on their products.
The problem arises due to insufficient cleansing of outputs.
NOTE: we have fixed the vulnerability by specifically targeting output functions where the TEXT attribute is displayed, in both catalog and admin. This is how we have addressed possible and actual XSS vulnerabilities in the past.
We have not used global cleansing of all $_POST variables, as this may limit the functionality of various intrinsic Zen Cart operations.
A patch fix for v1.3.7 will be posted within the hour.
Re: XSS Vulnerability in v1.3.7
FILES AFFECTED
==============
The files affected are:
/readme.txt (this file should not be uploaded to your site. All the rest should)
/admin/orders.php
/admin/packingslip.php
/admin/invoice.php
/includes/modules/pages/shopping_cart/header_php.php
/includes/templates/template_default/templates/tpl_account_history_info_default.php
/includes/templates/template_default/templates/tpl_checkout_confirmation_default.php
INSTALLATION for v1.3.7 sites:
====================
1. Download the patch from SourceForge here.
2. Upload the patched files to replace the existing files of the same name/folder.
Remember, if you have renamed your admin folder, you will have to use *that*
folder name when copying/uploading the /admin/ folder files.
Further, if you have customized copies of the enclosed template files, you
should manually apply the changes from these files into your customized files.
Using WinMerge as a file-comparison tool will help you quickly identify your
customizations and help you merge the changes easily.
INSTALLATION for sites OLDER THAN v1.3.7:
=============================
If you need to apply these fixes to an older version of Zen Cart, do NOT use the patched zip file. Instead, this can be accomplished by manual edits -- replacing this:
Code:
$order->products[$i]['attributes'][$j]['value']
with this:
Code:
zen_output_string_protected($order->products[$i]['attributes'][$j]['value'])
... in the affected files.
Depending on which version you have, you'll find a need to change either line #118 of template_default/templates/tpl_shopping_cart_default.php
Code:
$products[$i][$option]['products_options_values_name'] = $attr_value;
becomes:
Code:
$products[$i][$option]['products_options_values_name'] = zen_output_string_protected($attr_value);
or modules/pages/shopping_cart/header_php.php, like this:
Code:
$attrArray[$option]['products_options_values_name'] = $attr_value;
becomes:
Code:
$attrArray[$option]['products_options_values_name'] = zen_output_string_protected($attr_value);
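The following is an added, self-contained example (not Zen Cart's own code) that models the fix described in this thread: a customer-typed TEXT attribute value is rendered once without encoding and once wrapped the way the patched files do it. The stand-in `output_string_protected()` is assumed to behave like `zen_output_string_protected()` (an `htmlspecialchars()` call); the order structure and the hostile value are constructed for the demonstration.

```php
<?php
// Stand-in for zen_output_string_protected() (assumption: it reduces to
// htmlspecialchars()). ENT_QUOTES also encodes single quotes, which matters
// when the value ends up inside an HTML attribute.
function output_string_protected(string $string): string {
    return htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
}

// Constructed order mirroring $order->products[$i]['attributes'][$j].
// The second value is what a customer could type into a TEXT attribute.
$order = (object) ['products' => [[
    'name' => 'Engraved Mug',
    'attributes' => [
        ['option' => 'Engraving text', 'value' => 'Happy Birthday'],
        ['option' => 'Engraving text', 'value' => '<b onmouseover="x()">Hi</b>'],
    ],
]]];

// Before the patch: the attribute value is interpolated into the page verbatim,
// so any markup the customer typed is handed to the browser as markup.
function render_attributes_unpatched(object $order): string {
    $html = '';
    foreach ($order->products as $i => $product) {
        foreach ($product['attributes'] as $j => $attr) {
            $value = $order->products[$i]['attributes'][$j]['value'];
            $html .= '<li>' . $attr['option'] . ': ' . $value . "</li>\n";
        }
    }
    return $html;
}

// After the patch: the same output point encodes the value. This is the
// per-output-point approach the fix uses, rather than cleansing all $_POST data.
function render_attributes_patched(object $order): string {
    $html = '';
    foreach ($order->products as $i => $product) {
        foreach ($product['attributes'] as $j => $attr) {
            $value = output_string_protected($order->products[$i]['attributes'][$j]['value']);
            $html .= '<li>' . $attr['option'] . ': ' . $value . "</li>\n";
        }
    }
    return $html;
}

// Regression check for a tester: the raw customer value must not survive
// into the rendered HTML once the output point is protected.
function value_leaks_into_html(string $html, string $rawValue): bool {
    return strpos($html, $rawValue) !== false;
}

$hostile = $order->products[0]['attributes'][1]['value'];
echo "unpatched:\n" . render_attributes_unpatched($order);
echo "patched:\n" . render_attributes_patched($order);
var_dump(value_leaks_into_html(render_attributes_unpatched($order), $hostile));
var_dump(value_leaks_into_html(render_attributes_patched($order), $hostile));
```

Run it with the PHP CLI; the first `var_dump` reports the leak and the second reports that the encoded output no longer contains the raw markup, which is the property to verify in each affected template after applying the manual edits.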