  1. #1

    Security Alert: SQL Injection Protection 2008-09-19

    UPDATE TO Security Alert: SQL Injection Risk

    On Aug 31 we posted an alert regarding an SQL Injection Vulnerability.

    Further code review has revealed that the proposed code fix was incomplete.
    Also, the "fix" recommended previously was somewhat complicated to implement due to the need to edit PHP files in a few places.

    As such, the following fix is recommended.

    ALL v1.2.x and v1.3.x STORES SHOULD INSTALL THIS SIMPLE PATCH:

    a) Download and unzip the attached file (shown in the next post, below).
    b) Use your FTP program to upload the file to your /includes/extra_configures/ folder.

    That's all.

    • This one fix applies to both v1.2.x and v1.3.x
    • If you've already applied the Aug 31 patch updates, you need to make an edit to them, as documented in the next post below ... and you should still install the patch file.
    • If you haven't installed the Aug 31 update, you don't need to: just install the patch file below instead.

    Thanks to Yuki Shida at zen-cart.jp for assistance in this discovery.
    Last edited by DrByte; 23 Sep 2008 at 08:33 PM. Reason: removed incorrect patch file ... use the one from the next post instead

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donations always welcome: www.zen-cart.com/donate

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  2. #2

    Re: Security Alert: SQL Injection Protection 2008-09-19

    UPDATE:

    Apparently the fixes from Aug 31 and Sept 19 (above) were a little over-enthusiastic, and can break functionality in two specific cases:
    a) if you have checkbox-style attributes assigned to your products, they can't be added to your cart
    b) if you have your store set to use fractional product quantities, the quantity was being handled wrong because it was disallowing the decimal point.

    Thus, two adjustments are needed:

    1. ** EVERYONE SHOULD DO THIS ** The attached patch file is an update to (and yes, is the *same* filename), and should replace, the one originally issued on Sept 19. After unzipping, it should be uploaded to /includes/extra_configures/
    If you have not already uploaded this patch, you should do it now, using the attached file.

    2. ** SOME SITES SHOULD DO THIS **
    * If you have NOT already made the Aug 31 edits, you can ignore them and just use the attached patch file, installing it as described in the post above.

    * If you *HAVE* already made the Aug 31 edits to /includes/classes/shopping_cart.php and you are using v1.3.x, you NEED to fix it as shown below:
    Specifically, you will need to change the last line you edited, and add a "." inside the square brackets as shown:
    Change from this:
    Code:
              $prodId = ereg_replace('[^0-9a-f:]', '', $key);
    to this:
    Code:
              $prodId = ereg_replace('[^0-9a-f:.]', '', $key);


    NOTE: These changes are not compatible with PHP 5.3. If using PHP 5.3, apply the PHP 5.3 patch AFTER making these changes.
    Last edited by DrByte; 24 Sep 2008 at 02:20 AM. Reason: corrected name of file: /includes/classes/shopping_cart.php
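    The whitelist edit described in the post above, written out as a small reusable function. This is an added example, not the Zen Cart patch file and not code from the thread's author: it uses preg_replace() instead of ereg_replace() (the ereg family is deprecated as of PHP 5.3, which is why the post points PHP 5.3 users at a separate patch), the function name sanitize_cart_key() and the sample keys are invented for illustration, and it shows side by side what the Sept 19 pattern and the corrected Sept 24 pattern (with "." inside the brackets) each leave behind.

```php
<?php
// Added example (not from the Zen Cart patch or the forum post).
// Character-whitelist filter for a shopping-cart product key, in the
// spirit of the ereg_replace() line quoted in the thread, but using
// preg_replace() so it also works on PHP 5.3 and later.

/**
 * Keep only the characters a cart key is expected to contain:
 * digits, hex digits a-f and ':' (separator before an attribute hash),
 * plus '.' when $allowDecimal is true (the Sept 24 correction, needed so
 * fractional values are not mangled). Everything else is dropped, which
 * is what keeps quotes and other stray characters out of the query.
 */
function sanitize_cart_key($key, $allowDecimal = true)
{
    $pattern = $allowDecimal ? '/[^0-9a-f:.]/' : '/[^0-9a-f:]/';
    return preg_replace($pattern, '', (string) $key);
}

/**
 * Run both versions of the filter over a list of keys and return
 * array(key => array('narrow' => ..., 'corrected' => ...)).
 */
function compare_filters(array $keys)
{
    $out = array();
    foreach ($keys as $k) {
        $out[$k] = array(
            'narrow'    => sanitize_cart_key($k, false),
            'corrected' => sanitize_cart_key($k, true),
        );
    }
    return $out;
}

// Constructed sample keys (hypothetical values, not taken from the thread).
$samples = array(
    '27',              // plain product id: unchanged by either pattern
    '27:abc123',       // product id plus a (fake) attribute hash: unchanged
    '27.5',            // key containing a decimal point: the narrow pattern
                       // turns this into "275", the corrected one keeps it
    "27'; junk",       // stray quote, semicolon and letters: both strip them
);

foreach (compare_filters($samples) as $key => $r) {
    printf("%-12s narrow=%-10s corrected=%s\n", $key, $r['narrow'], $r['corrected']);
}
// No closing ?> tag, for the reason given in the last post of the thread.
```

    Note that a character whitelist like this only narrows what reaches the SQL string; it is a stop-gap around existing string-built queries, not a replacement for binding the value as a parameter in the query itself.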

  3. #3

    Re: Security Alert: SQL Injection Protection 2008-09-19

    And ... for everyone who wonders ...

    The "missing" ?> tag at the end of the file is intentional. See this related FAQ: http://tutorials.zen-cart.com/index.php?article=313