UPDATE TO Security Alert: SQL Injection Risk
On Aug 31 we posted an alert regarding an SQL Injection vulnerability.
Further code review has revealed that the proposed code fix was incomplete.
Also, the "fix" recommended previously was somewhat complicated to implement due to the need to edit PHP files in a few places.
As such, the following fix is recommended.
ALL v1.2.x and v1.3.x STORES SHOULD INSTALL THIS SIMPLE PATCH:
a) Download and unzip the attached file (shown in the next post, below).
b) Use your FTP program to upload the file to your /includes/extra_configures/ folder.
That's all.
- This one fix applies to both v1.2.x and v1.3.x
- If you've already applied the Aug 31 patch updates, you need to make an edit to them, as documented in the next post below ... and you should still install the patch file.
- If you haven't installed the Aug 31 update, you don't need to: just install the patch file below instead.
Thanks to Yuki Shida at zen-cart.jp for assistance in this discovery.