  1. #1

    XSS Vulnerability in v1.3.7

    We have been informed of an XSS vulnerability in Zen Cart 1.3.7 (and prior versions).

    The vulnerability only affects those people using the special TEXT input attribute on their products.

    The problem arises due to insufficient cleansing of outputs.

    NOTE: we have fixed the vulnerability by specifically targeting output functions where the TEXT attribute is displayed, in both catalog and admin. This is how we have addressed possible and actual XSS vulnerabilities in the past.
    We have not used global cleansing of all $_POST variables, as this may limit the functionality of various intrinsic Zen Cart operations.

    A patch fix for v1.3.7 will be posted within the hour.

  2. #2

    Re: XSS Vulnerability in v1.3.7

    The files affected are:
    /readme.txt (this file should not be uploaded to your site. All the rest should)

    INSTALLATION for v1.3.7 sites:
    1. Download the patch from SourceForge here.
    2. Upload the patched files to replace the existing files of the same name/folder.

    Remember, if you have renamed your admin folder, you will have to use *that*
    folder name when copying/uploading the /admin/ folder files.

    Further, if you have customized copies of the enclosed template files, you
    should manually apply the changes from these files into your customized files.
    Using WinMerge as a file-comparison tool will help you quickly identify your
    customizations and help you merge the changes easily.

    INSTALLATION for sites OLDER THAN v1.3.7:
    If you need to apply these fixes to an older version of Zen Cart, do NOT use the patched zip file. Instead, this can be accomplished by manual edits -- replacing this:

    with this:
    ... in the affected files.

    Depending on which version you have, you'll find a need to change either line #118 of template_default/templates/tpl_shopping_cart_default.php
    $products[$i][$option]['products_options_values_name'] = $attr_value ;
    $products[$i][$option]['products_options_values_name'] = zen_output_string_protected($attr_value);
    or modules/pages/shopping_cart/header_php.php, like this:
    $attrArray[$option]['products_options_values_name'] = $attr_value
    $attrArray[$option]['products_options_values_name'] = zen_output_string_protected($attr_value)


    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
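
Added example, not part of the original posts and not Zen Cart's own code: the sketch below contrasts the output-side fix described in the thread (encoding the TEXT attribute value where it is prepared for display) with the global input cleansing the announcement decided against. `protect_output()` and `cleanse_input()` are hypothetical stand-ins, the former playing the role `zen_output_string_protected()` has in the patch, and the sample values are constructed.

```php
<?php
// Hypothetical stand-in for the role zen_output_string_protected() plays in
// the patch: encode HTML metacharacters at the point of output.
function protect_output(string $value): string
{
    // ENT_QUOTES covers both quote styles, so the result is also safe
    // inside a quoted HTML attribute such as value="...".
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical global input cleansing (the approach the announcement rejects).
// strip_tags() removes anything it parses as a tag, so it changes the stored
// data itself, and it leaves quote characters untouched.
function cleanse_input(string $value): string
{
    return strip_tags($value);
}

// Constructed TEXT attribute values, as a customer might type them.
$samples = [
    'Happy 40th <3 from Mum & Dad',   // legitimate text containing < and &
    'Frame size 5" x 7"',             // legitimate text containing quotes
    '<script>alert(1)</script>',      // markup that must render as text only
];

foreach ($samples as $i => $attr_value) {
    $products = [];

    // Before the patch: the value reaches the template unencoded.
    $products[$i]['unpatched'] = $attr_value;

    // After the patch: same assignment, wrapped in the output-encoding call.
    $products[$i]['patched'] = protect_output($attr_value);

    // Global cleansing: the customer's text is altered before it is stored.
    $products[$i]['cleansed'] = cleanse_input($attr_value);

    printf("input     : %s\n", $attr_value);
    printf("unpatched : %s\n", $products[$i]['unpatched']);
    printf("patched   : %s\n", $products[$i]['patched']);
    printf("cleansed  : %s\n\n", $products[$i]['cleansed']);

    // Decoding the patched value returns the original text, so encoding at
    // output loses nothing the customer entered.
    assert(htmlspecialchars_decode($products[$i]['patched'], ENT_QUOTES) === $attr_value);
}
```

Run it with the PHP CLI and compare the three columns: the patched value round-trips to the customer's original text, while the cleansed value does not.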


