SecurityMetrics are still finding vulnerabilities within PHP scripts on my server

**Dunk** · 9 May 2011, 12:51 PM

Had a quick search of the forums and was surprised I couldn't find too much detail relating to this.

We've been battling the issue of PCI compliance on and off for about 2 years (as covered here). Ultimately we're still not compliant.

I'm not sure how strongly enforced PCI compliance is in other territories but we're UK based and have been receiving monthly fines for non compliance for well over a year.
Our bank is now doubling the monthly non-compliance fine.
To try and resolve the problem we've migrated to a private server in recent weeks which has certainly helped but SecurityMetrics are still finding vulnerabilities within PHP scripts on the server, i.e. client side issues with Zen Cart.

I'm aware that the next big release of Zen Cart is supposed to address PCI compliance, but does anyone have any experience of making their current Zen Cart store compliant or perhaps can recommend someone we can ask for help?

We've reached the point where we're seriously considering switching to an entirely new ecommerce platform to achieve compliance.

**kobra** · 9 May 2011, 02:38 PM

Try completing the details as outlined in the posting FAQ's

http://www.zen-cart.com/forum/faq.php

Also what specific "vulnerabilities" are being referenced?
Are these due to php version?
If so, no script will be compliant

**Dunk** · 9 May 2011, 03:31 PM

No they're not due to PHP version.

Vulnerabilities highlighted are script issues.

Vulnerabilities such as
Script allows response splitting (Phorum)
Script allows response splitting (Surveys)
Script allows response splitting (W-Agora)
Script allows response splitting (webcalendar)
The remote web server contains a PHP script that is prone to an information disclosure attack.

We're running 1.3.9h, PHP 5.2.17, MySQL 5.0.92-community, hosted on a virtual private server

**stevesh** · 9 May 2011, 03:47 PM

I'm no expert, but it looks to me that those issues have nothing to do with Zencart. Do you have those scripts installed ?

**Dunk** · 9 May 2011, 03:53 PM

Thanks for that, I think I know where to start looking.

I'm not familiar with the scripts but it's most likely that some of the custom mods that we've had developed are the root of the problem.

**kobra** · 9 May 2011, 09:34 PM

Ditto stevesh

Those processes are not ZenCart processes TMK

**ksl1** · 12 May 2011, 12:11 PM

W-Agora is web publishing and forum script,
Phorum is PHP opensource. You are having compliance problems! None of those scripts are Zencarts

Thread: SecurityMetrics are still finding vulnerabilities within PHP scripts on my server

Thread Tools

Search Thread

Display

SecurityMetrics are still finding vulnerabilities within PHP scripts on my server

Re: Achieving PCI compliance with Zen Cart 1.3.x

Re: Achieving PCI compliance with Zen Cart 1.3.x

Re: Achieving PCI compliance with Zen Cart 1.3.x

Re: Achieving PCI compliance with Zen Cart 1.3.x

Re: SecurityMetrics are still finding vulnerabilities within PHP scripts on the serve

Re: SecurityMetrics are still finding vulnerabilities within PHP scripts on my server

Similar Threads

Any current vulnerabilities in sqlpatch.php ?

SecurityMetrics PCI compliance fail: /password_forgotten.php

php scripts?

New server finding the sql server name

Bookmarks

Bookmarks

Posting Permissions