Welcome to Zen Cart®
Dear Zen Cart® User
Zen Cart® is made available to you for your use, addition, changes, modification, etc. without charge, under Version 2 of the GNU General Public License.
While we do not charge for this software, donations are greatly appreciated each time you install a new version, to help cover the expenses of maintenance, upgrades, updates, the free support forum, and the continued development of this software for your online E-Commerce store.
Donations can be made on the Zen Cart® Team Page.
We appreciate your support.
The Zen Cart® Team
Zen Cart® Requirements
Zen Cart® v1.5.0 requires a minimum of the following:
- PHP 5.2.14 or higher
- MySQL 4.1.3 or higher
- Apache 2.0 or higher
- Apache configured with AllowOverride set to either 'All' or at least both 'Limit' and 'Indexes' parameters, and preferably the 'Options' parameter as well.
- PHP configured to support CURL with OpenSSL
While Zen Cart® can run on Windows/IIS servers, Linux/Apache servers are recommended for best results, superior performance, and easier use by shopowners.
What's New ... Changes from v1.3.9 to v1.5.0
Improvements and Bugfixes Included Since v1.3.9
CHANGE-12 - Numerous system changes to support PA-DSS compliance certification
- Admin passwords now expire every 90 days, as per PA-DSS specification
- Admin passwords now require a combination of letters and numbers, as well as uniqueness (previously used passwords cannot be re-used)
- Admin passwords can have a configurable length, but no less than 7 characters
- Admin passwords also expire, for security reasons, when changing admin configuration from non-SSL mode to SSL mode.
- Admin Profiles is now built-in, with a significant number of additional features, and is simpler to use.
- Add basic admin Activity Log Viewer/Exporter tool
- HTMLarea editor removed from core due to obsolescence. Use preferred plugin instead if similar functionality is required.
- FCKeditor components removed from core due to obsolescence. CKEditor is the replacement editor by the same author. Switch to the new plugin if you wish to use this editor.
- USPS module removed from core in favor of being an addon, due to the volatility of frequent changes made by USPS. The addon is available in the Free Addons section of the Zen Cart website.
- CHANGE-12 - PA-DSS - prevent payment modules from ever storing more than 10 characters of sanitized CC numbers
- CHANGE-12 - PA-DSS - prevent built-in "gateway" payment modules from functioning if the site is not protected by SSL
- CHANGE-12 - PA-DSS - add admin detection of SSL mode change and auto-expire all passwords if SSL mode is enabled either with ENABLE_SSL_ADMIN or using an https address for HTTP_SERVER
- CHANGE-12 - PA-DSS - add two-factor authentication hook in admin login
- zc_install now treats supplied initial admin password (during install) as temporary ... requiring the admin user to select a new password at first login. This is to prevent abuse from password sniffing.
- Incorporate TZ (timezone) support, with ability to override/disable simply by defining a DISABLE_MYSQL_TZ_SET constant. c/f https://www.zen-cart.com/forum/showthread.php?t=174346
- PADSS-30 - Admin SSL now enabled by default in configure.php file if Enable-SSL is selected during zc_install
- BUGSFORUM-1774 - Add 'secure' flag support for session cookie when site is running entirely in SSL
- BUGSFORUM-1081 - Fixed: no default set for shipping radio buttons if module is disabled after previously selecting a shipping method
- BUGSFORUM-1347 - Remove file-based session handling support due to security concerns and chicken/egg situation caused by garbage collection processes.
- BUGSFORUM-1497 - Admin order totals section of orders.php page ignored currency-formatting display rules in some cases
- BUGSFORUM-1550 - Fix occasional problem with "duplicate entry" in sessions table caused by some servers using longer session ID keys
- BUGSFORUM-1558 - typefilter incorrect lookup problem in case of (unlikely) file-not-found scenario
- BUGSFORUM-1554 - Shopping Cart Problems when updating product quantities for products with Max limit set
- BUGSFORUM-1564 - orders_status wrongly set to 0 in rare cases
- BUGSFORUM-1584 - no_picture.gif could be accidentally deleted if specified as an actual product image
- BUGSFORUM-1589 - Fixed problem with some downloadable orders where an update of an order might set the number of days to a wrong value
- CHANGE-151: Fix rounding and tax calculation issues in Cart/Order Class
- CHANGE-90 - SECURITY: Fix Local File Inclusion Vulnerability
- Whos_online - several improvements to allow the option to exclude spiders and/or admin IPs from the list of displayed results
- Improvement: Developers Toolkit can now optionally search .js files too.
- CHANGE-136 - On new installs, DB_CHARSET now defaults to UTF8, not latin1
- CHANGE-137 - Removal (deactivation) of CDE payment modules when SSL is disabled
- BUGSFORUM-1592 - Fix rounding problems affecting coupon min-purchase eligibility calculations
- CHANGE-70 - zc_install now checks whether .htaccess rules will work, and provides an alert if there's a problem.
- BUGSFORUM-XXXX - PayPal improvements - allows Transaction ID to show on admin order confirmation emails for WPS, just like other payment modules do
- BUGSFORUM-XXXX - PayPal - partial fix for bug where currency code not specified during partial refunds causes request to fail
- BUGSFORUM-XXXX - PayPal - fixed bug where debug logging might happen even if switched off (caused by broader server-config issues)
- BUGSFORUM-XXXX - PayPal - fix bug in Express Checkout where a shipping-override would still send a shipping phone number, causing a 10001 error without explanation.
- BUGSFORUM-XXXX - PayPal - fix bug where EC button was removed from login page but left PayPal text prompts, resulting in confusion.
- BUGSFORUM-XXXX - PayPal - Change to VPS-Timeout-90 instead of 45 at PayPal's request. This means customers might have to wait longer for transactions to complete, but will reduce timeout errors when PayPal's systems are slow.
- BUGSFORUM-XXXX - PayPal - include product ID number on line-item details since it is needed for order fulfillment
- BUGSFORUM-1673 - PayPal - Fix minor html table syntax bug in paypal history details on admin orders screen
- BUGSFORUM-1754 - PayPal - fix various rounding problems in all modules
- BUGSFORUM-1760 - PayPal - Fix problems with Hungarian Forint and other 0-decimal currencies
- BUGSFORUM-1926 - PayPal - Fix problem with attributes -- if a product had attributes, the product name was being replaced with attribute details, instead of being appended to
- BUGSFORUM-1971 - PayPal - Trap cases where PayPal returns a blank address unexpectedly, and ask them to supply address details by creating an account
- BUGSFORUM-1971 - PayPal - Minimize address matching issues which arise when storeowners rename their countries to non-ISO standard names (something they should not do)
- BUGSFORUM-1892 - PayPal Express: Item details were shown as "Tax included in prices: 0 (0)"
- BUGSFORUM-1959 - PayPal IPN and Express Checkout Missing free Items, or listing free items without description
- BUGSFORUM-2024 - PayPal IPN - address-override alert might insert duplicate update notices in order status history
- BUGSFORUM-2151 - Paypal - Error 10413 when redeeming Gift Certificates for amount greater than product-subtotal
- CHANGE-164 - paypal logging not properly disabling consistently
- BUGSFORUM-1613 - Media Manager Assign to Products wouldn't allow assigning of new products due to security change in 1.3.9h
- Fix to admin customer search: search for new customers by customers_email_address to get correct customer and not everyone named Smith
- Fixed display bug with category icons generating link to cPath=0 if cPath not set
- Fix the display of Discount Coupons when a redemption code is applied so it is more readable by the customer
- Fix Add to Cart to stay on listing when set to not display cart
- Fixed coupon admin screen to land on correct page after adding new coupon
- Various Admin pages: Fix pagination problems when changing status, searching, etc.
- Improvement: Shorten CPU cycles on double-parsing an array needlessly in Authorize.net modules. Also improved sanitized debug output.
- BUGSFORUM-1645 - Adding Featured Products ERROR Warning Warning: Product ID already on Special
- Admin products-to-categories copier: Add additional message for clarity when Copy to categories_id is invalid but allow for obscure usage
- Fixed bug on Order History going to page not found when set to not display cart
- Fix: restore shopping cart products in the order they were added
- BUGSFORUM-1662 - Gift Certificates Will Not Release
- Fixed Error message when restricting coupons
- Fixed hard-coded table names which should have been using constants, to allow for prefixes properly.
- Fix problems with the word "search" in spiders.txt
- Admin orders page now passes unformatted value back for availability to customizations which want to redisplay the values differently.
- BUGSFORUM-1696 - clear COUPON_GV_QUEUE when deleting an order
- BUGSFORUM-1681 - fix links in GV mails
- BUGSFORUM-1689 - email validation regex improvements
- BUGSFORUM-1634 - Bugfix: Prevent loading of non-PHP files in some admin autoloading routines
- BUGSFORUM-1650 - sanitize whosonline output
- Downloads - improvements and addition of support for IE9
- BUGSFORUM-1708 - Combine class methods to reduce chance of race conditions and add error suppression to filemtime
- Fix potential GZIP error if server configuration is overly generic
- CHANGE-74 Sanitization
- VARIOUS changes made to admin/catalog page forms to protect against CSRF using security token
- VARIOUS changes for date fields to be handled consistently and to remove some pre-quoting which was breaking bindVars
- CHANGE-102 Fix broken error checking in SQLPatch tool
- CHANGE-128 obscure sql injection fix
- CHANGE-135 add default value to zen_draw_pull_down_menu call to stop the value being drawn from the GLOBALS array and tested as a string.
- CHANGE-138 Set CURL Proxy Status to FALSE by default, and remove from display since it's now deprecated
- CHANGE-139 fix sprintf() error when generating an outgoing email notification caused by language file refinement
- CHANGE-142 fix tax calculation
- CHANGE-143 fix sidebox query to ensure a correct limit statement is built, if necessary
- CHANGE-143 catch SQL errors and output generic message to user and write message to log instead
- CHANGE-144 XSS mitigation for admin forms -- adds logging for inputs flagged as "rogue" by blacklist algorithm.
- CHANGE-145+146 Blank values for various Maximum Values settings causes PHP errors
- CHANGE-147 zc_install was throwing warning for MySQL versions over 5.2
- BUGSFORUM-1709 Fix extraneous products_id in url
- BUGSFORUM-1783 Fix Virtual Product defaults for all core Product Types
- BUGSFORUM-1798 Preview icon was linked directly to product-general type. Now linked to the product type handler, allowing correct language defines to be loaded when previewing a product via this icon.
- BUGSFORUM-1862 status filter not retaining state, restrict to first char for safety
- BUGSFORUM-1754 change to calculate price/tax on zen_round(zen_add_tax(price,rate)*quantity, decimals)
- BUGSFORUM-1696 SQL error due to non-matching field name
- BUGSFORUM-1907 Fix ambiguous description on admin search switch
- BUGSFORUM-1905 Adjust schema to handle ipv6 addresses
- BUGSFORUM-1949 various ISO country updates
- BUGSFORUM-1973 Downloads might deliver an empty file if readfile() is disabled in PHP and symlink support is off
- BUGSFORUM-2046 HTML Entities not retained while editing via admin
- CHANGE-159 - Remove Welcome-Email Preview from admin
- BUGSFORUM-2038 Invalid email address formatting can cause ugly failure message without explanation
- CHANGE-168 - Fix tax calculations for not-logged-in users, by defaulting to default country/zone just like it does for product listings
- .htaccess - add safety around apache directives to prevent errors with poorly configured servers
- Fix bug in properly detecting SSL mode with zen_redirect calls
- Addressed SSL logoff scenario specific to shared SSL on shared hosting.
- Fix email error handling - was only setting error info if the message succeeded, thus always blank.
- Fix broken markup in admin layout-controller
- add extra line-break before "spam" disclaimer in email footers
- Disable language/currency sideboxes by default, to minimize some confusion
- Fix some collation errors encountered during upgrades
- CHANGE-160 - Various changes for basic compatibility with the proposed PHP 5.4 specifications
- CHANGE-175 - Fix Maximum limit to manage merge of cart on login
- CHANGE-176 - Fix Text Required to allow for 0 to work as Required Text content
- BUGSFORUM-2121 - zc_install - fixed broken link for help with disabling session.use_trans_sid in help text
- Simplified the admin-directory-rename process: New installs now only require renaming the folder. No more special configure.php file edits!
- CHANGE-186 - Removed Tell A Friend feature
- BUGSFORUM-2138 - stripslash keyword in first parsing of search keywords, to protect against broken sql resulting in blank page
- BUGSFORUM-2140 - fix problem with metatag deletion where multiple languages exist
- BUGSFORUM-2150 - PHP Warning: strlen() expects parameter 1 to be string
- BUGSFORUM-2175 - fix XSS issue reported by intermittent PCI scans
- CHANGE-190 - fix constants from discount coupon to gv
- And all the security fixes and bugfixes from prior versions
CHANGELOG - List of Changed Files
For a list of files that have been changed since v1.3.9h, see changed_files-v1-5-0.html
How to Upgrade
Please follow the instructions in the "how to upgrade" documentation in the /docs folder of the Zen Cart® files.
Upgrading Addons or Custom Code
If you are attempting to upgrade custom code or addons written for prior versions, you may find this tutorial article helpful: http://tutorials.zen-cart.com/index.php?article=410
A Word About UTF-8 vs iso-8859-1
Please see this online article for guidance on upgrading old sites from iso-8859-1 to utf8
Server Configuration Requirement
For added security, Zen Cart® comes with several .htaccess files already included in various folders to help provide protection against unwanted visitors and even against misuse of your site in the unfortunate situation of your site being hacked. These protections prevent hackers from using your site as phishing sources.
However, for these built-in protections to work, your web hosting server administrator MUST set the AllowOverride directive in the server's apache configuration (the server's master httpd.conf file) to "All" or at least ensure it includes these parameters: 'Limit Indexes'.
i.e.: AllowOverride All
or: AllowOverride Limit Indexes
(NOTE: You must also add "Options" if uncommenting OPTIONS directives in your .htaccess files)
Without these settings, you will likely encounter "500 Internal Server Error" messages when attempting to access various parts of your site, including perhaps the zc_install installer script.
Storeowners hosting on Windows Servers using IIS instead of Apache may need to remove the .htaccess files and rework them into suitable equivalents within their IIS configuration. See Microsoft's IIS website for specific assistance.
Special Note About ".htaccess" Files
Inside some folders is an .htaccess file that lists certain *permitted* filetypes which may be accessed. (Anything else is blocked to prevent abuse of your site.)
The side effect of this is that if you choose to use media types that are not already listed in the *permitted* list, then your visitors will not be able to see those resources.
Thus, if you are using product images that are not in the list of permitted types in your /images/.htaccess, you will need to add those types to the list.
Similarly, if you are using certain media types in music product previews, you will need to make sure those are in your /media/.htaccess.
And, if you are using filetypes for downloadable products that are not already listed in your /pub/.htaccess and /download/.htaccess you will need to add those as well.
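The AllowOverride requirement from the "Server Configuration Requirement" section and the permitted-filetype .htaccess files described in this section, shown together as an added illustration that is not Zen Cart's own configuration: a httpd.conf Directory block that grants the overrides those files need, beside a deny-by-default .htaccess whitelist of the kind described, with one extra image type added the way a storeowner would. The directory path, the exact list of permitted types and the added "webp" type are assumptions for the example, not values from the Zen Cart distribution.

```apache
# --- httpd.conf (the server's master config): grant the overrides the .htaccess files rely on ---
# The path is assumed for this example; use your real DocumentRoot.
<Directory "/var/www/html">
    # Without at least Limit and Indexes, the directives in the .htaccess files
    # below are refused and Apache answers "500 Internal Server Error".
    # "Options" is only needed if you uncomment Options lines in .htaccess;
    # "AllowOverride All" is the broader equivalent.
    AllowOverride Limit Indexes Options
</Directory>

# --- /images/.htaccess (illustrative; modelled on the deny-by-default pattern described above) ---
# Needs AllowOverride Limit (for Order/Deny/Allow) and Indexes (for IndexIgnore).
# On Apache 2.4 these access directives come from mod_access_compat; the
# native 2.4 form would be "Require all denied" / "Require all granted".

# Block every request into this folder by default...
Order Deny,Allow
Deny from all

# ...then re-allow only the file types a browser legitimately needs here.
# The match is case-sensitive, so add upper-case variants if your image
# files use them. "webp" is the example of a type added by the storeowner;
# it is not part of the assumed original list and shows where new types go.
<FilesMatch "\.(gif|jpe?g|png|webp)$">
    Order Allow,Deny
    Allow from all
</FilesMatch>

# Keep directory listings empty even where the server enables them (Indexes override).
IndexIgnore *

# Turning listings off outright needs the Options override; leave it commented otherwise.
# Options -Indexes
```

A request for /images/upload.php is refused by the default Deny even if a PHP file is somehow written into the folder, while /images/logo.webp is served because the FilesMatch re-allows it; a type missing from that list shows up to visitors as a 403, which is the "cannot see those resources" side effect the notes describe.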