Results 1 to 8 of 8
  1. #1
    Join Date
    Oct 2009
    Posts
    89
    Plugin Contributions
    0

    Default Cpath error - PCI compliance (bug in SSU addon)

    Does anyone know about the PCI compliance issue with Zen Cart? Are there any fixes on this issue regarding the "cpath variable error in the root of the page"

  2. #2
    Join Date
    Jan 2004
    Posts
    66,446
    Plugin Contributions
    81

    Default Re: Cpath error - PCI compliance

    Sounds like maybe a problem with an addon you're using?

    But, quite frankly, you're talking in a tone that suggests whatever you're referring to is a widespread problem ... where did you get that idea?
    And, if it were truly widespread, then it would be discussed significantly here on the forum ... and clearly it isn't.

    So ... let's step WAY back and start again ... where did you hear such a rumor? Did you recently fail a scan or something? If so, perhaps it would be way more fruitful for you to post the exact details of such so the matter can be assessed properly. If you heard the allegation someplace else, again you'll need to post exact details and history behind it if you really want a helpful answer.
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  3. #3
    Join Date
    Oct 2009
    Posts
    89
    Plugin Contributions
    0

    Default Re: Cpath error - PCI compliance

    Hello,

    Thank you for the reply. Yes, we did fail a scan yesterday and lost our McAfee Scanalert until we get this fixed. The problem seems to be with the following;

    Vulnerability MySQL Database Error Disclosure Vulnerability
    Port 80/tcp
    Scan Date 13-NOV-2009 10:33

    Protocol http Port 80 Read Timeout 10000 Method GET Demo
    Path /
    Query main_page=index
    cPath=x%27%3B%22%2C%29%60
    sort=20a
    filter_id=5
    Headers Referer=http%3A%2F%2Fwww.jorsara.com%2Fkitchen-decor%2Fcanisters
    Cookie=zenid%3D516f159b9d484c6ae310ab59b79d1a02
    Cookie=zenid%3D976e23f891074bfed5677160754687bc

    We have installed some of the security patches just recently and will resubmit for re-scan. Hopefully it will solve this issue. However, if you know anything about this matter I would greatly appreciate any suggestions.

    Thanks,
    Jorsara.

  4. #4
    Join Date
    Jan 2004
    Posts
    66,446
    Plugin Contributions
    81

    Default Re: Cpath error - PCI compliance

    Have you tried turning off your so-called "SEO URL" addon? Clearly that's what's causing your problem:
    Using the parameters from the scan report takes you to this URL: http://www.jorsara.com/kitchen-decor...3B%22%2C%29%60
    ... which produces this error:
    1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\\\';\\\",)`, 'categories', '5b8e771a1dc66f761879ad4f01a7380a_en')' at line 1
    in:
    [INSERT IGNORE INTO zen_ssu_cache(referring_id, type, file) VALUES(x\\\';\\\",)`, 'categories', '5b8e771a1dc66f761879ad4f01a7380a_en')]
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  5. #5
    Join Date
    Oct 2009
    Posts
    89
    Plugin Contributions
    0

    Default Re: Cpath error - PCI compliance (bug in SSU addon?)

    We turned off the SSU and have asked for a rescan. I wondered if that was it or not when I saw earlier the part with the zen_ssu_cache, however I didn't think it would affect just the one category but again I am not a programmer. Now if the scan comes back ok I guess I will look for another mod for SEO URL's. Oh the fun never ends. Do you have any suggestions for this kind of mod?

  6. #6
    Join Date
    Feb 2005
    Location
    Lansing, Michigan USA
    Posts
    20,021
    Plugin Contributions
    3

    Default Re: Cpath error - PCI compliance (bug in SSU addon?)

    Yes. Don't use one. Google itself has said that they're unnecessary.

  7. #7
    Join Date
    Oct 2009
    Posts
    89
    Plugin Contributions
    0

    Default Re: Cpath error - PCI compliance (bug in SSU addon?)

    Well when we turned off the SSU and got the rescan everything is fine and got the McAfee Secure back so that's what was creating all the problems.

    Stevesh, thanks, I've been hearing that Google prefers no rewrites as they can learn more about a site but looking at our URL's I'd wonder how they can determine anything.

    Other option would be not to have McAfee Secure as I'm not convinced it is 100% necessary but seeing the results of their scan showing there were glitches in the DB I'm not sure it should be removed either.

  8. #8
    Join Date
    Jun 2005
    Location
    Cumbria, UK
    Posts
    10,267
    Plugin Contributions
    3

    Default Re: Cpath error - PCI compliance (bug in SSU addon?)

    The so-called "SEO" modules that re-write URL's are now part of ancient history, and no longer need to be used.

    They may actually have a detrimental effect on your site ranking in search engines.

    I have never used them, never advocated that my (many) clients use them, and in fact I steer well clear of them.

    And many of my clients enjoy prominent positions in SERPS (many in top spot for important keywords).

    I have one client who gets position 1, 3,4 and 8 on page one of a google search for a specific (important) key word - and we have never paid the slightest attention to all the SEO nonsense that is endemic on the www.

    Just make sure the content is good, relevant, meaningful and comprehensive. Get good sites to reference your url's. Get XMLSitemaps installed and regularly add and edit content to keep it topical.

    Avoid these SEO things. They are no longer necessary.
    20 years a Zencart User

 

 

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
disjunctive-egg