Does anyone know about the PCI compliance issue with Zen Cart? Are there any fixes on this issue regarding the "cpath variable error in the root of the page"
Does anyone know about the PCI compliance issue with Zen Cart? Are there any fixes on this issue regarding the "cpath variable error in the root of the page"
Sounds like maybe a problem with an addon you're using?
But, quite frankly, you're talking in a tone that suggests whatever you're referring to is a widespread problem ... where did you get that idea?
And, if it were truly widespread, then it would be discussed significantly here on the forum ... and clearly it isn't.
So ... let's step WAY back and start again ... where did you hear such a rumor? Did you recently fail a scan or something? If so, perhaps it would be way more fruitful for you to post the exact details of such so the matter can be assessed properly. If you heard the allegation someplace else, again you'll need to post exact details and history behind it if you really want a helpful answer.
.
Zen Cart - putting the dream of business ownership within reach of anyone!
Donate to: DrByte directly or to the Zen Cart team as a whole
Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
Hello,
Thank you for the reply. Yes, we did fail a scan yesterday and lost our McAfee Scanalert until we get this fixed. The problem seems to be with the following;
Vulnerability MySQL Database Error Disclosure Vulnerability
Port 80/tcp
Scan Date 13-NOV-2009 10:33
Protocol http Port 80 Read Timeout 10000 Method GET Demo
Path /
Query main_page=index
cPath=x%27%3B%22%2C%29%60
sort=20a
filter_id=5
Headers Referer=http%3A%2F%2Fwww.jorsara.com%2Fkitchen-decor%2Fcanisters
Cookie=zenid%3D516f159b9d484c6ae310ab59b79d1a02
Cookie=zenid%3D976e23f891074bfed5677160754687bc
We have installed some of the security patches just recently and will resubmit for re-scan. Hopefully it will solve this issue. However, if you know anything about this matter I would greatly appreciate any suggestions.
Thanks,
Jorsara.
Have you tried turning off your so-called "SEO URL" addon? Clearly that's what's causing your problem:
Using the parameters from the scan report takes you to this URL: http://www.jorsara.com/kitchen-decor...3B%22%2C%29%60
... which produces this error:
1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\\\';\\\",)`, 'categories', '5b8e771a1dc66f761879ad4f01a7380a_en')' at line 1
in:
[INSERT IGNORE INTO zen_ssu_cache(referring_id, type, file) VALUES(x\\\';\\\",)`, 'categories', '5b8e771a1dc66f761879ad4f01a7380a_en')]
.
Zen Cart - putting the dream of business ownership within reach of anyone!
Donate to: DrByte directly or to the Zen Cart team as a whole
Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
We turned off the SSU and have asked for a rescan. I wondered if that was it or not when I saw earlier the part with the zen_ssu_cache, however I didn't think it would affect just the one category but again I am not a programmer. Now if the scan comes back ok I guess I will look for another mod for SEO URL's. Oh the fun never ends. Do you have any suggestions for this kind of mod?
Yes. Don't use one. Google itself has said that they're unnecessary.
Well when we turned off the SSU and got the rescan everything is fine and got the McAfee Secure back so that's what was creating all the problems.
Stevesh, thanks, I've been hearing that Google prefers no rewrites as they can learn more about a site but looking at our URL's I'd wonder how they can determine anything.
Other option would be not to have McAfee Secure as I'm not convinced it is 100% necessary but seeing the results of their scan showing there were glitches in the DB I'm not sure it should be removed either.
The so-called "SEO" modules that re-write URL's are now part of ancient history, and no longer need to be used.
They may actually have a detrimental effect on your site ranking in search engines.
I have never used them, never advocated that my (many) clients use them, and in fact I steer well clear of them.
And many of my clients enjoy prominent positions in SERPS (many in top spot for important keywords).
I have one client who gets position 1, 3,4 and 8 on page one of a google search for a specific (important) key word - and we have never paid the slightest attention to all the SEO nonsense that is endemic on the www.
Just make sure the content is good, relevant, meaningful and comprehensive. Get good sites to reference your url's. Get XMLSitemaps installed and regularly add and edit content to keep it topical.
Avoid these SEO things. They are no longer necessary.
20 years a Zencart User