Hello community!
We are in the process of upgrading to zen cart v1.5.0 from 1.3.9h.
Since our upgrade will take some time due to extensive customization done to the cart and due to the fact we are currently failing our PCI scan due to two vulnerability issues I went ahead and wrote a small patch for v1.3.9h to try to make us compliant while in the process of upgrading.
The vulnerabilities we are trying to covers are: CVE-2011-4567 and CVE-2011-4547
NOTE! this has only been tested on one zencart installation and is in no way extensively tested! So I'm posting this here in hopes other devs might want to try it out and test it?. We have yet to pass the PCI scan and are waiting to see if they take our request for an exception using this patch, but I figure I would share this for those of you in the same boat that would like to try and test this.
To apply the patch create a new file at : <zencart root>/includes/extra_configures/pci_patch_custom.php
The code is as follows:
I would love to hear your suggestions, angry letters, whatever.PHP Code:// BOF - Resolves CVE-2011-4567
// see: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4567
if ( pci_key_is_set('message', $_POST) ) {
$_POST['message'] = pci_sanitizeXSSInput($_POST['message']);
}
// EOF - Resolves CVE-2011-4567
// BOF - Resolves CVE-2011-4547
// see: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4547
if ( pci_key_is_set('main_page', $_GET) || pci_key_is_set('main_page', $GLOBALS)) {
$_GET['main_page'] = pci_sanitizeXSSInput($_GET['main_page']);
$GLOBALS['main_page'] = pci_sanitizeXSSInput($GLOBALS['main_page']);
}
if ( pci_key_is_set('PHP_SELF', $_GET)) {
$_GET['PHP_SELF'] = pci_sanitizeXSSInput($_GET['PHP_SELF']);
}
// EOF - Resolves CVE-2011-4547
function pci_key_is_set($key, &$array) {
return array_key_exists($key, &$array) && $array[$key] != null && strlen($array[$key]) > 0;
}
function pci_sanitizeXSSInput($input) {
if ( !pci_utf8_validate($input) ) {
return '';
}
// remove NULL characters
$input = str_replace(chr(0), '', $input);
// make sure no html entities remain valid
$input = str_replace('&', '&', $input);
// remove all tags
$input = strip_tags($input);
return $input;
}
// borrowed from DRUPAL drupal_validate_utf8
// https://api.drupal.org/api/drupal/includes%21bootstrap.inc/function/drupal_validate_utf8/7
function pci_utf8_validate($input) {
if ( strlen($input) == 0 ) {
return true;
}
// With the PCRE_UTF8 modifier 'u', preg_match() fails silently on strings
// containing invalid UTF-8 byte sequences. It does not reject character
// codes above U+10FFFF (represented by 4 or more octets), though.
return (preg_match('/^./us', $input) == 1);
}
Thread: testing a PCI patch for 139h
Results 1 to 3 of 3
Threaded View
-
3 Sep 2013, 07:55 PM #1
New Zenner
- Join Date
- Dec 2008
- Posts
- 11
- Plugin Contributions
- 0
testing a PCI patch for 139h
Reply With QuoteSimilar Threads
-
v151 upgrading from 139h tp 1.5.1 error #1062 - Duplicate entry '1' for key 'PRIMARY'
By Derek Bryant in forum Upgrading to 1.5.xReplies: 3Last Post: 7 Nov 2012, 05:36 AM -
XSS protection patch - and - PCI Scans - patch
By janissaire in forum Templates, Stylesheets, Page LayoutReplies: 3Last Post: 28 Jan 2010, 09:32 PM -
PCI Scans - patch to handle low-priority warnings on search screen causing scan fail
By DrByte in forum Zen Cart Release AnnouncementsReplies: 1Last Post: 19 Nov 2009, 10:36 PM -
How to get of New PATCH Available: v1.3.8a - patch: [1] :: Important Security Patch
By hcd888 in forum General QuestionsReplies: 15Last Post: 2 Oct 2009, 11:45 AM -
can't change Testing:successful to testing declined in Linkpoint Pymnt Module
By WhiteWolf in forum Built-in Shipping and Payment ModulesReplies: 8Last Post: 3 Jul 2009, 04:27 PM
