Zen Cart Support > News and Announcements > Zen Cart Release Announcements

Old 17th August 2006, 01:06 AM   #1
DrByte
Sensei
Join Date: Jan 2004
Location: Ontario, Canada
Posts: 39,867
Security Patches for v1.3.0x

As a result of a security vulnerability reported today, we are releasing the following patch instructions for anyone using Zen Cart v1.3.0, v1.3.0.1, v1.3.0.2:

It is strongly advised that you apply these fixes immediately!

Make the following code edits to secure your site:
---------------------------
1. includes/application_top.php
line 83:
Code:
include($base_dir . $loader_file);
ADD this new EXTRA line immediately above it
(Do not REPLACE it .... just INSERT A NEW LINE with this on it):
Code:
$autoLoadConfig = array();
When you're done, it should look like this:
Code:
/**
 * load the default application_top autoloader file.
 */
$autoLoadConfig = array();
include($base_dir . $loader_file);
if ($loader_dir = dir(DIR_WS_INCLUDES . 'auto_loaders')) {
---------------------------


2. includes/classes/shopping_cart.php
line 354:
Code:
                set customers_basket_quantity = '" . $quantity . "'
should be replaced with:
Code:
                set customers_basket_quantity = '" . (float)$quantity . "'

---------------------------

3. includes/modules/order_total/ot_coupon.php
lines 104-108:
Code:
      $coupon_result=$db->Execute("select coupon_id, coupon_amount, coupon_type, coupon_minimum_order,
                                     uses_per_coupon, uses_per_user, restrict_to_products,
                                     restrict_to_categories from " . TABLE_COUPONS . "
                                   where coupon_code='". $_POST['dc_redeem_code']."'
                                   and coupon_active='Y'");
should be replaced with:
Code:
      $sql = "select coupon_id, coupon_amount, coupon_type, coupon_minimum_order, uses_per_coupon, uses_per_user,
              restrict_to_products, restrict_to_categories 
              from " . TABLE_COUPONS . "
              where coupon_code= :couponCodeEntered
              and coupon_active='Y'";
      $sql = $db->bindVars($sql, ':couponCodeEntered', $_POST['dc_redeem_code'], 'string'); 

      $coupon_result=$db->Execute($sql);


---------------------------


4. includes/modules/payment/paypal/paypal_functions.php
line 35:
Code:
    $sql = "select * from " . TABLE_PAYPAL_SESSION . " where session_id = '" . $session_stuff[1] . "'";
should be replaced with these lines:
Code:
    $sql = "SELECT * 
            FROM " . TABLE_PAYPAL_SESSION . " 
            WHERE session_id = :sessionID";
    $sql = $db->bindVars($sql, ':sessionID', $session_stuff[1], 'string');

---------------------------

5. includes/functions/whos_online.php (only applies to v1.3.0.2 ... if you don't have this line, then you don't have a full v1.3.0.2 install)
line 101:
Code:
          set session_id = '" . $new_session . "' WHERE session_id = '" . $old_session . "'";
should be replaced with these lines:
Code:
          SET session_id = :newSessionID 
          WHERE session_id = :oldSessionID";
  $sql = $db->bindVars($sql, ':newSessionID', $new_session, 'string'); 
  $sql = $db->bindVars($sql, ':oldSessionID', $old_session, 'string');
---------------------------

A new bugfix release will be published shortly and will contain these fixes.

It is strongly advised that you apply these fixes immediately!

NOTE: When editing, be careful not to leave blank lines at the end of your files.
It is strongly recommended to use a code editor for making changes to these files; suitable free editors include Notepad++ and Crimson Editor.
A good free FTP program to use is FileZilla.


ABOUT SECURITY
In the .zip file you downloaded for installing Zen Cart, and/or in the /docs folder of your site, there is a document called "Important Site Security Recommendations" which you should be addressing. An online version of the same document is available here:
http://www.zen-cart.com/wiki/index.p...ecommendations


Old 18th August 2006, 03:29 PM   #2
DrByte
Sensei
Re: Security Patches for v1.2.x

For people concerned about v1.2.x, you can tighten security here:

---------------------------

1. includes/classes/shopping_cart.php
approximately line 256, depending on your version:
Code:
                set customers_basket_quantity = '" . $quantity . "'
should be replaced with:
Code:
                set customers_basket_quantity = '" . (float)$quantity . "'
---------------------------

2. includes/modules/order_total/ot_coupon.php
lines 103-107:
Code:
      $coupon_result=$db->Execute("select coupon_id, coupon_amount, coupon_type, coupon_minimum_order,
                                     uses_per_coupon, uses_per_user, restrict_to_products,
                                     restrict_to_categories from " . TABLE_COUPONS . "
                                   where coupon_code='". $_POST['dc_redeem_code']."'
                                   and coupon_active='Y'");
should be replaced with:
Code:
      $coupon_result=$db->Execute("select coupon_id, coupon_amount, coupon_type, coupon_minimum_order,
                                       uses_per_coupon, uses_per_user, restrict_to_products,
                                       restrict_to_categories from " . TABLE_COUPONS . "
                                       where coupon_code='". zen_db_input($_POST['dc_redeem_code'])."'
                                       and coupon_active='Y'");


---------------------------

ABOUT SECURITY
In the .zip file you downloaded for installing Zen Cart, and/or in the /docs folder of your site, there is a document called "Important Site Security Recommendations" which you should be addressing. An online version of the same document is available here:
http://www.zen-cart.com/wiki/index.p...ecommendations


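Added example (not Zen Cart's code and not part of either post above) showing why the fix patterns in this thread, the bindVars placeholders in the v1.3.0x post, zen_db_input() in the v1.2.x post and the (float) cast in both, change the SQL that reaches the database. zc_escape() and zc_bind() are hypothetical stand-ins for zen_db_input() and $db->bindVars(..., 'string'), assumed to escape and single-quote a string value; the coupon code and quantity are constructed inputs.

```php
<?php
// Added illustration; zc_escape() and zc_bind() are hypothetical stand-ins for
// zen_db_input() and $db->bindVars(..., 'string'), not Zen Cart's own functions.

// Escape the characters that can end or alter a single-quoted MySQL literal.
// Backslash is handled first so the escapes added afterwards are not doubled.
function zc_escape(string $value): string
{
    $from = ["\\",   "'",   "\"",   "\0",  "\n",  "\r",  "\x1a"];
    $to   = ["\\\\", "\\'", "\\\"", "\\0", "\\n", "\\r", "\\Z"];
    return str_replace($from, $to, $value);
}

// Replace a named placeholder with the escaped, quoted value, which is what the
// bindVars(..., 'string') lines in the patches do. Placeholder names must not be
// prefixes of one another (':id' and ':idx'), since this is a plain substitution.
function zc_bind(string $sql, string $name, string $value): string
{
    return str_replace($name, "'" . zc_escape($value) . "'", $sql);
}

// Before: the submitted coupon code is spliced into the query (unpatched ot_coupon.php).
function coupon_query_unsafe(string $code): string
{
    return "select coupon_id from coupons where coupon_code='" . $code . "' and coupon_active='Y'";
}

// After: a placeholder is bound to the escaped, quoted value (patched ot_coupon.php).
function coupon_query_safe(string $code): string
{
    $sql = "select coupon_id from coupons where coupon_code= :couponCodeEntered and coupon_active='Y'";
    return zc_bind($sql, ':couponCodeEntered', $code);
}

// The shopping_cart.php fix: the quantity is cast to float, so non-numeric input
// collapses to 0 (or to its leading numeric prefix) before it reaches the SQL.
function basket_quantity_fragment(string $quantity): string
{
    return "set customers_basket_quantity = '" . (float)$quantity . "'";
}

// Constructed coupon code containing an apostrophe, the character that closes the
// single-quoted literal in the unpatched query.
$entered = "O'REILLY10";
echo coupon_query_unsafe($entered), "\n";    // the literal ends after the O
echo coupon_query_safe($entered), "\n";      // the apostrophe arrives escaped
echo basket_quantity_fragment("2abc"), "\n"; // only the numeric prefix survives
```

Comparing the two echoed coupon queries shows the one place the patches change: the value is quoted by the binding code rather than by string concatenation, so the apostrophe can no longer terminate the literal.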