Recently a vulnerability in Zen Cart v1.3.x was announced on a few Security Forums (10-JUL-2008). This purported to be a Local File Inclusion vulnerability in 2 scripts in the Zen Cart Admin.

We have of course looked at the advertised vulnerability and the files that are allegedly vulnerable.

The two files are

admin/includes/initsystem.php
admin/includes/languages/english.php (and, if you have any other language-name.php files in "/admin/includes/languages/", you should fix those too)

It is our considered opinion that it would be impossible to use the advertised vulnerability for the purpose of Local (or even remote) file inclusion.

At worst, the use of this vulnerability will reveal some local file paths on the targeted system.

It should also be noted that the vulnerability relies on the attacker knowing the location of the Zen Cart admin files. As we stress in all of our Security/Installation documentation, people installing Zen Cart should always change the name of the admin folder from the default that is used for installation.

Please see: https://www.zen-cart.com/tutorials/index.php?article=73

In order to protect these files from even the minor effect of revealing system file paths you can do the following.

At the beginning of the file (after the opening <?php ) add the following code:
Code:
if (!defined('IS_ADMIN_FLAG')) {
  die('Illegal Access');
}
For those who are uncomfortable with editing the files, a patch will be issued shortly.

If you have any questions regarding this announcement, or wish to raise other issues related to the security of your Zen Cart system, please use the Zen Cart forum.

Specifically:
http://www.zen-cart.com/forum/forumdisplay.php?f=134
http://www.zen-cart.com/forum/forumdisplay.php?f=151