Results 1 to 2 of 2
  1. #1
    Join Date
    Jun 2003
    Location
    Newcastle UK
    Posts
    2,896
    Blog Entries
    2
    Plugin Contributions
    2

    Default July 2008 Security Announcement

    Recently a vulnerability in Zen Cart v1.3.x was announced on a few Security Forums (10-JUL-2008). This purported to be a Local File Inclusion vulnerability in 2 scripts in the Zen Cart Admin.

    We have of course looked at the advertised vulnerability and the files that are allegedly vulnerable.

    The two files are

    admin/includes/initsystem.php
    admin/includes/languages/english.php (and, if you have any other language-name.php files in "/admin/includes/languages/", you should fix those too)

    It is our considered opinion that it would be impossible to use the advertised vulnerability for the purpose of Local (or even remote) file inclusion.

    At worst, the use of this vulnerability will reveal some local file paths on the targeted system.

    It should also be noted that the vulnerability relies on the attacker knowing the location of the Zen Cart admin files. As we stress in all of our Security/Installation documentation, people installing Zen Cart should always change the name of the admin folder from the default that is used for installation.

    Please see: https://www.zen-cart.com/tutorials/index.php?article=73

    In order to protect these files from even the minor effect of revealing system file paths you can do the following.

    At the beginning of the file (after the opening <?php ) add the following code:
    Code:
    if (!defined('IS_ADMIN_FLAG')) {
      die('Illegal Access');
    }
    For those who are uncomfortable with editing the files, a patch will be issued shortly.

    If you have any questions regarding this announcement, or wish to raise other issues related to the security of your Zen Cart system, please use the Zen Cart forum.

    Specifically:
    http://www.zen-cart.com/forum/forumdisplay.php?f=134
    http://www.zen-cart.com/forum/forumdisplay.php?f=151

  2. #2
    Join Date
    Jan 2004
    Posts
    66,407
    Blog Entries
    7
    Plugin Contributions
    81

    Default Re: Security Announcement

    1. The fastest "fix" is to edit the files as described in wilt's post above.

    2. If you want example patched files, use the attached zip, as described below:

    For v1.3.8, use BOTH files included in this zip, or make the changes manually as described above. NOTE: If you use the attached files, be sure to *merge* your customizations into the updated files before uploading. If you upload without preserving/rebuilding your customizations to the language file, you will overwrite and lose those customizations.

    For v1.3.7, use just the included "english.php" file, or make the change manually as described above. The note about merging customizations applies equally. The initsystem.php file is not used prior to v1.3.8, so is not needed for v1.3.7 and earlier.

    For versions prior to v1.3.7, make the change described in the post above ... to only the admin english.php file, as indicated.

    For v1.2.x, making the described changes will break your admin area. Your best solution is to upgrade. Keep in mind that v1.2.x is officially no longer supported, and is not compatible with PHP5. If your server gets upgraded to PHP5, your store will break. It's best to plan your upgrade well in advance of such server changes and before busier seasons such as Christmas etc.
    Attached Files Attached Files
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

 

 

Similar Threads

  1. Important announcement about POODLE and payment security
    By DrByte in forum Zen Cart Release Announcements
    Replies: 4
    Last Post: 31 Dec 2014, 08:51 PM
  2. Re: Important announcement about POODLE and payment security
    By shags38 in forum General Questions
    Replies: 1
    Last Post: 20 Oct 2014, 04:46 AM
  3. Security Alert: SQL Injection Protection 2008-09-19
    By DrByte in forum Zen Cart Release Announcements
    Replies: 2
    Last Post: 30 Sep 2008, 06:21 AM
  4. Replies: 1
    Last Post: 29 Sep 2008, 05:55 PM
  5. WA Retail Sales Tax is changing July 1 2008.
    By birdoasis in forum Addon Shipping Modules
    Replies: 3
    Last Post: 7 Aug 2008, 03:32 AM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
disjunctive-egg
Zen-Cart, Internet Selling Services, Klamath Falls, OR