    #1 (Join Date: Sep 2005; Posts: 5; Plugin Contributions: 0)

    Security Alert: SQL Injection Protection 2008-09-19 Confusion

    I'm confused about Security Alert: SQL Injection Protection 2008-09-19.

    The announcement here --

    http://www.zen-cart.com/forum/showthread.php?t=108428

    -- has an update Sept 23 saying "The attached patch file is an update to, and should replace, the one originally issued on Sept 19."

    But the "update" (security_patch_v138_20080919.php) is identical to the one I already installed on Sept 22.

    Could someone please clarify whether this is the latest version? It's confusing that the file name and contents still have the date Sept 19. I'm pasting the file below.

    Thanks and best wishes,

    Tom
    Code:
    <?php
    /**
     * Security Patch v1.3.8 20080919
     *
     * @package initSystem
     * @copyright Copyright 2003-2008 Zen Cart Development Team
     * @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
     * @version $Id: security_patch_v138_20080919.php 9900 2008-09-22 21:39:12Z wilt $
     */
    /**
     * Security Patch
     *
     * Multiple Vulnerabilities
     *
     * SQL Injection - $_POST['products_id']
     * SQL Injection - $_POST['id']
     *
     * Please Note : This file should be placed in includes/extra_configures and will automatically load.
     *
     * Editor's note: the regex calls below used ereg_replace() in the file as posted;
     * they are written with preg_replace() here because the ereg extension was
     * removed in PHP 7. The character classes are unchanged except that 'A-z' in
     * the key checks (which also admitted [ \ ] ^ ` ) is corrected to 'A-Z'.
     */
    // Sanitize the two POST arrays before any page code reads them.
    if (isset($_POST['id']) && is_array($_POST['id']) && count($_POST['id']) > 0)
    {
      $_POST['id'] = securityPatchSanitizePostVariableId($_POST['id']);
    }
    if (isset($_POST['products_id']) && is_array($_POST['products_id']) && count($_POST['products_id']) > 0)
    {
      $_POST['products_id'] = securityPatchSanitizePostVariableProductsId($_POST['products_id']);
    }
    // $_POST['id']: integer-keyed values are cast to int (nested arrays are
    // recursed into); string-keyed values are left as they are. Any entry whose
    // key contains a character outside [0-9A-Za-z:_] is removed outright.
    function securityPatchSanitizePostVariableId ($arrayToSanitize)
    {
      foreach ($arrayToSanitize as $key => $variableToSanitize)
      {
        if (is_integer($key))
        {
          if (is_array($arrayToSanitize[$key]))
          {
            $arrayToSanitize[$key] = securityPatchSanitizePostVariableId($arrayToSanitize[$key]);
          }
          else
          {
            $arrayToSanitize[$key] = (int) $variableToSanitize;
          }
        }
        if (preg_replace('/[0-9a-zA-Z:_]/', '', (string) $key) !== '')
          unset($arrayToSanitize[$key]);
      }
      return $arrayToSanitize;
    }
    // $_POST['products_id']: each value keeps only hex digits, ':' and '.'
    // (the characters a product id with an attribute-hash suffix is made of);
    // quotes, whitespace, operators and all other letters are stripped. Any
    // entry whose key contains a character outside [0-9A-Za-z_] is removed.
    function securityPatchSanitizePostVariableProductsId ($arrayToSanitize)
    {
      foreach ($arrayToSanitize as $key => $variableToSanitize)
      {
        $arrayToSanitize[$key] = preg_replace('/[^0-9a-fA-F:.]/', '', (string) $variableToSanitize);
        if (preg_replace('/[0-9a-zA-Z_]/', '', (string) $key) !== '')
          unset($arrayToSanitize[$key]);
      }
      return $arrayToSanitize;
    }
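To see what the patch above actually does to a request, here is an added example (editor's code, not part of the Zen Cart patch or of either post) that feeds constructed POST data through the two sanitizers and prints the arrays before and after. The regexes are the patch's own, ported from ereg_replace() to preg_replace(); the `id:hash` shape of the well-formed products_id value and the script filename are assumptions.

```php
<?php
// Added example, not part of the Zen Cart patch or this thread: runs the
// patch's two sanitizer rules over constructed $_POST data so the effect of
// each rule is visible. Regexes are the patch's, ported to preg_replace().

function sanitizeId(array $a): array
{
    foreach ($a as $key => $value) {
        if (is_int($key)) {
            // Integer-keyed entries: recurse into arrays, otherwise cast to int.
            // PHP's (int) keeps the leading digits of a string and drops the rest.
            $a[$key] = is_array($value) ? sanitizeId($value) : (int) $value;
        }
        // String-keyed entries are never cast; they survive untouched as long
        // as the key itself consists only of [0-9A-Za-z:_].
        if (preg_replace('/[0-9a-zA-Z:_]/', '', (string) $key) !== '') {
            unset($a[$key]);
        }
    }
    return $a;
}

function sanitizeProductsId(array $a): array
{
    foreach ($a as $key => $value) {
        // Values keep only hex digits, ':' and '.'; quotes, spaces, '=', '-'
        // and every letter outside a-f / A-F are removed.
        $a[$key] = preg_replace('/[^0-9a-fA-F:.]/', '', (string) $value);
        if (preg_replace('/[0-9a-zA-Z_]/', '', (string) $key) !== '') {
            unset($a[$key]);
        }
    }
    return $a;
}

// Constructed request body (not captured traffic). The 'id:hash' form of the
// first products_id value is an assumption drawn from the allowed charset.
$_POST = [
    'products_id' => [
        '123:1a2b3c4d',                  // well-formed id:attribute-hash
        "1' OR 1=1 -- ",                 // classic tautology
        '1 AND sleep(5)',                // time-based probe
    ],
    'id' => [
        5     => '9',                    // option 5 => value 9
        6     => '9 UNION SELECT 1,2,3', // integer key: value cast to int
        7     => ['8', "8' --"],         // nested array: recursed into
        'x'   => '8 OR 1=1',             // string key: value is not cast
        'a b' => '1',                    // key with a space: entry removed
    ],
];

$before = $_POST;
$_POST['id'] = sanitizeId($_POST['id']);
$_POST['products_id'] = sanitizeProductsId($_POST['products_id']);

foreach (['products_id', 'id'] as $name) {
    echo "$name before: ", var_export($before[$name], true), "\n";
    echo "$name after:  ", var_export($_POST[$name], true), "\n\n";
}
```

Run it with `php sanitize_demo.php` (assumed filename) on PHP 7 or later. Two things worth noticing in the output: the tautology in products_id collapses to nothing but the three digits it contained, because the quote, spaces, `O`, `R`, `=` and `-` are all outside the hex class; and in `id`, only the integer-keyed values are cast, so a string-keyed value such as `x` is passed through exactly as submitted whenever its key is made of allowed characters. Whether that second point matters depends on how the receiving page uses `$_POST['id']`, which this thread does not show.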

    #2 (Join Date: Mar 2004; Posts: 16,042; Plugin Contributions: 5)

    Re: Security Alert: SQL Injection Protection 2008-09-19 Confusion

    The patch is not exactly the same; the first patch sanitized way too much.
    Zen cart PCI compliant Hosting
