    IMPORTANT ADMIN SECURITY PATCH -- security_patch_v138_20090619.zip

    Hi,

    A SERIOUS vulnerability has been discovered in the admin section of v1.3.8 (and previous versions). To take advantage of this vulnerability any attacker must know the URL of your admin section. As our security recommendations point out, you should change the folder that your admin resides in as soon as you have installed Zen Cart.

    However we realise that relying on this 'Security through Obscurity' is not foolproof, hence the release of this patch.

    A link to the patch file is posted below. Please download the patch file and unzip it. The zip file contains a readme.html with full details on how to install the security patch files. In the main, the security patch uses Zen Cart's override system to make installation as simple as possible.

    If your "Admin" folder is still named /admin/ then YOU NEED TO INSTALL THIS PATCH, *AND* you need to rename your admin folder!



    IMPORTANT NOTE:
    As with all Zen Cart zip files, there are Directories/Folders embedded in the zip. So, when you expand/unzip, you MUST tell your unzip program to expand the folders too! Otherwise you are likely to end up putting the wrong files in the wrong places.

    And ... follow the instructions CAREFULLY ... Remember, the documentation tells you exactly where to put the files. Don't make any assumptions.
    This is an ADMIN patch ... so ALL the files go under your admin directory in their respective folders ... again, the documentation is clear, so use it.

    ALERT ALERT ALERT!!!! Many people have mis-read the documentation, and mistakenly applied updates to some NON-Admin files. THIS PATCH *ONLY* deals with admin files. So, when editing/updating, make SURE you ONLY handle files under your admin folder. That includes the html_output.php file too!

    REMEMBER (In case it's not self-evident) ... WHEN APPLYING *ANY* PATCHES (or addons or customizations for that matter), ALWAYS DO A *FULL* BACKUP of your database data and your PHP/HTML/CSS/TEMPLATE/IMAGES files by downloading them (via FTP) to your computer and zipping and/or burning to a CD/DVD.



    Zen Cart v1.3.X
    The security patch will work for all versions in the 1.3.x series.
    Simply unzip and upload the included files as per the documentation included in the zip.

    Zen Cart v1.2.X
    Older releases, i.e. v1.2.x, no longer officially receive technical support.
    However, you CAN use ONE file from this patch to help secure your v1.2.x site:
    Simply unzip this patch file and copy the /admin/includes/functions/extra_functions/security_patch_v138_20090619.php file to your /admin/includes/functions/extra_functions/ folder.
    However we strongly advise anyone using the 1.2.x versions to upgrade to 1.3.8 as soon as possible.

    Zen Cart v1.1.X
    Patching a v1.1.x site will require manual coding changes. If you require such assistance, post to the "Concerns about Hack Attempts" section of the forum and mention your Zen Cart version in the subject.


    Thanks to Ghyslain/BlackH for alerting us to one aspect of this vulnerability.
    Last edited by wilt; 25 Jun 2009 at 05:01 AM. Reason: slight typo in a directory name in the readme.html
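The post repeatedly warns that people applied the admin-only patch to catalog-side files (the two html_output.php copies are the usual confusion). The following script is an added example, not part of the announcement or of Zen Cart's own code: it reads a patch zip, maps every file entry to its place under your (renamed) admin folder, and refuses to write anything if an entry lives outside the zip's admin/ folder or tries to escape the destination. It assumes the zip stores admin files under a top-level admin/ folder, as the path quoted in the post suggests; the sample zip it builds is constructed here with placeholder contents.

```python
import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath

# Top-level folder the patch zip uses for admin-side files. Assumption based on
# the path quoted in the post (/admin/includes/functions/extra_functions/...).
ADMIN_PREFIX = "admin/"


def plan_patch(zip_bytes, admin_dir):
    """Map each file entry in the patch zip to its destination under admin_dir.

    Returns (plan, rejected): plan is a list of (entry_name, destination Path);
    rejected holds entries that are not under admin/ or that would escape admin_dir.
    """
    plan, rejected = [], []
    admin_dir = Path(admin_dir)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if not name.startswith(ADMIN_PREFIX):
                rejected.append(name)  # catalog-side path: this patch is admin-only
                continue
            rel = PurePosixPath(name[len(ADMIN_PREFIX):])
            if rel.is_absolute() or not rel.parts or ".." in rel.parts:
                rejected.append(name)  # traversal or empty path: never write it
                continue
            plan.append((name, admin_dir.joinpath(*rel.parts)))
    return plan, rejected


def apply_patch(zip_bytes, admin_dir, dry_run=True):
    """Copy the planned admin files into admin_dir (your renamed admin folder).

    Refuses to write anything if any entry was rejected, so a zip that mixes
    admin and non-admin files is never half-applied. Returns the destination
    paths written (or that would be written in a dry run).
    """
    plan, rejected = plan_patch(zip_bytes, admin_dir)
    if rejected:
        raise ValueError(f"patch contains non-admin or unsafe entries: {rejected}")
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name, dest in plan:
            if not dry_run:
                dest.parent.mkdir(parents=True, exist_ok=True)
                dest.write_bytes(zf.read(name))
            written.append(dest)
    return written


def build_sample_zip(include_catalog_file=False):
    """Constructed stand-in for the real patch zip; file contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("admin/includes/functions/extra_functions/security_patch_v138_20090619.php",
                    "<?php // placeholder, not the real patch file\n")
        zf.writestr("admin/includes/functions/html_output.php",
                    "<?php // placeholder for the admin-side html_output.php\n")
        if include_catalog_file:
            # The mistake the post warns about: a catalog-side html_output.php.
            zf.writestr("includes/functions/html_output.php", "<?php // wrong place\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Dry run first, then a real write into a throwaway directory standing in
    # for a renamed admin folder (e.g. /myshopadmin/ instead of /admin/).
    sample = build_sample_zip()
    for name, dest in plan_patch(sample, "/var/www/shop/myshopadmin")[0]:
        print(f"{name} -> {dest}")
    with tempfile.TemporaryDirectory() as tmp:
        for dest in apply_patch(sample, tmp, dry_run=False):
            print("wrote", dest)
```

Run it against the real zip by passing `Path("security_patch_v138_20090619.zip").read_bytes()` and the path of your renamed admin folder; keep `dry_run=True` until the printed destinations all sit where the readme says they should.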
