  1. #1

    PCI Scans - patch to handle low-priority warnings on search screen causing scan fail

    There are some reports of sites failing PCI scans due to an error message that can appear on the search screen if someone attempts to do a SQL injection attack. While the attack fails, an error message appears which, to the purists, discloses the name of the database table and thus gets flagged as a problem. While it's a minor issue and poses no actual direct vulnerability, the PCI scan will fail.

    To fix this in Zen Cart v1.3.0 through v1.3.8a, simply do the following:

    Create a NEW file, call it: /includes/extra_configures/pci_patch_v13x_search.php
    And insert only the following code into that file before saving and uploading to your server:
    Code:
    <?php
    // Only act when a search keyword was actually submitted.
    if (isset($_GET['keyword']) && $_GET['keyword'] != '')
    {
      // Exactly one double-quote means an unterminated quoted phrase.
      $count = substr_count($_GET['keyword'], '"');
      if ($count == 1)
      {
        // If the lone quote is the first character, close the phrase.
        if(substr(stripslashes(trim($_GET['keyword'])), 0, 1) == '"')
        {
          $_GET['keyword'] .= '"';
        }
      }
      $_GET['keyword'] = stripslashes($_GET['keyword']);
    }
    
    // Cut over-long sort values down to the expected three characters.
    if (isset($_GET['sort']) && strlen($_GET['sort']) > 3) {
      $_GET['sort'] = substr($_GET['sort'], 0, 3);
    }
    Zen Cart versions 1.2.x and older are reminded that they need to upgrade. This patch will not work for them.

    And for those of you who wonder, the closing ?> tag is INTENTIONALLY left off of the above code snippet. See here for why: http://tutorials.zen-cart.com/index.php?article=313
    Last edited by DrByte; 19 Nov 2009 at 10:35 PM. Reason: added the filter for $_GET['sort']

  2. #2

    Re: PCI Scans - patch to handle low-priority warnings on search screen causing scan fail

    Another PCI flag could be raised if long strings are used for sort parameters.
    Again, while the so-called "attack" attempt will fail, an error message will appear, causing a PCI scan to raise a red flag.

    Fixing this matter involves simply using the revised code posted above, as edited today.
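The two filters from the patch above (the quote balancing for `keyword` in post #1 and the length cap for `sort` from post #2), as an added example that is not part of DrByte's post or of Zen Cart itself. It wraps the same logic in a function so it can be run against constructed inputs, and reports which parameters it had to rewrite so a site operator could log scanner probes instead of serving the error page. The function name, the `$changes` parameter, the sample inputs and the assumption that a legitimate `sort` value is at most three characters (such as `20a`) are all this example's own, not stated in the thread.

```php
<?php
// Added example, not DrByte's patch: the two filters from the thread wrapped
// in a pure function so they can be exercised on constructed input and so a
// site operator can record when a request had to be rewritten.
// Assumptions (not stated in the thread): 'sort' is meant to be at most
// three characters such as "20a"; every other parameter is left alone.

function pci_filter_search_params(array $params, array &$changes = [])
{
    $changes = [];

    if (isset($params['keyword']) && $params['keyword'] != '') {
        $before = $params['keyword'];

        // Exactly one double quote means an unterminated quoted phrase, which
        // is what produces the error message the scanner flags.
        if (substr_count($params['keyword'], '"') == 1
            && substr(stripslashes(trim($params['keyword'])), 0, 1) == '"') {
            // Close the phrase so the search parser sees a matched pair.
            $params['keyword'] .= '"';
        }
        $params['keyword'] = stripslashes($params['keyword']);

        if ($params['keyword'] !== $before) {
            $changes[] = 'keyword';
        }
    }

    if (isset($params['sort']) && strlen($params['sort']) > 3) {
        // Oversized sort values are cut to the expected length instead of
        // being handed to the query builder as-is.
        $params['sort'] = substr($params['sort'], 0, 3);
        $changes[] = 'sort';
    }

    return $params;
}

// Constructed inputs and the output the filter produces for each.
$cases = [
    // leading quote without a closing one: the patch balances it
    [['keyword' => '"widget'],                 ['keyword' => '"widget"']],
    // already balanced phrase: untouched
    [['keyword' => '"blue widget"'],           ['keyword' => '"blue widget"']],
    // the only quote is not the first character: left as is (see note)
    [['keyword' => 'widget"'],                 ['keyword' => 'widget"']],
    // magic_quotes_gpc style escaping is undone by stripslashes
    [['keyword' => "it\\'s"],                  ['keyword' => "it's"]],
    // ordinary sort value: untouched
    [['sort' => '20a'],                        ['sort' => '20a']],
    // over-long sort value: truncated to three characters
    [['sort' => '20a' . str_repeat('A', 200)], ['sort' => '20a']],
];

foreach ($cases as $i => $case) {
    list($in, $expected) = $case;
    $changes = [];
    $out = pci_filter_search_params($in, $changes);
    if ($out !== $expected) {
        fwrite(STDERR, "case $i: got " . var_export($out, true) . "\n");
        exit(1);
    }
    // $changes names the parameters that were rewritten; a deployment could
    // write this to the web server log to see probes without the error page.
    echo "case $i ok, rewritten: "
        . (count($changes) ? implode(',', $changes) : 'none') . "\n";
}
```

Two points the sample cases make visible. First, only a keyword whose single double quote is the first character gets balanced; a lone quote anywhere else passes through unchanged, so if the search parser also objects to that form, this filter does not cover it. Second, `stripslashes()` runs unconditionally: on the PHP 5.2-era servers the patch was written for, that undoes `magic_quotes_gpc` escaping, but on PHP 5.4 and later, where magic quotes no longer exist, it also removes any backslash a shopper typed on purpose.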
