There are some reports of sites failing PCI scans due to an error message that can appear on the search screen if someone attempts to do a SQL injection attack. While the attack fails, an error message appears which, to the purists, discloses the name of the database table and thus gets flagged as a problem. While it's a minor issue and poses no actual direct vulnerability, the PCI scan will fail.
To fix this in Zen Cart v1.3.0 through v1.3.8a, simply do the following:
Create a NEW file, call it: /includes/extra_configures/pci_patch_v13x_search.php
And insert only the following code into that file before saving and uploading to your server:
Code:
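<?php
// Search keyword: balance a lone leading double quote, then strip slashes.
if (isset($_GET['keyword']) && $_GET['keyword'] != '')
{
  $count = substr_count($_GET['keyword'], '"');
  if ($count == 1)
  {
    // Exactly one double quote, and it is the first character: append the closing quote.
    if (substr(stripslashes(trim($_GET['keyword'])), 0, 1) == '"')
    {
      $_GET['keyword'] .= '"';
    }
  }
  $_GET['keyword'] = stripslashes($_GET['keyword']);
}
// Sort parameter: keep only the first 3 characters.
if (isset($_GET['sort']) && strlen($_GET['sort']) > 3) {
  $_GET['sort'] = substr($_GET['sort'], 0, 3);
}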
Users of Zen Cart versions 1.2.x and older are reminded that they need to upgrade. This patch will not work for them.
And for those of you who wonder, the closing ?> tag is INTENTIONALLY left off of the above code snippet. See here for why: https://www.zen-cart.com/tutorials/i...hp?article=313