Results 1 to 1 of 1
  1. #1
    Join Date
    Jan 2004
    Blog Entries
    Plugin Contributions

    Default XSS protection patch - Nov 30 2009

    While XSS or CSRF attacks are difficult to trigger and may not manifest very often, it is still important to protect against the ill effects which could be caused by them.

    As such, the following XSS patches are advised in order to protect yourself from a recently-reported vulnerability:

    The following edits should be made to the respective files.
    THESE UPDATES APPLY TO ALL VERSIONS OF ZEN CART UP TO (& including)v1.3.8a (although line numbers may vary)

    NOTE: These updates should be made EVEN if you've renamed your admin folder. (Merely renaming your admin folder will NOT protect you from XSS issues.)

    Add the new lines shown, around approx line 135:
      while (!$customers->EOF) {
    	    $customers->fields['customers_firstname'] = zen_output_string_protected($customers->fields['customers_firstname']);
    	    $customers->fields['customers_lastname'] = zen_output_string_protected($customers->fields['customers_lastname']);
        echo '              <div class="row"><span class="left"><a href="' . zen_href_link(FILENAME_CUSTOMERS ....(code snipped here for brevity)........
    Add the new line shown, around approx line 1173:
          if (isset($cInfo) && is_object($cInfo)) {
            if (isset($_GET['search'])) $_GET['search'] = zen_output_string_protected($_GET['search']);
            $customers_orders = $db->Execute("select o.orders_id, o.date_purchased, o.order_total, o.currency, o.currency_value,
    /admin/sqlpatch.php (ONLY relevant for v1.3.5 to (including) v1.3.8a)
    Add the "(bool)" as shown here on line 808:
    <?php if (isset($_GET['nogrants'])) echo '<input type="hidden" id="nogrants" name="nogrants" value="'.(bool)$_GET['nogrants'].'" />'; ?>

    Thanks to Pedro Joaquín at webvuln for the alert.
    Last edited by Kim; 1 Dec 2009 at 05:46 PM.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.



Similar Threads

  1. XSS protection patch - and - PCI Scans - patch
    By janissaire in forum Templates, Stylesheets, Page Layout
    Replies: 3
    Last Post: 28 Jan 2010, 09:32 PM
  2. Problems after installing security patch 06 19 2009
    By maria82g in forum General Questions
    Replies: 24
    Last Post: 1 Jul 2009, 04:59 AM
  3. USPS Patch Nov 19 2007 for v1.3.7 and earlier
    By Ajeh in forum Zen Cart Release Announcements
    Replies: 1
    Last Post: 20 Nov 2007, 12:43 AM


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
Zen-Cart, Internet Selling Services, Klamath Falls, OR