Thread: XSS Flaw Patch

Results 1 to 1 of 1
  1. #1
    Join Date
    Jun 2003
    Location
    Newcastle UK
    Posts
    2,876
    Blog Entries
    2
    Plugin Contributions
    2

    red flag XSS Flaw Patch

    Hi

    We have been informed of a minor XSS flaw that exists within code for v1.5.0 & v1.51.

    Mitigation for the flaw has been posted to our public Github Repository here.

    You may need to right click this to download correctly. You should also only use the downloaded file if you are sure you have not changed the original file.

    The mitigation is as follows:

    1. Edit {ADMIN FOLDER NAME}/includes/functions/general.php

    2. change line circa 126 within the zen_get_all_get_params function

    Original
    PHP Code:
          if (($key != zen_session_name()) && ($key != 'error') && (!in_array($key$exclude_array))) $get_url .= $key '=' $value '&'
    to

    PHP Code:
          if (($key != zen_session_name()) && ($key != 'error') && (!in_array($key$exclude_array))) 
            
    $get_url .= zen_sanitize_string($key) . '=' rawurlencode(stripslashes($value)) . '&'
    Our thanks to

    Stefan Schurtz via Secunia SVCRP.
    for notifying us about the flaw.
    Last edited by DrByte; 16 Apr 2014 at 11:45 PM. Reason: fixed github link

 

 

Similar Threads

  1. XSS protection patch - and - PCI Scans - patch
    By janissaire in forum Templates, Stylesheets, Page Layout
    Replies: 3
    Last Post: 28 Jan 2010, 09:32 PM
  2. XSS protection patch - Nov 30 2009
    By DrByte in forum Zen Cart Release Announcements
    Replies: 0
    Last Post: 30 Nov 2009, 11:14 PM
  3. Question about XSS patch upgrade
    By kinget in forum Upgrading from 1.3.x to 1.3.9
    Replies: 4
    Last Post: 2 Aug 2007, 12:44 AM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
disjunctive-egg
Zen-Cart, Internet Selling Services, Klamath Falls, OR