Thread: XSS Flaw Patch

Results 1 to 1 of 1
  1. #1
    Join Date
    Jun 2003
    Newcastle UK
    Blog Entries
    Plugin Contributions

    red flag XSS Flaw Patch


    We have been informed of a minor XSS flaw that exists within code for v1.5.0 & v1.51.

    Mitigation for the flaw has been posted to our public Github Repository here.

    You may need to right click this to download correctly. You should also only use the downloaded file if you are sure you have not changed the original file.

    The mitigation is as follows:

    1. Edit {ADMIN FOLDER NAME}/includes/functions/general.php

    2. change line circa 126 within the zen_get_all_get_params function

    PHP Code:
          if (($key != zen_session_name()) && ($key != 'error') && (!in_array($key$exclude_array))) $get_url .= $key '=' $value '&'

    PHP Code:
          if (($key != zen_session_name()) && ($key != 'error') && (!in_array($key$exclude_array))) 
    $get_url .= zen_sanitize_string($key) . '=' rawurlencode(stripslashes($value)) . '&'
    Our thanks to

    Stefan Schurtz via Secunia SVCRP.
    for notifying us about the flaw.
    Last edited by DrByte; 16 Apr 2014 at 11:45 PM. Reason: fixed github link



Similar Threads

  1. XSS protection patch - and - PCI Scans - patch
    By janissaire in forum Templates, Stylesheets, Page Layout
    Replies: 3
    Last Post: 28 Jan 2010, 09:32 PM
  2. XSS protection patch - Nov 30 2009
    By DrByte in forum Zen Cart Release Announcements
    Replies: 0
    Last Post: 30 Nov 2009, 11:14 PM
  3. Question about XSS patch upgrade
    By kinget in forum Upgrading from 1.3.x to 1.3.9
    Replies: 4
    Last Post: 2 Aug 2007, 12:44 AM


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
Zen-Cart, Internet Selling Services, Klamath Falls, OR