Results 1 to 2 of 2
  1. #1
    Join Date
    Jun 2003
    Location
    Newcastle UK
    Posts
    2,876
    Blog Entries
    2
    Plugin Contributions
    2

    Default curesec.com security report [Patch Included]

    We have been notified of some potential security vulnerabilities in Zen Cart V1.5.4. These are likely to exist in previous versions as well.

    The vulnerabilities were reported by Tim Coen of curesec.com, and we thank Tim and curesec for the report and their patience while we analyzed the reports and prepared fixes where appropriate.

    The report identified 3 possible vulnerabilities:

    1: Information Leak

    The popup page for additional images e.g. index.php?main_page=popup_image_additional accepts a GET parameter for products_image_large_additional.
    Using a crafted URL an attacker can determine (via the html returned) whether a specific file exists on the server.

    e.g. (In this example note specifically that the responses are different, which "discloses information" that one of those files might exist whereas the other does not.)


    http://localhost/zen-cart-v1.5.4-123.../../etc/passwd
    results in
    <a href="javascript:window.close()"><img
    src="../../../../../../../etc/passwd"


    http://localhost/zen-cart-v1.5.4-123...../etc/passwd2
    results in default image-placeholder being shown


    Note: There is no suggestion within the vulnerability report that any contents of the file can be accessed, only whether it exists or not. As such the vulnerability has been classified as low/non-critical.

    Fixes will be applied to unreleased V1.6.0 and V1.5.5 versions on github. The v1.5.5 patch is viewable at: https://github.com/zcwilt/zc-v1-seri...ff2932f40ac8ac (for v1.5.5)

    Further, for v1.5.4 (and prior) a patch file can be added to includes/extra_configures/ directory to mitigate the vulnerability:

    e.g. create a file called includes/extra_configures/security_patch_v154_and_older.php with the following contents:

    PHP Code:
    <?php
    /**
     *  Security Patch for v1.5.4 (and older) to mitigate an Information Leak.
     *
     * @package initSystem
     * @copyright Copyright 2003-2015 Zen Cart Development Team
     * @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
     */
    /**
     *
     * Please Note : This file should be placed in includes/extra_configures and will automatically load.
     *
     */

    if (isset($_GET['main_page']) && $_GET['main_page'] == 'popup_image_additional') {
        if (isset(
    $_REQUEST['products_image_large_additional'])) {
            
    $basepath "";
            
    $realBase realpath($basepath);
            
    $userpath $basepath $_REQUEST['products_image_large_additional'];
            
    $realUserPath realpath($userpath);
            if (
    $realUserPath === false || strpos($realUserPath$realBase) !== 0) {
                
    $_REQUEST['products_image_large_additional'] = '';
            }
        }
    }
    (Tip: when pasting code into a new file, be sure that you do NOT have a blank line in the file before the opening line which starts with "<?php", else you'll create problems such as "headers already sent" errors.)


    2: Arbitrary File Upload (Admin only)

    Many areas of the Admin interface allow for uploading files; generally image files but other media files (mp3 etc) might also be uploaded. The admin upload class does not universally carry out strict testing of the type of uploaded file, hence a .php or other 'dangerous' file might be uploaded by a logged-in administrator.

    It should also be noted that this requires the malicious person to have a valid Admin login. Further, Zen Cart already requires that pages that allow uploading are protected by an XSRF token.

    Currently we do not plan to address this in legacy versions. However, tighter evaluation has been added for uploads in v1.5.5 and v1.6.0


    3: Code Execution (Admin-only)

    In the interest of creating maximum flexibility for storeowners, Zen Cart allows a valid logged-in Admin user to edit and include php files into other pages via the define page editor (define_pages_editor.php?define_it=4&action=new_page)
    The define pages system is meant to allow for custom text/html and images to be included in certain storefront pages.

    Also note as per the vulnerability report.
    Please note that if the user followed the guide "Important Site Security Recommendations", they will have set these files to read-only, disallowing code execution.
    As with the upload vulnerability above, the malicious person must have a valid admin login.
    Further we do not intend to address this in legacy Zen Cart versions.

    As a matter of course Zen Cart users should ensure the security of their Admin logins, especially the Super User login. Where there is a need to provide others with an Admin Login, those users should (where possible) be restricted to just those areas of admin that are necessary.

    Zen Cart also provides detailed logs of Admin access and actions. These should be reviewed regularly and where necessary as part of your daily Admin workflow.

    The full disclosure by Tim Coen can be found on the curesec website
    Attached Files Attached Files
    Last edited by wilt; 14 Sep 2015 at 10:47 PM.

  2. #2
    Join Date
    Jan 2004
    Posts
    64,245
    Blog Entries
    6
    Plugin Contributions
    68

    Default Re: curesec.com security report [Patch Included]

    Update re: The "arbitrary uploads" issue.

    a. Remember, this is only an issue if your Admin logins are already compromised.

    b. Code to protect against it has been added in v1.6.0 and ported to v1.5.5

    c. For those wanting to patch v1.5.4 and older, the changes shown in each of these links can be applied manually:
    - https://github.com/zencart/zencart/c...a85e91258f?w=0
    - https://github.com/zencart/zencart/c...b71008073ff8ea
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

 

 

Similar Threads

  1. Trustwave Security report [Patch Included] TWSL2016-006
    By wilt in forum Zen Cart Release Announcements
    Replies: 1
    Last Post: 24 May 2016, 10:47 PM
  2. v154 Blank screen after curesec-com file insert ("headers already sent")
    By RixStix in forum General Questions
    Replies: 4
    Last Post: 13 Sep 2015, 09:58 PM
  3. v139h about curesec.com security report
    By DarkAngel in forum General Questions
    Replies: 2
    Last Post: 13 Sep 2015, 05:08 AM
  4. Create account returns blank page. Error report included
    By slappadudle in forum General Questions
    Replies: 8
    Last Post: 10 Dec 2009, 03:40 AM
  5. Replies: 15
    Last Post: 2 Oct 2009, 11:45 AM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
disjunctive-egg
Zen-Cart, Internet Selling Services, Klamath Falls, OR