We have been notified of some potential security vulnerabilities in Zen Cart V1.5.4. These are likely to exist in previous versions as well.
The vulnerabilities were reported by Tim Coen of curesec.com, and we thank Tim and curesec for the report and their patience while we analyzed the reports and prepared fixes where appropriate.
The report identified 3 possible vulnerabilities:
1: Information Leak
The popup page for additional images e.g. index.php?main_page=popup_image_additional accepts a GET parameter for products_image_large_additional.
Using a crafted URL, an attacker can determine (via the HTML returned) whether a specific file exists on the server.
e.g. (note in this example that the two responses differ, which "discloses information": one of those files might exist whereas the other does not.)
http://localhost/zen-cart-v1.5.4-123.../../etc/passwd
results in
<a href="javascript:window.close()"><img
src="../../../../../../../etc/passwd"
http://localhost/zen-cart-v1.5.4-123...../etc/passwd2
results in default image-placeholder being shown
Note: There is no suggestion within the vulnerability report that any contents of the file can be accessed, only whether it exists or not. As such the vulnerability has been classified as low/non-critical.
Fixes will be applied to unreleased V1.6.0 and V1.5.5 versions on github. The v1.5.5 patch is viewable at: https://github.com/zcwilt/zc-v1-seri...ff2932f40ac8ac (for v1.5.5)
Further, for v1.5.4 (and prior) a patch file can be added to the includes/extra_configures/ directory to mitigate the vulnerability:
e.g. create a file called includes/extra_configures/security_patch_v154_and_older.php with the following contents:
PHP Code:
<?php
/**
 * Security Patch for v1.5.4 (and older) to mitigate an Information Leak.
 *
 * @package initSystem
 * @copyright Copyright 2003-2015 Zen Cart Development Team
 * @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
 */
/**
 *
 * Please Note : This file should be placed in includes/extra_configures and will automatically load.
 *
 */
if (isset($_GET['main_page']) && $_GET['main_page'] == 'popup_image_additional') {
    if (isset($_REQUEST['products_image_large_additional'])) {
        $basepath = "";
        // realpath("") resolves to the script's current working directory (the catalog root)
        $realBase = realpath($basepath);
        $userpath = $basepath . $_REQUEST['products_image_large_additional'];
        $realUserPath = realpath($userpath);
        // Reject a path that does not exist or that resolves outside the catalog root;
        // blanking the parameter makes the page fall back to the placeholder image
        if ($realUserPath === false || strpos($realUserPath, $realBase) !== 0) {
            $_REQUEST['products_image_large_additional'] = '';
        }
    }
}
(Tip: when pasting code into a new file, be sure that you do NOT have a blank line in the file before the opening line which starts with "<?php", else you'll create problems such as "headers already sent" errors.)
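To show why the check above closes the leak, here is an added, stand-alone example (not Zen Cart code) of the same containment check written as a function and run against a constructed image directory. It assumes an explicit base directory instead of the patch's realpath("") and a hypothetical helper name resolveImagePath; the point is that a traversal path and a merely missing file both yield the same null, so both produce the same placeholder response and the server no longer reveals which files exist.

```php
<?php
/**
 * Return the real path of $requested if it resolves to a regular file inside
 * $baseDir, otherwise null. "Outside the base" and "does not exist" are
 * deliberately indistinguishable to the caller.
 */
function resolveImagePath(string $baseDir, string $requested): ?string
{
    $realBase = realpath($baseDir);
    if ($realBase === false) {
        return null;
    }
    // Trailing separator so that /images does not also match /images_private
    $realBase = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $realUser = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($realUser === false || strpos($realUser, $realBase) !== 0) {
        return null; // missing, or resolved outside the base directory
    }
    if (!is_file($realUser)) {
        return null; // a directory inside the base is not an image either
    }
    return $realUser;
}

// Constructed fixture: a temporary "images" directory holding one file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'zc_images_' . uniqid();
mkdir($base . DIRECTORY_SEPARATOR . 'large', 0700, true);
$image = $base . DIRECTORY_SEPARATOR . 'large' . DIRECTORY_SEPARATOR . 'widget.jpg';
file_put_contents($image, 'not really a jpeg');

$cases = [
    'large/widget.jpg',              // legitimate image inside the base
    'large/missing.jpg',             // inside the base but absent
    '../../../../../../etc/passwd',  // traversal outside the base
];
foreach ($cases as $c) {
    $r = resolveImagePath($base, $c);
    printf("%-32s => %s\n", $c, $r === null ? 'placeholder' : 'serve file');
}

// Tidy up the constructed fixture.
unlink($image);
rmdir(dirname($image));
rmdir($base);
```

Only the first case is served; the second and third print the same placeholder line, which is the uniform response the patch aims for.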
2: Arbitrary File Upload (Admin only)
Many areas of the Admin interface allow for uploading files; generally image files but other media files (mp3 etc) might also be uploaded. The admin upload class does not universally carry out strict testing of the type of uploaded file, hence a .php or other 'dangerous' file might be uploaded by a logged-in administrator.
It should also be noted that this requires the malicious person to have a valid Admin login. Further, Zen Cart already requires that pages that allow uploading are protected by an XSRF token.
Currently we do not plan to address this in legacy versions. However, tighter evaluation has been added for uploads in v1.5.5 and v1.6.0.
3: Code Execution (Admin-only)
In the interest of creating maximum flexibility for storeowners, Zen Cart allows a valid logged-in Admin user to edit and include PHP files into other pages via the define page editor (define_pages_editor.php?define_it=4&action=new_page).
The define pages system is meant to allow for custom text/html and images to be included in certain storefront pages.
Also note, as per the vulnerability report:
Please note that if the user followed the guide "Important Site Security Recommendations", they will have set these files to read-only, disallowing code execution.
As with the upload vulnerability above, the malicious person must have a valid admin login.
Further, we do not intend to address this in legacy Zen Cart versions.
As a matter of course Zen Cart users should ensure the security of their Admin logins, especially the Super User login. Where there is a need to provide others with an Admin Login, those users should (where possible) be restricted to just those areas of admin that are necessary.
Zen Cart also provides detailed logs of Admin access and actions. These should be reviewed regularly and where necessary as part of your daily Admin workflow.
The full disclosure by Tim Coen can be found on the curesec website