While it's never pleasant to report on security problems, today we are announcing a few patches which should be applied to your Zen Cart store.


1. Problem with /ajax.php in v1.5.4 only - Severity: High
In Zen Cart v1.5.4 the /ajax.php file contains a vulnerability which, under very specific conditions, can be exploited on the server.
The patch is simple: replace the /ajax.php file with the one attached below.
Thanks to High Tech Bridge for reporting the problem.

QUICK PATCH TO APPLY: /ajax.php


Below are some additional lower-severity patches affecting prior versions, which should be reviewed carefully for your site, to merge with existing customizations you may have made:

2. XSS problem for unsanitized comment field - Severity: Medium
In Zen Cart versions up to and including v1.5.4 an XSS problem exists with the order-comments field.
XSS (cross-site scripting) problems arise when someone can submit executable JavaScript code that is later output back to the screen unescaped, so that it runs in the browser of whoever views that page.
The fix for this is a simple one-line patch to /includes/modules/pages/checkout_confirmation/header_php.php, as shown in this code diff: XSS fix
Thanks to Trustwave Security for alerting us to this issue.
The attached checkout_confirmation header_php.php is for v1.3.9 through v1.5.4 only. Older versions should be patched manually using the code diff in the link above.
Patched file: /includes/modules/pages/checkout_confirmation/header_php.php
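To illustrate the class of bug fixed above, here is an added PHP example (my own illustration, not Zen Cart's patch or any code from the linked diff). It contrasts echoing an order comment straight into the page with HTML-encoding it first using plain PHP htmlspecialchars; the function names and the sample comment are constructed for the example.

```php
<?php
// Added illustration (not Zen Cart's own code): output encoding for a
// user-supplied order-comments field.

// Constructed sample: text a customer might type into the comments box,
// including a classic test string for script injection.
$comments = "Please leave at the side door <script>alert(1)</script>";

// Vulnerable pattern: the comment is written into the page exactly as typed,
// so any markup it contains is parsed and executed by the browser.
function render_comments_vulnerable(string $comments): string
{
    return '<p class="order-comments">' . $comments . '</p>';
}

// Hardened pattern: encode < > & " and ' so the browser shows the text
// literally. ENT_QUOTES also covers single quotes, which matters if the value
// is ever placed inside an attribute; the charset must match the page's
// declared encoding.
function render_comments_safe(string $comments): string
{
    return '<p class="order-comments">'
        . htmlspecialchars($comments, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</p>';
}

// The first line is what a vulnerable template emits; the second is the
// encoded form, in which the script tags are displayed as text, not run.
echo render_comments_vulnerable($comments), PHP_EOL;
echo render_comments_safe($comments), PHP_EOL;
```

The general rule this shows is to encode at the point of output, for the context (HTML body, attribute, JavaScript) the value lands in, rather than trusting that input was cleaned earlier; a comment stored in the session during checkout is output again on later pages, which is exactly where the fix in header_php.php applies.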


3. Failed customer login puts password back in input box - Severity: Low
When attempting a login with an invalid password, the resulting page echoes that invalid password back into the password input box.
The fix for this is a simple edit to the /includes/functions/html_output.php file, as shown in this code diff: XSS fix
For v1.5.4, apply the attached html_output.php file over /includes/functions/html_output.php; if you've customized that file via plugins, use the code-diff link above to find the one line to change.
Thanks to Trustwave Security for alerting us to this issue.

Patched file: /includes/functions/html_output.php
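The following added PHP example (my own illustration, not the html_output.php patch itself) shows the pattern behind this issue: a generic "sticky field" helper that re-populates inputs from the last request will write an attempted password into the HTML response unless password inputs are special-cased. The helper names and the sample request are constructed for the example.

```php
<?php
// Added illustration (not Zen Cart's own code): never re-populate a password
// input from the submitted request on a failed login.

// Constructed sample: the POST body of a failed login attempt.
$_POST = ['email_address' => 'shopper@example.com', 'password' => 'wrong-guess-123'];

// Problematic pattern: one helper echoes whatever was submitted back into the
// value attribute of every field, password fields included. The attempted
// password then appears in the page source, in proxy logs, and in browser
// caches, and is exposed to any script running on the page.
function sticky_field_leaky(string $name, string $type = 'text'): string
{
    $value = htmlspecialchars($_POST[$name] ?? '', ENT_QUOTES, 'UTF-8');
    return sprintf('<input type="%s" name="%s" value="%s">', $type, $name, $value);
}

// Hardened pattern: a password input always gets an empty value, whatever was
// submitted; only non-secret fields are re-populated for the user's convenience.
function sticky_field_safe(string $name, string $type = 'text'): string
{
    if ($type === 'password') {
        return sprintf('<input type="password" name="%s" value="" autocomplete="current-password">', $name);
    }
    $value = htmlspecialchars($_POST[$name] ?? '', ENT_QUOTES, 'UTF-8');
    return sprintf('<input type="%s" name="%s" value="%s">', $type, $name, $value);
}

// Leaky version: the second line carries the attempted password.
echo sticky_field_leaky('email_address'), PHP_EOL;
echo sticky_field_leaky('password', 'password'), PHP_EOL;

// Safe version: the e-mail is kept, the password field is always blank.
echo sticky_field_safe('email_address'), PHP_EOL;
echo sticky_field_safe('password', 'password'), PHP_EOL;
```

Note that the leaky helper already HTML-encodes the value, so this is not an injection bug; the problem is purely that a secret is reflected into the response at all, which is why the severity is rated low but still worth patching.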


4. XSS concerns on the Admin side - Severity: Low because of working CSRF protections.
Trustwave Security has reported that some fields on admin edit screens are at risk of XSS exploitation. A patch is being prepared, but it is important to note that none of these concerns can be exploited without having a valid Admin login already. So, the problems could only be caused by persons already having permission to access the admin area and intentionally placing malicious code into the affected fields. The Zen Cart Admin area is already protected against CSRF vulnerabilities so these XSS issues cannot be exploited by third parties.
A further announcement will be posted when the patch is ready.