While it's never pleasant to report about security problems, today we are announcing a few patches which should be applied to your Zen Cart store.

1. Problem with /ajax.php in v1.5.4 only - Severity: High
In Zen Cart v1.5.4 the /ajax.php file has a vulnerability which can be used to cause a server exploit under very specific conditions.
The patch is simple: replace the /ajax.php file with the one attached below.
Thanks to High Tech Bridge for reporting the problem.


Below are some additional lower-severity patches affecting prior versions, which should be reviewed carefully for your site, to merge with existing customizations you may have made:

2. XSS problem for unsanitized comment field - Severity: Medium
In Zen Cart versions up to and including v1.5.4 an XSS problem exists with the order-comments field.
XSS problems are where someone can drop in executable/javascript code that can cause problems later when that content is output back to the screen.
The fix for this is a simple one-line patch to /includes/modules/pages/checkout_confirmation/header_php.php, as shown in this code diff: XSS fix
Thanks to Trustwave Security for alerting us to this issue.
The attached checkout_confirmation header_php.php is for v1.3.9-thru-v1.5.4 only. Older versions should be patched manually using the code diff in the link above.
Patched file: /includes/modules/pages/checkout_confirmation/header_php.php

3. Failed customer login puts password back in input box - Severity: Low
When attempting a login with an invalid password, the resulting response contains that invalid password.
The fix for this is a simple edit to the /includes/functions/html_output.php file, as shown in this code diff: XSS fix
For v1.5.4 one can apply the attached html_output.php file to /includes/functions/html_output.php ... or if you've customized that file via plugins, use the above code-diff link to find the one line to change.
Thanks to Trustwave Security for alerting us to this issue.

Patched file: /includes/functions/html_output.php

4. XSS concerns on the Admin side - Severity: Low because of working CSRF protections.
Trustwave Security has reported that some fields on admin edit screens are at risk of XSS exploitation. A patch is being prepared, but it is important to note that none of these concerns can be exploited without having a valid Admin login already. So, the problems could only be caused by persons already having permission to access the admin area and intentionally placing malicious code into the affected fields. The Zen Cart Admin area is already protected against CSRF vulnerabilities so these XSS issues cannot be exploited by third parties.
A further announcement will be posted when the patch is ready.