Trustwave Security report [Patch Included] TWSL2016-006
Robert Foggia of Trustwave notified us of possible multiple security vulnerabilities in Zen Cart Admin.
Trustwave announcement: https://www.trustwave.com/Resources/SpiderLabs-Blog/TWSL2016-006
The majority of these vulnerabilities were XSS and/or reflected XSS vulnerabilities, and are addressed in the details below. The rest were announced earlier, with patching instructions, here: https://www.zen-cart.com/showthread....-November-2015
Some background here, on the XSS concerns:
There are a lot of places in Admin where we allow the input of html/script tags.
e.g. Product descriptions/Product Names/Email Sending as well as some configuration values.
While allowing these does mean there could be XSS vulnerabilities, this is further mitigated by the use of XSRF tokens in admin ... and the requirement that one must be logged into the admin for this to be an issue at all.
Over a long period of discussion with Trustwave we did decide to implement a more global process of sanitizing GET/POST parameters in Admin.
Those changes can be seen in the admin/includes/init_includes/init_sanitize.php and admin/includes/classes/AdminRequestSanitizer.php files of the new v155 release.
There is also documentation about the new sanitization at http://docs.zen-cart.com/Developer_D...n_sanitization
These files can also be used to patch v1.5.0/v1.5.1/v1.5.2/v1.5.3 and v1.5.4
i.e. for the attached files, see the following post below.
Last edited by wilt; 27 May 2016 at 03:16 PM.
Reason: Files updated below
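To make the approach described above concrete, here is an added example written for this thread, not Zen Cart's own AdminRequestSanitizer: a small PHP sanitizer that escapes every admin GET/POST parameter by default, keeps an explicit allowlist of fields that are meant to carry HTML (product descriptions, email bodies), and passes double_encode=false to htmlspecialchars so that a value already containing "&amp;" is not converted again, which is the kind of unwanted "&" conversion the follow-up post below reports. The class name, field names and sample request are hypothetical.

```php
<?php
// Added illustration only; not Zen Cart's AdminRequestSanitizer.
// Default policy: HTML-escape. Exceptions: an explicit allowlist of fields
// that admin legitimately renders as HTML, and numeric-only parameters.
declare(strict_types=1);

final class DemoAdminSanitizer   // hypothetical class name
{
    /** Fields that intentionally carry HTML in admin. They rely on the admin
     *  login plus the XSRF token for protection, as the announcement notes. */
    private const HTML_ALLOWED = ['products_description', 'email_body'];

    /** Parameters that must be integers; non-numeric input becomes 0. */
    private const NUMERIC_ONLY = ['products_id', 'page'];

    /** @param array<string,mixed> $input a $_GET or $_POST array */
    public static function sanitize(array $input): array
    {
        $clean = [];
        foreach ($input as $key => $value) {
            // Parameter names are attacker-controlled too; keep them to a safe charset.
            if (!preg_match('/^[A-Za-z0-9_\-\[\]]+$/', (string) $key)) {
                continue;
            }
            if (is_array($value)) {
                $clean[$key] = self::sanitize($value);   // recurse into foo[]= style input
            } elseif (in_array($key, self::NUMERIC_ONLY, true)) {
                $clean[$key] = ctype_digit((string) $value) ? (int) $value : 0;
            } elseif (in_array($key, self::HTML_ALLOWED, true)) {
                $clean[$key] = (string) $value;           // rendered as HTML on purpose
            } else {
                // double_encode=false keeps an existing "&amp;" as "&amp;" instead of
                // turning it into "&amp;amp;" each time a form value round-trips.
                $clean[$key] = htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8', false);
            }
        }
        return $clean;
    }
}

// Constructed sample request covering the numeric, escaped, allowlisted and
// already-encoded cases.
$sample = [
    'products_id'          => '12abc',
    'products_name'        => 'Tom & Jerry <script>alert(1)</script>',
    'products_description' => '<b>Bold</b> description',
    'search'               => 'A &amp; B',
];
var_export(DemoAdminSanitizer::sanitize($sample));
```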
Re: Trustwave Security report [Patch Included] TWSL2016-006
NOTE: The files attached in the above announcement had some incompatibility issues with a couple of popular plugins, so a number of improvements have been made, as indicated here.
In your Admin, if you're unexpectedly getting symbols like & converted into &amp;, then you probably need to apply the following updates.
These changes are applicable to v1.5.0-thru-v1.5.5a (you can right-click and save-as for each of these files):