Robert Foggia of Trustwave notified us of possible multiple security vulnerabilities in Zen Cart Admin.
Trustwave announcement: https://www.trustwave.com/Resources/SpiderLabs-Blog/TWSL2016-006
The majority of these vulnerabilities were XSS and/or reflected XSS vulnerabilities, and are addressed in the details below. The rest were announced earlier, with patching instructions, here: https://www.zen-cart.com/showthread....-November-2015
Some background here, on the XSS concerns:
There are a lot of places in Admin where we allow the input of html/script tags.
e.g. Product descriptions/Product Names/Email Sending as well as some configuration values.
While allowing these does mean there could be XSS vulnerabilities, this is further mitigated by the use of XSRF tokens in admin ... and the requirement that one must be logged into the admin for this to be an issue at all.
Over a long period of discussion with Trustwave we did decide to implement a more global process of sanitizing GET/POST parameters in Admin.
Those changes can be seen in the admin/includes/init_includes/init_sanitize.php and admin/includes/classes/AdminRequestSanitizer.php files of the new v155 release.
There is also documentation about the new sanitization at http://docs.zen-cart.com/Developer_D...n_sanitization
These files can also be used to patch v1.5.0/v1.5.1/v1.5.2/v1.5.3 and v1.5.4.
i.e. for the attached files, see the following post below.
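As an added illustration of the per-parameter approach described in the post (this is example code, not Zen Cart's AdminRequestSanitizer class or its rules), the sketch below sanitizes a GET/POST array by parameter name: a small allow-list of fields keeps HTML, integer parameters are cast, and everything else is reduced to plain text. The class name, the parameter names and the group lists are assumptions for the example.

```php
<?php
// Hypothetical sanitizer for illustration only; not Zen Cart's own code.
// Parameters are handled by name: fields that legitimately carry HTML
// (product descriptions, email bodies) are kept, id-style fields are cast
// to int, and anything else is stripped of tags before the page uses it.

final class AdminRequestSanitizerExample
{
    /** Names that may carry HTML (assumed list, not Zen Cart's). */
    private const HTML_ALLOWED = ['products_description', 'email_body'];

    /** Names that must be integers (assumed list). */
    private const INTEGER_ONLY = ['products_id', 'categories_id', 'page'];

    /** Return a sanitized copy of a $_GET / $_POST style array. */
    public static function sanitize(array $params): array
    {
        $clean = [];
        foreach ($params as $name => $value) {
            if (is_array($value)) {
                // Recurse so nested array parameters get the same rules.
                $clean[$name] = self::sanitize($value);
            } elseif (in_array($name, self::INTEGER_ONLY, true)) {
                $clean[$name] = (int) $value;
            } elseif (in_array($name, self::HTML_ALLOWED, true)) {
                // Kept verbatim; escaping at render time remains the template's job.
                $clean[$name] = (string) $value;
            } else {
                // Default group: no markup survives, so a reflected value cannot carry script.
                $clean[$name] = strip_tags((string) $value);
            }
        }
        return $clean;
    }
}

// Constructed sample request for the example; not a real capture.
$request = [
    'products_id'          => '12<script>',
    'search'               => 'shoes<img src=x onerror=alert(1)>',
    'products_description' => '<b>Red</b> shoes',
];
$safe = AdminRequestSanitizerExample::sanitize($request);

// Anything reflected into a page still needs output encoding, whatever group it came from.
echo htmlspecialchars($safe['search'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
```

Tag stripping on input is a coarse first line; the login requirement and XSRF tokens the post mentions, plus consistent output encoding, are what keep the HTML-allowed fields from becoming a reflected problem.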