Results 1 to 2 of 2
  1. #1
    Join Date
    Jun 2003
    Location
    Newcastle UK
    Posts
    2,876
    Blog Entries
    2
    Plugin Contributions
    2

    Default Trustwave Security report [Patch Included] TWSL2016-006

    Attachment 16120Attachment 16121Robert Foggia of Trustwave notified us of possible multiple security vulnerabilities in Zen Cart Admin

    Trustwave announcement: https://www.trustwave.com/Resources/SpiderLabs-Blog/TWSL2016-006

    The majority of these vulnerabilities were XSS and/or reflected XSS vulnerabilities, and are addressed in the details below. The rest were announced earlier, with patching instructions, here: https://www.zen-cart.com/showthread....-November-2015


    Some background here, on the XSS concerns:

    There are a lot of places in Admin where we allow the input of html/script tags.
    e.g. Product descriptions/Product Names/Email Sending as well as some configuration values.

    While allowing these does mean there could be XSS vulnerabilities, this is further mitigated by the use of XSRF tokens in admin ... and the requirement that one must be logged into the admin for this to be an issue at all.

    Over a long period of discussion with Trustwave we did decide to implement a more global process of sanitizing GET/POST parameters in Admin.

    Those changes can be seen in the admin/includes/init_incudes/init_sanitize.php and admin/includes/classes/AdminRequestSanitizer.php files of the new v155 release.
    There is also documentation about the new sanitzation at http://docs.zen-cart.com/Developer_D...n_sanitization


    These files can also be used to patch v1.5.0/v1.5.1/v1.5.2/v1.5.3 and v1.5.4

    i.e for the attached files see the following post below,
    Last edited by wilt; 27 May 2016 at 03:16 PM. Reason: Files updated below

  2. #2
    Join Date
    Jan 2004
    Posts
    64,221
    Blog Entries
    6
    Plugin Contributions
    68

    Default Re: Trustwave Security report [Patch Included] TWSL2016-006

    NOTE: The files attached in the above announcement had some incompatibility issues with a couple popular plugins, so a number of improvements have been made, as indicated here.

    In your Admin if you're unexpectedly getting symbols like & converted into & then you probably need to apply the following updates.

    These changes are applicable to v1.5.0-thru-v1.5.5a (you can right-click and save-as for each of these files):
    a) /admin/includes/classes/AdminRequestSanitizer.php
    b) /admin/includes/init_includes/init_sanitize.php
    c) /admin/includes/auto_loaders/config.adminSanitize.php
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

 

 

Similar Threads

  1. Replies: 1
    Last Post: 30 Mar 2016, 08:21 PM
  2. curesec.com security report [Patch Included]
    By wilt in forum Zen Cart Release Announcements
    Replies: 1
    Last Post: 2 Oct 2015, 07:20 PM
  3. are the 1.3.8 security patches included in 1.3.9?
    By mzimmers in forum Upgrading from 1.3.x to 1.3.9
    Replies: 7
    Last Post: 23 Apr 2010, 02:25 AM
  4. Create account returns blank page. Error report included
    By slappadudle in forum General Questions
    Replies: 8
    Last Post: 10 Dec 2009, 03:40 AM
  5. Replies: 15
    Last Post: 2 Oct 2009, 11:45 AM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
disjunctive-egg
Zen-Cart, Internet Selling Services, Klamath Falls, OR