We were recently notified of a security vulnerability affecting customer address data in Zen Cart v1.5.7-series and v1.5.8-series.
(Versions 1.5.6 and older are not affected.)
The fix is pretty simple:
(a) update 1 file via FTP, specific to your Zen Cart version.
(b) apply 1 SQL Patch via your Admin
(c) upload a "checker" tool via FTP and run it from your Admin, and if it says you need to, then also change your admin passwords and rename your Admin folder. Delete the checker tool when done.
Here are the detailed instructions:
1. Download the zip file for your specific Zen Cart version and unzip it. The zip files are attached below.
In that zip you will find 3 files:
- /includes/functions/database.php
- /admin/spam_cleanup_check.php
- spam_cleanup.sql
2. Using FTP, upload the updated version of /includes/functions/database.php to your server, replacing the existing file of the same name in that directory.
3. Log in to your Admin, go to Tools->Install SQL Patch and apply the spam_cleanup.sql file found in the zip you downloaded.
If you're not familiar with that screen, you can apply the patch in one of two ways:
You can either
a) open the spam_cleanup.sql file in a text editor and copy/paste its contents into the SQL Patch screen and click the blue "Send" button to run the patch;
or
b) in the SQL Patch screen click the "File Upload" button and select the spam_cleanup.sql file from your computer, in whatever directory you had unzipped it to. Then click the blue "Upload" button to run the patch.
When the patch has run, the screen will report "80 statement(s) processed".
4. The following additional steps are highly recommended, and only take a few more minutes:
a) use your FTP program to upload the spam_cleanup_check.php file to your store's "admin" directory (whatever you had named that directory)
b) then log in to your store's Admin home page and run https://your_store.com/YOURADMIN/spam_cleanup_check.php
To be clear: you have to type that URL manually. e.g. on your Admin home page, append "/spam_cleanup_check.php" to the URL so that it reads https://your_store.com/YOURADMIN/spam_cleanup_check.php ... and press Enter to open the report page.
c) the report inspects the affected DB fields and shows you a plain HTML summary, plus a message indicating whether or not you need to do step (d) below
d) if the report from step (c) indicates the need, then rename your Admin directory and change your Admin password (all admin users should change their passwords)
e) be sure to delete the spam_cleanup_check.php file you uploaded in step (a) above, using your FTP program
Special thanks to balihr, barco57, swguy, lat9, qdixon, dbltoe and others for their assistance with this patch.
ZIPS ARE ATTACHED TO THIS POST, BELOW:
1.5.8 (all versions: 1.5.8/1.5.8a): use the zc158_2024-04_address_security.zip file attached below
1.5.7 (all versions: 1.5.7/1.5.7a/1.5.7b/1.5.7c/1.5.7d): use the zc157_2024-04_address_security.zip file attached below
1.5.6 and below: No action required.