As a result of a security vulnerability reported today, we are releasing the following patch instructions for anyone using Zen Cart v1.3.0, v1.3.0.1, v1.3.0.2:
It is strongly advised that you apply these fixes immediately!
Make the following code edits to secure your site:
---------------------------
1. includes/application_top.php
line 83:
Code:
include($base_dir . $loader_file);
ADD this new EXTRA line immediately above it
(do not REPLACE it; just INSERT A NEW LINE with this on it):
Code:
$autoLoadConfig = array();
When you're done, it should look like this:
Code:
/**
* load the default application_top autoloader file.
*/
$autoLoadConfig = array();
include($base_dir . $loader_file);
if ($loader_dir = dir(DIR_WS_INCLUDES . 'auto_loaders')) {
---------------------------
2. includes/classes/shopping_cart.php
line 354:
Code:
set customers_basket_quantity = '" . $quantity . "'
should be replaced with:
Code:
set customers_basket_quantity = '" . (float)$quantity . "'
---------------------------
3. includes/modules/order_total/ot_coupon.php
lines 104-108:
Code:
$coupon_result=$db->Execute("select coupon_id, coupon_amount, coupon_type, coupon_minimum_order,
uses_per_coupon, uses_per_user, restrict_to_products,
restrict_to_categories from " . TABLE_COUPONS . "
where coupon_code='". $_POST['dc_redeem_code']."'
and coupon_active='Y'");
should be replaced with:
Code:
$sql = "select coupon_id, coupon_amount, coupon_type, coupon_minimum_order, uses_per_coupon, uses_per_user,
restrict_to_products, restrict_to_categories
from " . TABLE_COUPONS . "
where coupon_code= :couponCodeEntered
and coupon_active='Y'";
$sql = $db->bindVars($sql, ':couponCodeEntered', $_POST['dc_redeem_code'], 'string');
$coupon_result=$db->Execute($sql);
---------------------------
4. includes/modules/payment/paypal/paypal_functions.php
line 35:
Code:
$sql = "select * from " . TABLE_PAYPAL_SESSION . " where session_id = '" . $session_stuff[1] . "'";
should be replaced with these lines:
Code:
$sql = "SELECT *
FROM " . TABLE_PAYPAL_SESSION . "
WHERE session_id = :sessionID";
$sql = $db->bindVars($sql, ':sessionID', $session_stuff[1], 'string');
---------------------------
5. includes/functions/whos_online.php (only applies to v1.3.0.2 ... if you don't have this line, then you don't have a full v1.3.0.2 install)
line 101:
Code:
set session_id = '" . $new_session . "' WHERE session_id = '" . $old_session . "'";
should be replaced with these lines:
Code:
SET session_id = :newSessionID
WHERE session_id = :oldSessionID";
$sql = $db->bindVars($sql, ':newSessionID', $new_session, 'string');
$sql = $db->bindVars($sql, ':oldSessionID', $old_session, 'string');
---------------------------
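Fixes 2 to 5 all close the same hole: a value taken from the request or the session is pasted straight into SQL text, so a quote character in that value ends the string literal and the rest of the value is executed as part of the statement. The following is an added illustration, not Zen Cart code: `bind_var_demo()` is a hypothetical stand-in with the same call shape as the `$db->bindVars()` used in the patch (the real queryFactory escapes through the MySQL driver; `addslashes()` is used here only so the script runs without a database), and the table name `coupons` stands in for the `TABLE_COUPONS` constant.

```php
<?php
// Added example (not Zen Cart code): a minimal stand-in for the $db->bindVars()
// call used in fixes 3-5, showing why typed placeholders replace concatenation.
// Zen Cart's real queryFactory escapes through the MySQL driver; addslashes()
// is used here only so this script runs without a database connection.

/**
 * Render $value according to $type and substitute it for $placeholder in $sql.
 * Hypothetical helper: same call shape as the patch, not the project's internals.
 */
function bind_var_demo(string $sql, string $placeholder, $value, string $type): string
{
    switch ($type) {
        case 'string':
            // Quote the value and escape any quote/backslash inside it, so user
            // input can never close the literal and continue the statement.
            $rendered = "'" . addslashes((string)$value) . "'";
            break;
        case 'integer':
            $rendered = (string)(int)$value;
            break;
        case 'float':
            $rendered = (string)(float)$value;
            break;
        default:
            throw new InvalidArgumentException("unsupported bind type: $type");
    }
    return str_replace($placeholder, $rendered, $sql);
}

/** Fix 3 as written before the patch: raw concatenation of the submitted code. */
function coupon_query_before(string $code): string
{
    return "select coupon_id from coupons where coupon_code='" . $code . "' and coupon_active='Y'";
}

/** Fix 3 as written after the patch: the submitted code is bound as a string. */
function coupon_query_after(string $code): string
{
    $sql = "select coupon_id from coupons where coupon_code= :couponCodeEntered and coupon_active='Y'";
    return bind_var_demo($sql, ':couponCodeEntered', $code, 'string');
}

/** Fix 2: a numeric column is protected by a cast instead of escaping. */
function quantity_fragment(string $quantity): string
{
    return "set customers_basket_quantity = '" . (float)$quantity . "'";
}

// Constructed input: a coupon code containing a single quote character.
$entered = "10OFF' OR coupon_active='Y";

// Before: the quote in the input ends the literal early; the rest becomes SQL.
echo coupon_query_before($entered), PHP_EOL;
// After: the quote is escaped and the whole value stays inside one literal.
echo coupon_query_after($entered), PHP_EOL;

// Constructed input for the quantity: the cast keeps only the leading number.
echo quantity_fragment("2 units"), PHP_EOL;

// Self-check: both quotes from the input must appear escaped in the bound query.
$bound = coupon_query_after($entered);
if (substr_count($bound, "\\'") !== 2) {
    throw new RuntimeException("bound query did not escape the input quotes");
}
echo "bound query escapes both quotes from the input", PHP_EOL;
```

Run it with `php` from the command line and compare the two printed coupon queries: in the first, the `OR` from the input sits outside the string literal; in the second it is still part of the quoted coupon code. The `(float)` cast in fix 2 takes a different route for the same reason: a numeric column never needs a quote-bearing value, so the cast discards anything that is not a number.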
A new bugfix release will be published shortly and will contain these fixes.
It is strongly advised that you apply these fixes immediately!
NOTE: When editing, be careful not to leave blank lines at the end of your files.
It is strongly recommended to use a code editor for making changes to these files ... suitable free editors include Notepad++ and Crimson Editor.
A good free FTP program to use is FileZilla.
ABOUT SECURITY
In the .zip file you downloaded for installing Zen Cart, and/or in the /docs folder of your site, there is a document called "Important Site Security Recommendations" which you should be addressing. An online version of the same document is available here:
http://www.zen-cart.com/wiki/index.p...ecommendations