According to the Payment Card Industry's guidelines, the CVV number should NEVER be stored with the credit card number. I'm seeing a specific issue with the manner in which this information is being stored by Zen Cart that could be problematic for all users. Since there is not a general "Security" category in this forum, I'm posting it here as a bug.
(Refer to the Data Security Standard at https://www.pcisecuritystandards.org...he_pci_dss.htm -- especially section 3.2.2)
In the file includes/classes/navigation_history.php, the $_POST variables are written directly to the session. This presents two main problems:
1) Since the credit card information is posted, it gets stored either on disk or in the database. If the disk/database are being backed up, there is a huge risk of credit card information persisting without the store owners being aware of it. Many shared hosts do automated DB and file backups for users on a nightly or weekly basis. Therefore, even if your session table does not allow card information to persist for more than a few days, this data could easily be found on backup media.
2) The credit card and CVV should never be stored together. When they are both posted, they both get written to the disk/database together. The CVV should not live beyond the HTTP post.
Specifically, the problem lines are 86 and 121.
Bookmarks