05-12-2016 Patch for Admin Privilege Escalation issue v150-v155




This is a service provided by PRO-Webs Inc. for Zen Cart


Zen Cart Admin Privilege Escalation Patch

This patch is for Zen Cart versions 1.5.0 to 1.5.5.

The following patch will be installed on your Zen Cart store running version 1.5.0 through 1.5.5, excluding 1.5.5a, in which the patch is already present.

It has come to the attention of the Zen Cart team that there existed a potential admin privilege escalation issue, whereby logged-in admin users of Zen Cart versions 1.5.0 to v1.5.5 (pre v1.5.5a) could change their own user profile permissions if they engaged in some hackery.

This only poses a risk when multiple admin users exist in the store AND some have been assigned a profile restricting their privileges to disallow access to certain admin sections, AND they have some malicious desire to gain access to changing their settings or to view data from which they've been restricted.

The fix is simple: copy the Zen Cart v1.5.5a version of /admin/admin_account.php to replace your existing /(your-renamed-admin)/admin_account.php file. This file must be merged if you have edited it for any reason.
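One way to make the replace-or-merge decision described above, as an added example that is not PRO-Webs or Zen Cart code. The function names, the backup directory outside the web root, and the availability of an unmodified copy of admin_account.php from the release you originally installed are assumptions of this sketch.

```shell
#!/bin/sh
# Added illustration; function names and arguments are hypothetical.
#
# patch_status LIVE FIXED [STOCK]
#   LIVE  = /(your-renamed-admin)/admin_account.php on the store
#   FIXED = admin/admin_account.php taken from the v1.5.5a package
#   STOCK = unmodified admin_account.php of the release you installed
patch_status() {
    live=$1 fixed=$2 stock=${3:-}
    [ -f "$live" ] && [ -f "$fixed" ] || { echo "missing-file"; return 2; }
    if cmp -s "$live" "$fixed"; then
        echo "already-patched"
    elif [ -n "$stock" ] && [ -f "$stock" ] && cmp -s "$live" "$stock"; then
        echo "replace"        # untouched core file: safe to overwrite
    else
        echo "merge-needed"   # local edits, or no stock copy to prove otherwise
    fi
}

# apply_patch LIVE FIXED STOCK BACKUP_DIR
# Overwrites LIVE only when it is an unmodified core file. The backup goes
# to BACKUP_DIR, which should sit outside the web root so the old PHP
# source is never served as a downloadable file.
apply_patch() {
    st=$(patch_status "$1" "$2" "${3:-}") || { echo "$st"; return 2; }
    case $st in
        already-patched) echo "$st" ;;
        replace)
            [ -d "${4:-}" ] || { echo "no-backup-dir"; return 2; }
            backup="$4/admin_account.php.$(date +%Y%m%d%H%M%S)"
            cp -p "$1" "$backup" && cp "$2" "$1" && cmp -s "$1" "$2" \
                && echo "patched" ;;
        *) echo "$st"; return 1 ;;   # merge by hand, then re-check
    esac
}
```

A result of `merge-needed` means the live file differs from both reference copies, so your edits have to be carried into the v1.5.5a file manually before it is uploaded.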

There are no database changes, only some core file edits. In order to complete this installation we will need FTP credentials. Do not put these credentials in checkout or email; we will send you a secure form to collect the necessary information.



