PDA

View Full Version : Zen-Cart Security Fix



rispku
12-09-2005, 04:12 AM
In case any of you Zen-Cart users missed it, they recently released a fix for a SQL injection exploit.

Official Announcement (http://www.zen-cart.com/modules/ipb/index.php?showtopic=36760)

**IMPORTANT**
Zen Cart versions 1.1.x and 1.2.x require a fix to protect against possible SQL injection exploitation.


The fix is a simple drop-in replacement of the "password_forgotten.php" file.

rispku
02-18-2006, 12:44 PM
A new security upgrade is available. This is a new version, but includes no new features. It's primary focus is to harden the cart against possible SQL injection atttacks and other various exploits.

Official Announcement (http://www.zen-cart.com/modules/ipb/index.php?showtopic=41626)


Whats New ... in v1.2.7

v1.2.7 is a security bugfix release. The changes included in this release are largely intended to provide more solid protection against a potential SQL injection attack or other attempted exploits.

No new features have been added in 1.2.7.

Five Bugfixes included:
- sanitization of input data across many files, to block hacking attempts
- added new /admin/includes/.htaccess file to prevent mis-use of files in subfolders
- rounding errors in tax calculations have been repaired
- music product-type had syntax error on call to extra_main_template_vars
- changed processing of SSL links in zen_redirect function to use $request_type as indicator

For a list of changed files, see docs/changelog-v1-2-7.html


Stay tuned for the upcoming v1.3.0 due shortly!


IMPORTANT NOTES

* Please be sure to review and apply the Site Security Recommendations to your site prior to taking your shop "live". If uncertain about how site security applies to you, talk to your web host to ensure that you have proper measures in place.

* If you are upgrading, it is recommended that you add the enclosed new /admin/includes/.htaccess file to your site.


The upgrade was fairly painless. Forgoing the official upgrade directions posted by one of the developers, I simply ran the SQL update through phpMyAdmin, and then uploaded/replaced the changed files. Seems to be working fine, but be sure to make backups of your store and your database before upgrading.