New PCI Issue in Zen Cart

By Melanie Prough on Thursday, March 11, 2010
Filed Under: Zen Cart Tips

Level 3 Plain-Text Form Based Authentication

This PCI finding relates to users being allowed to submit or transmit login and/or credit card data over an unencrypted connection. It is not a server issue on the host running your Zen Cart, but rather a Zen Cart software issue.

Zen Cart loads your checkout URLs over SSL if your cart is set correctly to use SSL; however, the SSL pages are loaded only because the references within the installation are written as https:// … rather than because SSL is forced.

So, for example, if someone sends you a link to http://domain.com/index.php?main_page=login, this page will be served over plain http and unsecured when you log in, which is a PCI violation.

Additionally, if you load https://domain.com/index.php?main_page=login and then remove the “S”, the page will also load unsecured.

When this is allowed, the submitted data is transmitted over an unsecured connection, hence the violation and its high Level 3 rating.

I have sent this information to the Zen Cart developers, but in the meantime I can offer you a working fix. We can use a simple PHP check to force these SSL pages to load only over SSL, so that http: requests are redirected to https:.

Note that the files listed below are for a standard Zen Cart checkout; you will have to modify additional files if you use FEC or similar.

In includes/modules/pages/, modify header_php.php in each of the following folders.

/account/
/account_edit/
/account_history/
/account_password/
/checkout_payment/
/checkout_payment_address/
/checkout_process/
/checkout_shipping/
/checkout_shipping_address/
/create_account/
/customers_authorization/
/login/

There may be others you wish to include, but these must be. In each of these folders' header_php.php you will find the following (or similar) at the top.

// This should be first line of the script:
$zco_notifier->notify……………………….

On the very next line, add the following.

// Edit: require SSL
if ($_SERVER['SERVER_PORT'] != '443') {
    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
    exit();
}
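As an added example (my own code, not from the original post or the Zen Cart project), here is the same redirect factored into a reusable check that also recognises an encrypted request via $_SERVER['HTTPS'], so it does not loop when SSL runs on a port other than 443, and that strips any :port suffix from the Host header before building the https:// target. The function names zc_force_ssl_target and zc_force_ssl are my own choice, and the $_SERVER arrays in the self-test are constructed.

```php
<?php
// Added example, not Zen Cart code. Returns null when the request is already
// encrypted, otherwise the absolute https:// URL the browser should be sent to.
function zc_force_ssl_target(array $server)
{
    // Apache/PHP set HTTPS to "on" (IIS may use "1") for TLS requests; checking
    // port 443 alone misfires when SSL is served on a non-standard port.
    $https = isset($server['HTTPS']) && $server['HTTPS'] !== ''
          && strtolower($server['HTTPS']) !== 'off';
    $port443 = isset($server['SERVER_PORT']) && (int)$server['SERVER_PORT'] === 443;
    if ($https || $port443) {
        return null;
    }
    $host = isset($server['HTTP_HOST']) ? $server['HTTP_HOST'] : '';
    $uri  = isset($server['REQUEST_URI']) ? $server['REQUEST_URI'] : '/';
    // Drop a trailing :port so the redirect lands on the default SSL port.
    // If you prefer not to trust the client-supplied Host header at all,
    // substitute your store's configured https base URL here instead.
    $host = preg_replace('/:\d+$/', '', $host);
    return 'https://' . $host . $uri;
}

// Drop-in for header_php.php, placed right after the $zco_notifier->notify(...) line.
function zc_force_ssl()
{
    $target = zc_force_ssl_target($_SERVER);
    if ($target !== null) {
        // 301 so browsers and crawlers remember the secure URL.
        header('Location: ' . $target, true, 301);
        exit();
    }
}

// Constructed self-test of the decision logic (run from the CLI: php this_file.php).
if (PHP_SAPI === 'cli') {
    $plain = array('SERVER_PORT' => '80', 'HTTP_HOST' => 'domain.com:80',
                   'REQUEST_URI' => '/index.php?main_page=login');
    if (zc_force_ssl_target($plain) !== 'https://domain.com/index.php?main_page=login') {
        fwrite(STDERR, "plain-http request was not redirected correctly\n"); exit(1);
    }
    $tls = $plain; $tls['HTTPS'] = 'on'; $tls['SERVER_PORT'] = '8443';
    if (zc_force_ssl_target($tls) !== null) {
        fwrite(STDERR, "TLS request on port 8443 must not be redirected\n"); exit(1);
    }
    echo "ok\n";
}
```

Call zc_force_ssl() in place of the inline check; the redirect only helps requests that have not yet posted anything, so the sidebox and on-page login forms discussed below still need to be removed.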

If you have already failed your PCI scan, this should resolve the issue on rescan. If you were dinged for hosting control panel logins using Plain-Text Form Based Authentication, that is a separate matter which your hosting company will likely have to resolve for you.

Just a quick note for those of you using an on-page login box such as the sidebox login: these transmissions have to be secured as well. Since serving your whole site over https: is not really an option, you will need to remove these logins.

Note also that this plain-text login issue applies to your Zen Cart admin as well, even if the scanner does not find it. Make sure the following is set correctly to ensure an encrypted login.

define('ENABLE_SSL_ADMIN', 'true');
