Zen Cart 1.3.8 Bug Fixes

By Melanie Prough on Sunday, June 28, 2009
Filed Under: Zen Cart News












We have compiled a list of the bug & security fixes you should be concerned with fixing on your 1.3.8 Zen Cart and those that are conditional, either by reported error or need. Please note that you should be subscribed to the Zen Cart 1.3.8 Bug Fixes thread & the Zen Cart Releases & Announcements thread for security and release patches & updates.

Required Zen Cart 1.3.8 Bug & Security Fixes

  • Admin Security Patch June 12, 2008 – A security vulnerability in Zen Cart v1.3.x was announced on a few Security Forums (10-JUL-2008). This purported to be a Local File Inclusion vulnerability in 2 scripts in the Zen Cart Admin.
  • Injection Protection Patch September 19, 2008 – A vulnerability in Zen Cart has been identified which could potentially allow rogue behavior if the site has magic_quotes_gpc turned off in their server/site’s PHP settings.
  • Admin Security Patch June 19, 2009 – A vulnerability has been discovered in the admin section of v1.3.8 (and previous versions). To take advantage of this vulnerability any attacker must know the URL of your admin section. As our security recommendations point out, you should change the folder that your admin resides in as soon as you installed Zen Cart.
  • PCI Patch for Low Priority Warnings on Search June 27, 2009 – There are some reports of sites failing PCI scans due to an error message that can appear on the search screen if someone attempts to do a SQL injection attack. While the attack fails, an error message appears which, to the purists, discloses the name of the database table and thus gets flagged as a problem. While it’s a minor issue and poses no actual direct vulnerability, the PCI scan will fail. Patch updated for new PCI scan failure issue, 11/20/2009. Update your patch.
  • noindex, nofollow Meta Robots Tag in Main Page Header Preventing Indexing of Main Page – Bug in v1.3.8 which only shows when you have Admin->Configuration->Layout Settings->Categories – Always Show on Main Page = 1
  • Categories Meta Tags cannot be removed once added – Once added category custom Meta tags cannot be removed.
  • Product Meta Tag leaving blank record
  • Back Button Returns to Home Page Instead – Back button not working in some instances and you go to the home page vs the last page
  • Typed Text Deleted in Field When reaching Max Characters – TEXT Attributes set to TEXTAREA with a limit on number of characters will delete the initially typed text when the maximum number of characters has been reached.
  • queryFactory error on PHP5 in banner_monthly.php – This bug isn’t unique to v1.3.8 (has existed for many versions) but only shows in PHP5.
  • Minimum Processing of Attributes – Minimum is not processing with attributes properly when added to cart … also affects quantity discounts on mixed.
  • Product & Category Lookups Issue – Looking up fields in products and products_description and looking up fields in categories and categories_description.
  • Product & Category Lookups Issue in Admin – Lookup of fields in products or products_description by products_id in the Admin.
  • ot_gv shows MySQL error when redeeming invalid GV code – Attempting to redeem a gift certificate using an invalid code can cause a MySQL error to appear.
  • Security Alert: Remove extra folders from your server after install 11/28/2009- In a standard Zen Cart install, there are a few additional folders provided which DO NOT need to be uploaded to your live webserver.
    In fact, leaving the files in those folders on your server can pose some security risks if not used as intended.
    While most of the risks are minor in that attempting to access some of those files/scripts/documentation could reveal some information about your server which might allow more sophisticated hack “probing” to occur, there are some more significant risks including unauthorized access to information on your server or even “accidental” wipe of your whole database in the case of the zc_install folder being left online.
  • XSS or CSRF Protection Patch 11/30/2009 – While XSS or CSRF attacks are difficult to trigger and may not manifest very often, it is still important to protect against the ill effects which could be caused by them.
  • **NEW USPS has updated their code for January 4, 2010 – A Zip file is available for v1.3.8 for the RateV3 and new USPS shipping methods. You will need to do a REMOVE, INSTALL and Configure for the changes to take effect, so write your settings down first.

Conditional Patches & Fixes

As you should already know, keeping your website software completely up to date is a PCI requirement, not an option. I have compiled this list, and will update it as I can to help you achieve PCI compliance and a secure Zen Cart.

Tags: , , , , , , , , , , , , , , , , , , , , ,

3 Responses to “Zen Cart 1.3.8 Bug Fixes”

  1.  Zen Cart Marketing Says:

    […] and absolutely foremost, you MUST apply the proper security patches and keep your Zen Cart software up to date. This is in no way […]

  2.  Zen Cart SEO - 12 Steps to Success | E-Commerce for All Says:

    […] your Zen Cart software patched and up to date. This is not only a requirement for PCI compliance, but getting hacked is not good for any […]

  3.  Helpful Security Extras for Zen Cart | E-Commerce for All Says:

    […] Cart SecurityFirst and foremost make sure your Zen Cart is fully patched! No exceptions. Your Zen Cart you just downloaded and installed still needs […]

Template Original