We have compiled a list of the bug & security fixes you should be concerned with fixing on your 1.3.8 Zen Cart and those that are conditional, either by reported error or need. Please note that you should be subscribed to the Zen Cart 1.3.8 Bug Fixes thread & the Zen Cart Releases & Announcements thread for security and release patches & updates.
Required Zen Cart 1.3.8 Bug & Security Fixes
- Admin Security Patch June 12, 2008 – A security vulnerability in Zen Cart v1.3.x was announced on a few Security Forums (10-JUL-2008). This purported to be a Local File Inclusion vulnerability in 2 scripts in the Zen Cart Admin.
- Injection Protection Patch September 19, 2008 – A vulnerability in Zen Cart has been identified which could potentially allow rogue behavior if the site has magic_quotes_gpc turned off in the server/site’s PHP settings.
- Admin Security Patch June 19, 2009 – A vulnerability has been discovered in the admin section of v1.3.8 (and previous versions). To take advantage of this vulnerability an attacker must know the URL of your admin section. As our security recommendations point out, you should change the folder that your admin resides in as soon as you install Zen Cart.
- PCI Patch for Low Priority Warnings on Search June 27, 2009 – There are some reports of sites failing PCI scans due to an error message that can appear on the search screen if someone attempts to do a SQL injection attack. While the attack fails, an error message appears which, to the purists, discloses the name of the database table and thus gets flagged as a problem. While it’s a minor issue and poses no actual direct vulnerability, the PCI scan will fail. Patch updated for new PCI scan failure issue, 11/20/2009. Update your patch.
- noindex, nofollow Meta Robots Tag in Main Page Header Preventing Indexing of Main Page – Bug in v1.3.8 which only shows when you have Admin->Configuration->Layout Settings->Categories – Always Show on Main Page = 1
- Categories Meta Tags cannot be removed once added – Once added, custom category Meta tags cannot be removed.
- Product Meta Tag leaving blank record
- Back Button Returns to Home Page Instead – In some instances the Back button does not work and returns you to the home page instead of the last page.
- Typed Text Deleted in Field When reaching Max Characters – TEXT Attributes set to TEXTAREA with a limit on number of characters will delete the initially typed text when the maximum number of characters has been reached.
- queryFactory error on PHP5 in banner_monthly.php – This bug isn’t unique to v1.3.8 (has existed for many versions) but only shows in PHP5.
- Minimum Processing of Attributes – Minimum quantity is not processed properly for products with attributes when added to the cart; this also affects quantity discounts on mixed.
- Product & Category Lookups Issue – Looking up fields in products and products_description and looking up fields in categories and categories_description.
- Product & Category Lookups Issue in Admin – Lookup of fields in products or products_description by products_id in the Admin.
- ot_gv shows MySQL error when redeeming invalid GV code – Attempting to redeem a gift certificate using an invalid code can cause a MySQL error to appear.
- Security Alert: Remove extra folders from your server after install 11/28/2009 – In a standard Zen Cart install, there are a few additional folders provided which DO NOT need to be uploaded to your live webserver. In fact, leaving the files in those folders on your server can pose some security risks if not used as intended. While most of the risks are minor, in that attempting to access some of those files/scripts/documentation could reveal some information about your server which might allow more sophisticated hack “probing” to occur, there are some more significant risks, including unauthorized access to information on your server or even “accidental” wipe of your whole database in the case of the zc_install folder being left online.
- XSS or CSRF Protection Patch 11/30/2009 – While XSS or CSRF attacks are difficult to trigger and may not manifest very often, it is still important to protect against the ill effects which could be caused by them.
- NEW: USPS has updated their code for January 4, 2010 – A Zip file is available for v1.3.8 for the RateV3 and new USPS shipping methods. You will need to do a REMOVE, INSTALL and Configure for the changes to take effect, so write your settings down first.
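As an added example (not part of the original post or of Zen Cart’s own code), a small POSIX shell audit that checks a store root for the two post-install items from the list above: the zc_install folder still being online and the admin folder still using its default name. The extra folder names other than zc_install (docs, extras) and the reporting format are assumptions made for this example.

```shell
#!/bin/sh
# Post-install audit for a Zen Cart 1.3.8 store root.
# Checks two items from the fix list: leftover install folders (zc_install)
# and an admin folder that still uses the default name "admin".
# Folder names other than zc_install (docs, extras) are an assumption for
# this example, not taken from the patch notes.
EXTRA_DIRS="zc_install docs extras"

# zc_audit <store_root>: prints one FAIL line per finding and returns the
# number of findings as its exit status (0 means clean).
zc_audit() {
  root="$1"
  findings=0
  for d in $EXTRA_DIRS; do
    if [ -d "$root/$d" ]; then
      echo "FAIL: $root/$d is still on the server; delete it after install"
      findings=$((findings + 1))
    fi
  done
  # The security recommendations say to rename the admin folder right after install.
  if [ -d "$root/admin" ]; then
    echo "FAIL: $root/admin still uses the default folder name"
    findings=$((findings + 1))
  fi
  # Informational: the Injection Protection Patch covers the magic_quotes_gpc=off case.
  if command -v php >/dev/null 2>&1; then
    mq=$(php -r 'echo ini_get("magic_quotes_gpc") ? "on" : "off";' 2>/dev/null)
    echo "INFO: magic_quotes_gpc is ${mq:-unknown} on this PHP"
  fi
  echo "$findings finding(s) in $root"
  return "$findings"
}

# Usage: sh zc_audit.sh /path/to/store
if [ $# -gt 0 ]; then
  zc_audit "$1"
fi
```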
Conditional Patches & Fixes
- USPS Patch May 12, 2008 – This is a patch update/fix for USPS changes to International package choices.
- Authorize.net August 21, 2008 – Authorize.net is making changes effective October 1, 2008 which affect the size of Transaction ID values returned when payments are processed. Use the supplied fix to lengthen your Authorize.net table to hold the longer transaction ID number.
- Update for Payflow and PayPal-UK users March 26, 2009 – Due to various technical requirements, PayPal is upgrading the Payflow system to do away with the naming of the Verisign roots from which the Payflow service was derived. This information must be acted on before August 31, 2009.
- PHP 4.3.2 vs admin login issues in v1.3.7.x and v1.3.8 – Due to an inconsistency in how PHP 4.3.2 and newer versions of PHP handle sessions, sites running PHP 4.3.2 (specifically) cannot stay logged in to the admin area.
- Tax calculation logic for Gift Vouchers – Fix for the tax calculation logic applied to Gift Vouchers.
- Admin Category/Product Listing is not showing prices when Customer Authorization is set to 1 or 2 – Both of these will be fixed in v1.4 with a better arrangement of code.
- PayPal Website Payments Pro 10726 error with downloadable products – When checking out with Website Payments Pro with only downloadable products in the cart (or otherwise not requiring shipping for anything), error 10726 appears: “10726 – Invalid Data – There’s an error with this transaction. Please enter a complete shipping address.”
- Editing Customer Records in Admin Causes DOB to be Zeroed – Symptom: customer date of birth gets erased when editing customer records from the admin page, if the minimum length for the DOB field is set to zero.
- Linkpoint API payment module problem if using low-order-fee module – If you are using the low-order-fee module and using Linkpoint/Yourpay API payment module in v1.3.8, you will encounter some errors when submitting payments for processing.
- Division by Zero warning in ot_group_pricing – On the login page, with something in your cart, you might see a “Division by zero” warning from the ot_group_pricing.php module.
- Admin: Catchable fatal error in html_output.php – In the admin area, when accessing pages that have pulldown menus on them, you might occasionally see a “catchable fatal error in html_output.php”. This happens only in PHP5.
- Linkpoint Error SGS-020003: Invalid XML – “Invalid XML” errors when using the v1.3.8 LinkpointAPI payment module on orders which qualify for and select free-shipping.
- Fatal error: Cannot use object of type queryFactoryResult as array in /home/mysite/public_html/store/admin/includes/functions/general.php on line 2089 – When deleting “ALL attributes” for a given product via the Attributes Controller, AND the product has Download Files attached to it, the error appears.
- Tell a friend Emails linking to Incorrect Product Type – HTML-formatted emails generated by Tell-A-Friend always link to main default product-type. For example, if a product_music item was referenced, it would point to product_info instead of product_music_info in the URL.
- Error Unknown column ‘o.orders_id’ in ‘on clause’ occurs in the Admin Orders – Unknown column ‘o.orders_id’ in ‘on clause’ occurs in the Admin Orders screen when doing a search from the “Search by Product Name or ID:XX or Model” box (the standard “Search” box and Order ID searches work fine). This happens only on MySQL 5.0 and higher.
- LinkPoint API vs coupons – Using v1.3.8 and Linkpoint/yourpay API module along with a discount coupon would cause a SGS-002301 error to appear along with a message saying subtotals and charge total don’t match.
- Linkpoint API Rejecting Partial Quantities – Several issues have been fixed in the LinkpointAPI payment module since v1.3.8 was first released. They are summarized here, with an updated module file.
- Multiple Languages showing in What’s New sidebox
- $0.00 Gift Certificate balance in Admin Customers Display – In Admin customers display the right panel displays a $0.00 Gift Certificate balance when no order exists yet for a customer.
- Salemaker Issues w/ Linked Products – Sales created with Salemaker have problems on some sales involving Linked Products.
- Group Pricing vs Shipping Tax – VAT – Group Discount being applied to shipping for VAT purposes.
- PHP Fatal error: Call to a member function add() on a non-object in /includes/functions/functions_email.php on line 287 – PayPal Website Payments Standard transactions do not complete properly, and the PHP error above occurs while processing the IPN notification.
- PHP 5.3 Patch for Zen Cart – This patch was released 11/09/2009 to resolve bugs and issues related to PHP 5.3.x within Zen Cart. It is not a required patch for those running PHP versions below 5.3, but the patch is backwards compatible with all PHP 4 and 5 versions.
As you should already know, keeping your website software completely up to date is a PCI requirement, not an option. I have compiled this list, and will update it as I can to help you achieve PCI compliance and a secure Zen Cart.