Zen Cart PCI Scan Patch – New

By Melanie Prough on Friday, November 20, 2009
Filed Under: Zen Cart News

Yesterday we identified a PCI scanning issue affecting Zen Cart. Backbone Security, which provides our PCI scanning, helped us isolate and understand the following Level 5 scan failure.

Vulnerability: CGI Generic SQL Injection Vulnerability
Category: http (80/tcp)
Security Level: 5
Synopsis:
A web application is potentially vulnerable to SQL injection.
Description:
By providing specially crafted parameters to CGIs, Nessus was able to get an error from the underlying database. This error suggests that the CGI is affected by a SQL injection vulnerability. An attacker may exploit this flaw to bypass authentication, read confidential data, modify the remote database, or even take control of the remote operating system.

We immediately passed the information to the Zen Cart development team, who responded with a patched solution within an hour.

PCI Scans – Patch for Zen Cart

To resolve this issue you will need to download the new patch and install it. It replaces the patch released in June 2009 for 1.3.x Zen Carts and goes in the following path…

/includes/extra_configures/pci_patch_v13x_search.php

Although this issue does not expose a real vulnerability, it produces a database error screen, and that error screen is what triggers the Level 5 scan failure quoted above.

The sort-handling code loops through the allowed sort options and, when the supplied value matches none of them, still appends an "order by" clause with no field after it, so the database returns a syntax error. This is not an exploitable injection: the attacker-supplied value is discarded by the built-in sanitization and never reaches the query. The defect is that the resulting SQL error is not trapped, so it is rendered to the visitor. A scanner cannot tell a rendered error caused by a harmless syntax slip from one caused by a successful injection, and verbose database errors are flagged by PCI scans as information disclosure in their own right, so both the query construction and the error handling need to be fixed.
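The following is an added illustration of the failure mode described above, not code from Zen Cart or from the patch; it is written in Python against an in-memory SQLite table rather than in Zen Cart's PHP/MySQL, and the sort keys, column names and sample rows are constructed for the example. It shows the unpatched pattern (whitelist loop that falls through to a bare ORDER BY), the patched form (fall back to a known-good sort), and the difference between echoing the database error and trapping it.

```python
import sqlite3

# Sort keys a visitor may pass in the URL, mapped to the column expression each
# one means. The lookup is the sanitization step: anything not in this table
# never reaches the SQL text. (Constructed whitelist; Zen Cart's own keys are not
# reproduced here.)
SORT_OPTIONS = {
    "1a": "products_name ASC",
    "1d": "products_name DESC",
    "2a": "products_price ASC",
    "2d": "products_price DESC",
}


def build_query_unpatched(sort_param):
    """The pattern the post describes: walk the options, set the order-by field
    only on a match, then append ORDER BY regardless. An unknown value
    (including an injection attempt) falls through and yields 'ORDER BY ' with
    no field, which is a syntax error, not an injection."""
    order_by = ""
    for key, column in SORT_OPTIONS.items():
        if sort_param == key:
            order_by = column
            break
    return "SELECT products_name, products_price FROM products ORDER BY " + order_by


def build_query_patched(sort_param, default="1a"):
    """Same whitelist, but an unknown value falls back to a known-good default,
    so the statement is always syntactically complete."""
    column = SORT_OPTIONS.get(sort_param, SORT_OPTIONS[default])
    return "SELECT products_name, products_price FROM products ORDER BY " + column


def render_listing(conn, sort_param, build_query, trap_errors):
    """Return the page body a visitor would see. With trap_errors=False the raw
    database error is echoed into the page, which is what the scanner keyed on;
    with trap_errors=True the visitor gets a generic message and the detail
    goes only to the server log."""
    sql = build_query(sort_param)
    try:
        rows = conn.execute(sql).fetchall()
        return "\n".join(f"{name}\t{price:.2f}" for name, price in rows)
    except sqlite3.Error as exc:
        if not trap_errors:
            return f"Database error: {exc} -- in query: {sql}"
        print(f"[log] sort={sort_param!r} sql={sql!r} error={exc}")  # server side only
        return "Sorry, this listing could not be displayed."


def sample_db():
    """Constructed in-memory catalogue so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (products_name TEXT, products_price REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?)",
        [("Widget", 9.99), ("Gadget", 24.50), ("Bolt", 0.75)],
    )
    return conn


if __name__ == "__main__":
    conn = sample_db()
    probe = "1a' OR 1=1--"  # the kind of value a scanner sends in the sort parameter
    print(build_query_unpatched(probe))  # ends in a dangling 'ORDER BY '
    print(render_listing(conn, probe, build_query_unpatched, trap_errors=False))
    print(render_listing(conn, probe, build_query_patched, trap_errors=True))
```

Running it shows that the injected text never appears in the generated SQL under either builder (the whitelist does its job), but only the patched builder with trapped errors produces a page a scanner will pass: no dangling clause, and nothing in the response that looks like a database error.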


2 Responses to “Zen Cart PCI Scan Patch – New”

  1.  Zen Cart Marketing Says:

    […] minor issue and poses no actual direct vulnerability, the PCI scan will fail. Patch updated for new PCI scan failure issue, 11/20/2009. Update your […]

  2.  Tweets that mention Zen Cart Marketing -- Topsy.com Says:

    […] This post was mentioned on Twitter by PRO-Webs, Inc, PRO-Webs, Inc. PRO-Webs, Inc said: RT @prowebs Zen Cart Marketing http://bit.ly/44R9Il […]
