Yesterday, we identified a PCI scanning issue for Zen Cart. Backbone Security provides our PCI scanning and helped us to isolate and understand the following PCI scan Level 5 failure.
Vulnerability: CGI Generic SQL Injection Vulnerability
Category: http (80/tcp)
Security Level: 5
A web application is potentially vulnerable to SQL injection.
By providing specially crafted parameters to CGIs, Nessus was able to get an error from the underlying database. This error suggests that the CGI is affected by a SQL injection vulnerability. An attacker may exploit this flaw to bypass authentication, read confidential data, modify the remote database, or even take control of the remote operating system.
We immediately made the information available to the Zen Cart development team, who responded with a patched solution within an hour.
PCI Scans – Patch for Zen Cart
To resolve this issue, you will need to get the new patch, which replaces the existing patch released in June of 2009 for 1.3.X Zen Carts, and install it into the following path…
While it has been expressed that this issue caused no real vulnerability, it will cause a PCI scan failure by producing an error screen, which is what triggers the PCI Level 5 scan failure above.
The code loops through the sort options, and even though it never finds a valid one, it produces a SQL error because the “order by” clause is added without an actual order-by field. It’s not an actual vulnerability, because the hack attempt is killed by the built-in sanitization. However, the SQL error that occurs is not trapped properly.
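The failure mode described above, as an added example that is not Zen Cart's code or the patch itself: a sort-option loop that appends ORDER BY without a field, next to a version that falls back to a default column, with the database error trapped by the caller. The table, option map and function names are hypothetical, and SQLite stands in for the shop database.

```python
import sqlite3

# Hypothetical allowlist: request value -> column actually used in ORDER BY.
SORT_OPTIONS = {"1": "name", "2": "price"}

def make_db():
    # Constructed sample data in an in-memory database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT, price REAL)")
    db.executemany("INSERT INTO products VALUES (?, ?)",
                   [("widget", 9.5), ("anvil", 40.0), ("gasket", 1.25)])
    return db

def order_clause_buggy(sort_param):
    # Mirrors the described defect: when the loop finds no match, the
    # ORDER BY keyword is still appended with no field after it.
    clause = " ORDER BY "
    for key, column in SORT_OPTIONS.items():
        if sort_param == key:
            clause += column
    return clause

def order_clause_fixed(sort_param, default="name"):
    # Unknown values fall back to a default column, so the statement is
    # always well-formed and request text never reaches the SQL string.
    return " ORDER BY " + SORT_OPTIONS.get(sort_param, default)

def list_products(db, sort_param, build_clause):
    sql = "SELECT name FROM products" + build_clause(sort_param)
    try:
        return [row[0] for row in db.execute(sql)]
    except sqlite3.Error:
        # Trap the database error: handle it server-side and return a
        # neutral result instead of an error screen a scanner would flag.
        return None

if __name__ == "__main__":
    db = make_db()
    probe = "1' OR '1'='1"  # constructed scanner-style parameter value
    print("buggy:", list_products(db, probe, order_clause_buggy))
    print("fixed:", list_products(db, probe, order_clause_fixed))
```

In both versions the request value is only compared against the allowlist and never concatenated into the query, which is why the malformed statement is a scan failure rather than an injection.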