Critical Zen Cart Vulnerability Could Spell Black Friday Disaster For Shoppers

Mark Wilson writes: It's around this time of year, with Black Friday looming and Christmas just around the corner, that online sales boom. Today security firm High-Tech Bridge has issued a warning to retailers and shoppers about a critical vulnerability in the popular Zen Cart shopping management system. High-Tech Bridge has provided Zen Cart with full details of the security flaw which could allow remote attackers to infiltrate web servers and gain access to customer data. Servers running Zen Cart are also at risk of malware, meaning that hundreds of thousands of ecommerce sites pose a potential danger. Technical details of the vulnerability are not yet being made public, but having notified Zen Cart of the issue High-Tech Bridge says the date of full public disclosure is 16 December.

Further proof the web model blows

All I keep seeing day in and day out are how buggy the crap you webchumps make is and the frameworks you use too. Nearly every single day the news shows it.

Re:Further proof the web model blows

[ooshna]

And yet you continue to use the web...

Re:Further proof the web model blows

web model is fine; on the other hand php sucks.

Re: Further proof the web model blows

OK, I'll bite. What do you consider to be better than php?

Re: Further proof the web model blows

[TechyImmigrant]

OK, I'll bite. What do you consider to be better than php?

I coded the payment system on our store's website in python CGI scripts. Keep it simple first. It helps that I'm a crypto security type engineer for a big techy company in my day job, so it's not a challenge to bake in defense in depth. It sucks when PCI-DSS scans ding you for insecure versions after their probe finds my honeypot.

Re: Further proof the web model blows

Defense in depth is, by definition, not simply "baked in". Don't kid yourself, what you did was only once piece of a very large puzzle.

Honeypots on a network with software that is running on the network is a vulnerability. Differing versions of the same software on a network can lead to leapfrogging, reflection, and worse. Imagine if someone knows full well it's a honeypot (outdated and new version on same network gives that away) they could compromise the honeypot, mimic the production server, then DOS the rest, email alerts and all. Then all your processing information is out the door.

The people that "dinged" you for your theatrics were right in doing so.

Re: Further proof the web model blows

[John+Da'+Baddest]

Too many assumptions here. Presumably the honeypot is full of false data delivering nonsense alerts to nowhere, and the owner is aware when it's compromised. That's what it's for. Of course, if you assume that hackers take over your entire data center at all 7 OSI layers, it really doesn't matter what defenses you have in place.

Re: Further proof the web model blows

[TechyImmigrant]

The honeypot is a simple way to identify an attack source. It's only one thing. As for any defense-in-depth structure, the failure of one thing doesn't compromise the whole. Preferably the failure of several things doesn't compromise the whole.

If you think there is anything to do with security in the PCI-DSS specs, you are sadly mistaken. They are a pile of poo.

Re: Further proof the web model blows

[JustAnotherOldGuy]

I coded the payment system on our store's website in python CGI scripts.

You can write secure code or insecure code in any language. You haven't shown anything that proves PHP itself is less secure than Python or Perl or ASP or $favorite_language.

I've written hundreds of thousands of lines of PHP and I put security as my primary concern. None of them have been hacked because I rigorously sanitize data and don't allow users to access things they shouldn't. Yes, it's a bit of a pain to try and cover every conceivable attack vector, but you can write secure code in PHP just as you can in any language. It's not the language, it's the implementation of the code you write.

Re: Further proof the web model blows

Anything that doesn't actively encourage SQL injection attacks.

If you have to know the inner workings of a language API to avoid SQL injection attacks, it's crap.

Re: Further proof the web model blows

[TechyImmigrant]

I coded the payment system on our store's website in python CGI scripts.

You can write secure code or insecure code in any language. You haven't shown anything that proves PHP itself is less secure than Python or Perl or ASP or $favorite_language.

I've written hundreds of thousands of lines of PHP and I put security as my primary concern. None of them have been hacked because I rigorously sanitize data and don't allow users to access things they shouldn't. Yes, it's a bit of a pain to try and cover every conceivable attack vector, but you can write secure code in PHP just as you can in any language. It's not the language, it's the implementation of the code you write.

I was answering the question as asked, not filling in the details to satisfy your curiosity.
The relevant bit is attack surface and the reduction thereof, by doing things outside the memory space of the web server and passing all data through a well controlled pipe. You might be able to write secure code in PHP. But the language is largely irrelevant to the method of attack surface reduction I was employing that I was referring to, whereas CGI is. Old school, simple, separated.

Re: Further proof the web model blows

[JustAnotherOldGuy]

But the language is largely irrelevant to the method of attack surface reduction I was employing that I was referring to

And that was my point entirely.

Re:Further proof the web model blows

Do we have a choice? His point stands strong no matter what bullshit goof stooge incompetents like you webchumps say: Your shit blows.

Re: Further proof the web model blows

[TechyImmigrant]

But the language is largely irrelevant to the method of attack surface reduction I was employing that I was referring to

And that was my point entirely.

But not a contradiction of mine, which is how you cast it.

High-Tech assholes!

High-Tech assholes want to make a name for themselves. I bet they've been sitting on this just waiting for this time of year.

Re:High-Tech assholes!

High-Tech assholes want to make a name for themselves. I bet they've been sitting on this just waiting for this time of year.

My first thought too.

First

First?!?! FIRST POST

see something

[turkeydance]

say something. don't ask, don't tell. bacon is bad. now what was that again?

Re:see something

Eat bacon and multiply. Everything else is secondary.

More like ....

[drpimp]

Hack Friday ... amirite?

shit php/MySQL

More shit php/MySQL.

php & MySQL so easy to use any dumb-fucker can use them without reading the manual.

Do you really want a dumb fucker who doesn't read the manual writing your e-commerce site?

Re:shit php/MySQL

I sense much ass hurt from a php/MySQL developer.

lol

I don't know about zen cart, but it's based on osCommerce which is a nasty piece of shit.

Re:lol

[TechyImmigrant]

I don't know about zen cart, but it's based on osCommerce which is a nasty piece of shit.

I tried to use it. Learn from my experience. Don't.

The latest version as well?

[LewekLeonek]

According to the original source (https://www.htbridge.com/advisory/HTB23282) the security issue affects versions 1.5.3 "and probably prior" (you gotta love the wording). When I looked at the Zen Cart site today v1.5.4 has been out for almost a year. Now someone else please take it from here...

Re:The latest version as well?

heh, and how many websites get updated? If it ain't hacked yet... well, don't look... we don't want to upgrade.

Re: The latest version as well?

[BarbaraHudson]

Most of the people running zencart are probably going to have to wait until their hosting provider supplies a one-click upgrade, same as Android users had to wait for their phone company to push out the upgrade that took care of stagefright, heartblead, etc.

Re:The latest version as well?

[TechyImmigrant]

heh, and how many websites get updated? If it ain't hacked yet... well, don't look... we don't want to upgrade.

It is the norm for these frameworks that the installation involves fifteen pages of "put that there, set that permission, put this in the apache config, install this pre-req". Tomato Cart and Zen Cart, I'm looking at you.

By the time you finally get it running, it seems like you have a massively fragile configuration consisting of many small changes. The idea of dropping an upgraded codebase on that is akin to saying "Your website will go down for a week while you get it running again, because that's how long it took you last time".

What is needed for a fix is instructions to "Change this line to say this" in your existing codebase. So you can make a minimally invasive change.

Re:The latest version as well?

It's not just that, the upgrade procedure is basically: Do a clean install then manually re-apply any customizations.

It really is a massive amount of work to upgrade it.

Re: The latest version as well?

[_merlin]

What's behind changing your sig from the previous LGBTt line to the current one that completely dissociates t from LGBT? Just curious.

Re:The latest version as well?

[ElBeano]

Not every upgrade, but far too many are just like this ^.

Re: The latest version as well?

fags are stupid and need to die and the trannies don't want to be associated with their toxic culture?

Re: The latest version as well?

[BarbaraHudson]

Gays, Lesbians, and Bisexuals are about sexual practices. Transgendered is a bastardized term that includes cross-dressers and drag queens, which is a sexual fetish (not that I'm criticizing this, to each their own, etc). Unfortunately, even in the LGBT, many people think that transsexuals are really just gay cross-dressers. This attitude comes from the top down, as many of the influential LGBT organizations are directed exclusively by gay white men.

They don't get that transsexuals are different - live brain scans have proven that our brains resemble our target gender both in sexually dimorphic areas, and in the overall networking. Even the general public is often more enlightened ,,, sheesh! When they argue that they've helped transsexuals by having drag queens on their floats, it's way past time to take them seriously.

Not that I ever had contact with any LGBT groups - didn't need to deal with their crap in addition to my own :-) But I see others buying into the whole "you need to let us keep you safe in our gay ghetto because it's a safe space where we all can live authentic lives" bullcrap. Sure, I've known a few gays and lesbians, but that doesn't mean that I need their weird brand of withdraw-from-the-world protection - I leave that to the cults.

We achieved social acceptance long before gays came out of the closet - Christine Jorgensen is a good example of early fame and fortune. We got this reception because the vast majority of people are curious. It was only when the gay rights movement came out and started rioting that we got caught in the back-splash of religious intolerance. So, in a way, they've been riding our coat-tails to a certain extent. After all, we could marry in our target gender without enabling legislation, they couldn't.

The worst part is, if you say any of this, "you're harming the community." My message to them is "You're not my community. My community is family, friends, neighbors, acquaintances ... without respect to color, ethnic origin, sex, sexual orientation, gender, physical or mental illness, etc ...." Rather than hiding in a gay ghetto because I need protection to live an authentic life (btw - how the heck do you live an authentic life when you're so paranoid about the rest of the world???) I help shape the world around me to be my "safe space" - for everyone.

I also don't like the bogus "self-affirming" games that transsexuals in the LGBT movement play ... the latest one was "this year we should all wear purple to mark the Transgender Day of Remembrance." A pretty safe thing to do because nobody outside their little group even knows what it signifies ... and if it ever gets to the point where people do, will they be pressured to out themselves by cooperating? This is slacktivism. Why not wear a T-shirt that says "Yes, I am a transsexual. Any questions for me?" and a big smiley face to invite discussion. I'd wear it to the mall ... but them? "Oh noes!" "Too dangerous!" They wouldn't dare take any action to pay it forward in memory of those who fought for our rights before us. No wonder they feel they have to hide in the gay ghetto to have their "safe spaces" and lead their circumscribed "authentic lives." Deep down, they are ashamed.

Stockholm Syndrome is what it is.

Re: The latest version as well?

[BarbaraHudson]

I have no problem with gays, lesbians, bisexuals, drag queens, whatever - except that their attitude towards us is like a useless appendage - handy to drag out when it gains "the community" something, but otherwise ignored, or worse, blurring the line between cross-dressers, etc., and transsexuals, helping perpetuate the myth that transsexuals are really gay men in dresses.

Toxic? You betcha! "Chuck you Farley Brown! I don't need you to tell me what I am or how to live my life" is probably a pretty muted response.

Re: The latest version as well?

[_merlin]

Thanks for taking the time to answer in detail about your thoughts on the issue.

Re: The latest version as well?

[BarbaraHudson]

You're welcome. The full answer is much more complex, involves going into a lot of details, etc ... I'll probably do a journal entry on it at some point. :-)

PHP: Secure Your Site Like It's 2004

We don't need to escape strings, because back in 2005 we wrote a regex that checks for SQL injection attacks. It worked with all five examples we threw at it, which is basically test driven development.

I can spell it fine all by my self

D-I-S-A-S-T-E-R

How will Russia celebrate Thanksgiving?

[12WTF$]

Roast Turkey, of course.

How can you tell?

[freeze128]

Zencart? How is a typical shopper supposed to know if the online retailer that they are using is using the Zencart system?

Re:How can you tell?

https://www.zen-cart.com/showcase.php

Not the most succinct way to go about it but the big ones are on there.

Re:How can you tell?

[drgould]

In the default configuration the phrase "Powered by Zencart" appears at the bottom of each page.

Also, the default Zencart themes and icons are unmistakable if you know what they look like.

Re:How can you tell?

[kervin]

Well, for example you can use builtwith.com. E.g. http://builtwith.com/adafruit.com

Re:How can you tell?

[Gravis+Zero]

It's actually pretty obvious if they are using Zen Cart. Instead of a "checkout" button it has a "continue the cycle" button. ;)

Re:How can you tell?

https://wappalyzer.com is really good for showing what tech a website is running. Browser extensions for Firefox, Chrome and Opera. A Bookmarklet for other browsers.

Business Study

Critical Zen Cart Vulnerability Could Spell Black Friday Disaster For Shoppers. This a great online sales boom. I really enjoy this post.

Zen Cart is a mess

[JustAnotherOldGuy]

The Zen Cart code is a mess, and I'm not surprised that it has vulnerabilities.

XCart seems much better, but it's a monster codebase. It probably has some vulnerabilities too.

Re:Zen Cart is a mess

[keko]

ZenCart is as awful as WordPress, but with credit cards.

Re:Zen Cart is a mess

[JustAnotherOldGuy]

ZenCart is as awful as WordPress, but with credit cards.

Not to worry, WordPress has plenty of plugins that will allow you to insecurely use your credit card in ways that would make a hacker dance with joy.

Re:Zen Cart is a mess

ZenCart is better! Comes fraud-enabled by default, no plugins!

Re:Zen Cart is a mess

AGREE!!! Zen cart code is clean and well documented. it is up to the user, ... to make a mess of it ... (Zen Cart Dev. since 2008!)

Re:Zen Cart is a mess

[Ice+Station+Zebra]

Of course it is, it was based off of oscommerce another steaming pile of phpshit.

Great timing.

I am sure they just happened to discover the flaw at this time. It's not like they where sitting on the discovery, releasing the warning at maximum point of hysteria..

Citation, Please?

[brentlaminack]

Could somebody post the original article that this post summarizes? e.g. Where can we get further information?

Re:Citation, Please?

It's in the summary title

Not shopping

[tompaulco]

Because of this, or in spite of this, or regardless of this (choose one), I will not be doing any black Friday shopping. I choose not to commemorate the anniversary of the collapse of gold prices in the stock market.

"His" point?

you both said "webchumps", are you have a bout of schizophrenia again?

POC please?

I want to own some retards running php

ZenCart Patch Already on their forum...

[MindlessGenius]

No panic... a patch is out already.

In Zen Cart v1.5.4 the /ajax.php file has a vulnerability which can be used to cause a server exploit under very specific conditions.

The patch is simple: replace the /ajax.php file with the one attached below.

https://www.zen-cart.com/showt...