Critical Zen Cart Vulnerability Could Spell Black Friday Disaster For Shoppers

Mark Wilson writes: It's around this time of year, with Black Friday looming and Christmas just around the corner, that online sales boom. Today security firm High-Tech Bridge has issued a warning to retailers and shoppers about a critical vulnerability in the popular Zen Cart shopping management system. High-Tech Bridge has provided Zen Cart with full details of the security flaw which could allow remote attackers to infiltrate web servers and gain access to customer data. Servers running Zen Cart are also at risk of malware, meaning that hundreds of thousands of ecommerce sites pose a potential danger. Technical details of the vulnerability are not yet being made public, but having notified Zen Cart of the issue High-Tech Bridge says the date of full public disclosure is 16 December.

see something

[turkeydance]

say something. don't ask, don't tell. bacon is bad. now what was that again?

More like ....

[drpimp]

Hack Friday ... amirite?

Re:High-Tech assholes!

High-Tech assholes want to make a name for themselves. I bet they've been sitting on this just waiting for this time of year.

My first thought too.

The latest version as well?

[LewekLeonek]

According to the original source (https://www.htbridge.com/advisory/HTB23282) the security issue affects versions 1.5.3 "and probably prior" (you gotta love the wording). When I looked at the Zen Cart site today v1.5.4 has been out for almost a year. Now someone else please take it from here...

Re: The latest version as well?

[BarbaraHudson]

Most of the people running zencart are probably going to have to wait until their hosting provider supplies a one-click upgrade, same as Android users had to wait for their phone company to push out the upgrade that took care of stagefright, heartblead, etc.

Re:The latest version as well?

[TechyImmigrant]

heh, and how many websites get updated? If it ain't hacked yet... well, don't look... we don't want to upgrade.

It is the norm for these frameworks that the installation involves fifteen pages of "put that there, set that permission, put this in the apache config, install this pre-req". Tomato Cart and Zen Cart, I'm looking at you.

By the time you finally get it running, it seems like you have a massively fragile configuration consisting of many small changes. The idea of dropping an upgraded codebase on that is akin to saying "Your website will go down for a week while you get it running again, because that's how long it took you last time".

What is needed for a fix is instructions to "Change this line to say this" in your existing codebase. So you can make a minimally invasive change.

Re:The latest version as well?

It's not just that, the upgrade procedure is basically: Do a clean install then manually re-apply any customizations.

It really is a massive amount of work to upgrade it.

Re: The latest version as well?

[_merlin]

What's behind changing your sig from the previous LGBTt line to the current one that completely dissociates t from LGBT? Just curious.

Re:The latest version as well?

[ElBeano]

Not every upgrade, but far too many are just like this ^.

Re: The latest version as well?

[BarbaraHudson]

Gays, Lesbians, and Bisexuals are about sexual practices. Transgendered is a bastardized term that includes cross-dressers and drag queens, which is a sexual fetish (not that I'm criticizing this, to each their own, etc). Unfortunately, even in the LGBT, many people think that transsexuals are really just gay cross-dressers. This attitude comes from the top down, as many of the influential LGBT organizations are directed exclusively by gay white men.

They don't get that transsexuals are different - live brain scans have proven that our brains resemble our target gender both in sexually dimorphic areas, and in the overall networking. Even the general public is often more enlightened ,,, sheesh! When they argue that they've helped transsexuals by having drag queens on their floats, it's way past time to take them seriously.

Not that I ever had contact with any LGBT groups - didn't need to deal with their crap in addition to my own :-) But I see others buying into the whole "you need to let us keep you safe in our gay ghetto because it's a safe space where we all can live authentic lives" bullcrap. Sure, I've known a few gays and lesbians, but that doesn't mean that I need their weird brand of withdraw-from-the-world protection - I leave that to the cults.

We achieved social acceptance long before gays came out of the closet - Christine Jorgensen is a good example of early fame and fortune. We got this reception because the vast majority of people are curious. It was only when the gay rights movement came out and started rioting that we got caught in the back-splash of religious intolerance. So, in a way, they've been riding our coat-tails to a certain extent. After all, we could marry in our target gender without enabling legislation, they couldn't.

The worst part is, if you say any of this, "you're harming the community." My message to them is "You're not my community. My community is family, friends, neighbors, acquaintances ... without respect to color, ethnic origin, sex, sexual orientation, gender, physical or mental illness, etc ...." Rather than hiding in a gay ghetto because I need protection to live an authentic life (btw - how the heck do you live an authentic life when you're so paranoid about the rest of the world???) I help shape the world around me to be my "safe space" - for everyone.

I also don't like the bogus "self-affirming" games that transsexuals in the LGBT movement play ... the latest one was "this year we should all wear purple to mark the Transgender Day of Remembrance." A pretty safe thing to do because nobody outside their little group even knows what it signifies ... and if it ever gets to the point where people do, will they be pressured to out themselves by cooperating? This is slacktivism. Why not wear a T-shirt that says "Yes, I am a transsexual. Any questions for me?" and a big smiley face to invite discussion. I'd wear it to the mall ... but them? "Oh noes!" "Too dangerous!" They wouldn't dare take any action to pay it forward in memory of those who fought for our rights before us. No wonder they feel they have to hide in the gay ghetto to have their "safe spaces" and lead their circumscribed "authentic lives." Deep down, they are ashamed.

Stockholm Syndrome is what it is.

Re: The latest version as well?

[BarbaraHudson]

I have no problem with gays, lesbians, bisexuals, drag queens, whatever - except that their attitude towards us is like a useless appendage - handy to drag out when it gains "the community" something, but otherwise ignored, or worse, blurring the line between cross-dressers, etc., and transsexuals, helping perpetuate the myth that transsexuals are really gay men in dresses.

Toxic? You betcha! "Chuck you Farley Brown! I don't need you to tell me what I am or how to live my life" is probably a pretty muted response.

Re: The latest version as well?

[_merlin]

Thanks for taking the time to answer in detail about your thoughts on the issue.

Re: The latest version as well?

[BarbaraHudson]

You're welcome. The full answer is much more complex, involves going into a lot of details, etc ... I'll probably do a journal entry on it at some point. :-)

Re:Further proof the web model blows

[ooshna]

And yet you continue to use the web...

How will Russia celebrate Thanksgiving?

[12WTF$]

Roast Turkey, of course.

How can you tell?

[freeze128]

Zencart? How is a typical shopper supposed to know if the online retailer that they are using is using the Zencart system?

Re:How can you tell?

https://www.zen-cart.com/showcase.php

Not the most succinct way to go about it but the big ones are on there.

Re:How can you tell?

[drgould]

In the default configuration the phrase "Powered by Zencart" appears at the bottom of each page.

Also, the default Zencart themes and icons are unmistakable if you know what they look like.

Re:How can you tell?

[kervin]

Well, for example you can use builtwith.com. E.g. http://builtwith.com/adafruit.com

Re:How can you tell?

[Gravis+Zero]

It's actually pretty obvious if they are using Zen Cart. Instead of a "checkout" button it has a "continue the cycle" button. ;)

Re: Further proof the web model blows

[TechyImmigrant]

OK, I'll bite. What do you consider to be better than php?

I coded the payment system on our store's website in python CGI scripts. Keep it simple first. It helps that I'm a crypto security type engineer for a big techy company in my day job, so it's not a challenge to bake in defense in depth. It sucks when PCI-DSS scans ding you for insecure versions after their probe finds my honeypot.

Re:lol

[TechyImmigrant]

I don't know about zen cart, but it's based on osCommerce which is a nasty piece of shit.

I tried to use it. Learn from my experience. Don't.

Re: Further proof the web model blows

[John+Da'+Baddest]

Too many assumptions here. Presumably the honeypot is full of false data delivering nonsense alerts to nowhere, and the owner is aware when it's compromised. That's what it's for. Of course, if you assume that hackers take over your entire data center at all 7 OSI layers, it really doesn't matter what defenses you have in place.

Re: Further proof the web model blows

[TechyImmigrant]

The honeypot is a simple way to identify an attack source. It's only one thing. As for any defense-in-depth structure, the failure of one thing doesn't compromise the whole. Preferably the failure of several things doesn't compromise the whole.

If you think there is anything to do with security in the PCI-DSS specs, you are sadly mistaken. They are a pile of poo.

Re: Further proof the web model blows

[JustAnotherOldGuy]

I coded the payment system on our store's website in python CGI scripts.

You can write secure code or insecure code in any language. You haven't shown anything that proves PHP itself is less secure than Python or Perl or ASP or $favorite_language.

I've written hundreds of thousands of lines of PHP and I put security as my primary concern. None of them have been hacked because I rigorously sanitize data and don't allow users to access things they shouldn't. Yes, it's a bit of a pain to try and cover every conceivable attack vector, but you can write secure code in PHP just as you can in any language. It's not the language, it's the implementation of the code you write.

Zen Cart is a mess

[JustAnotherOldGuy]

The Zen Cart code is a mess, and I'm not surprised that it has vulnerabilities.

XCart seems much better, but it's a monster codebase. It probably has some vulnerabilities too.

Re:Zen Cart is a mess

[keko]

ZenCart is as awful as WordPress, but with credit cards.

Re:Zen Cart is a mess

[JustAnotherOldGuy]

ZenCart is as awful as WordPress, but with credit cards.

Not to worry, WordPress has plenty of plugins that will allow you to insecurely use your credit card in ways that would make a hacker dance with joy.

Re:Zen Cart is a mess

[Ice+Station+Zebra]

Of course it is, it was based off of oscommerce another steaming pile of phpshit.

Re: Further proof the web model blows

[TechyImmigrant]

I coded the payment system on our store's website in python CGI scripts.

You can write secure code or insecure code in any language. You haven't shown anything that proves PHP itself is less secure than Python or Perl or ASP or $favorite_language.

I've written hundreds of thousands of lines of PHP and I put security as my primary concern. None of them have been hacked because I rigorously sanitize data and don't allow users to access things they shouldn't. Yes, it's a bit of a pain to try and cover every conceivable attack vector, but you can write secure code in PHP just as you can in any language. It's not the language, it's the implementation of the code you write.

I was answering the question as asked, not filling in the details to satisfy your curiosity.
The relevant bit is attack surface and the reduction thereof, by doing things outside the memory space of the web server and passing all data through a well controlled pipe. You might be able to write secure code in PHP. But the language is largely irrelevant to the method of attack surface reduction I was employing that I was referring to, whereas CGI is. Old school, simple, separated.

Citation, Please?

[brentlaminack]

Could somebody post the original article that this post summarizes? e.g. Where can we get further information?

Re: Further proof the web model blows

[JustAnotherOldGuy]

But the language is largely irrelevant to the method of attack surface reduction I was employing that I was referring to

And that was my point entirely.

Not shopping

[tompaulco]

Because of this, or in spite of this, or regardless of this (choose one), I will not be doing any black Friday shopping. I choose not to commemorate the anniversary of the collapse of gold prices in the stock market.

Re: Further proof the web model blows

[TechyImmigrant]

But the language is largely irrelevant to the method of attack surface reduction I was employing that I was referring to

And that was my point entirely.

But not a contradiction of mine, which is how you cast it.