Slashdot Mirror


Critical Zen Cart Vulnerability Could Spell Black Friday Disaster For Shoppers (htbridge.com)

Mark Wilson writes: It's around this time of year, with Black Friday looming and Christmas just around the corner, that online sales boom. Today security firm High-Tech Bridge has issued a warning to retailers and shoppers about a critical vulnerability in the popular Zen Cart shopping management system. High-Tech Bridge has provided Zen Cart with full details of the security flaw, which could allow remote attackers to infiltrate web servers and gain access to customer data. Servers running Zen Cart are also at risk of malware, meaning that hundreds of thousands of ecommerce sites pose a potential danger. Technical details of the vulnerability are not yet being made public, but, having notified Zen Cart of the issue, High-Tech Bridge says the date of full public disclosure is 16 December.

9 of 59 comments

  1. The latest version as well? by LewekLeonek · · Score: 2

    According to the original source (https://www.htbridge.com/advisory/HTB23282) the security issue affects versions 1.5.3 "and probably prior" (you gotta love the wording). When I looked at the Zen Cart site today, v1.5.4 had been out for almost a year. Now someone else please take it from here...

    1. Re: The latest version as well? by BarbaraHudson · · Score: 3, Insightful

      Most of the people running Zen Cart are probably going to have to wait until their hosting provider supplies a one-click upgrade, same as Android users had to wait for their phone company to push out the upgrade that took care of Stagefright, Heartbleed, etc.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    2. Re: The latest version as well? by _merlin · · Score: 2

      What's behind changing your sig from the previous LGBTt line to the current one that completely dissociates t from LGBT? Just curious.

  2. How will Russia celebrate Thanksgiving? by 12WTF$ · · Score: 2

    Roast Turkey, of course.

    --
    Cryonics - Keep cool and carry on.
  3. How can you tell? by freeze128 · · Score: 3, Insightful

    Zencart? How is a typical shopper supposed to know if the online retailer that they are using is using the Zencart system?

    1. Re: How can you tell? by Anonymous Coward · · Score: 2, Informative

      https://www.zen-cart.com/showcase.php

      Not the most succinct way to go about it but the big ones are on there.

  4. Re: lol by TechyImmigrant · · Score: 2

    I don't know about zen cart, but it's based on osCommerce which is a nasty piece of shit.

    I tried to use it. Learn from my experience. Don't.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  5. Re: Further proof the web model blows by JustAnotherOldGuy · · Score: 2

    I coded the payment system on our store's website in python CGI scripts.

    You can write secure code or insecure code in any language. You haven't shown anything that proves PHP itself is less secure than Python or Perl or ASP or $favorite_language.

    I've written hundreds of thousands of lines of PHP and I put security as my primary concern. None of them have been hacked because I rigorously sanitize data and don't allow users to access things they shouldn't. Yes, it's a bit of a pain to try and cover every conceivable attack vector, but you can write secure code in PHP just as you can in any language. It's not the language, it's the implementation of the code you write.

    --
    Just cruising through this digital world at 33 1/3 rpm...
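
The comment above argues that PHP security is a matter of implementation: sanitize input and keep users away from data that isn't theirs. The following is an added illustration of that point, not code from the thread, from Zen Cart or from the commenter's store. It shows an order lookup written the way that gets sites breached (request data concatenated into SQL, and the client telling the server whose order it is) beside a hardened version that validates, uses PDO prepared statements, and takes the customer identity from the authenticated session. The table and column names (`orders`, `orders_id`, `customers_id`, `order_total`) and the `oID`/`cID` request parameters are assumptions made up for the example.

```php
<?php
// Added example, not from Zen Cart or the original thread.
// Table/column names and request parameters are assumptions for illustration.

// --- Insecure: the pattern the commenter warns against ---
function getOrderInsecure(PDO $db, array $get)
{
    // Request data goes straight into the SQL text (SQL injection), and
    // the client supplies the customer id (broken access control / IDOR).
    $sql = "SELECT orders_id, customers_id, order_total FROM orders "
         . "WHERE orders_id = '" . $get['oID'] . "' "
         . "AND customers_id = '" . $get['cID'] . "'";
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// --- Hardened: validate, parameterize, derive identity server-side ---
function getOrderSecure(PDO $db, array $get, int $sessionCustomerId)
{
    // 1. Validate: the order id must be a positive integer and nothing else.
    $orderId = filter_var(
        $get['oID'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($orderId === false) {
        return false;
    }

    // 2. Parameterize: the database receives query text and data separately,
    //    so no quoting trick in the data can change the query's structure.
    $stmt = $db->prepare(
        'SELECT orders_id, customers_id, order_total FROM orders '
        . 'WHERE orders_id = :oid AND customers_id = :cid'
    );

    // 3. Authorize: the customer id comes from the authenticated session,
    //    never from the request, so a customer cannot read someone else's order.
    $stmt->execute([':oid' => $orderId, ':cid' => $sessionCustomerId]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Stand-alone run against an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE orders (orders_id INTEGER, customers_id INTEGER, order_total REAL)');
$db->exec("INSERT INTO orders VALUES (1, 10, 19.99), (2, 11, 250.00)");

// Customer 10 is logged in and tries to read customer 11's order (id 2).
$hostile = ['oID' => "2' OR '1'='1", 'cID' => '11'];

// Insecure path: the quote breaks out of the literal, the OR makes the
// customer check irrelevant, and customer 11's order comes back.
var_dump(getOrderInsecure($db, $hostile));

// Hardened path: the same payload fails integer validation outright.
var_dump(getOrderSecure($db, $hostile, 10));

// A well-formed id for an order the session does not own yields no row.
var_dump(getOrderSecure($db, ['oID' => '2'], 10));

// Only the order belonging to the logged-in customer is returned.
var_dump(getOrderSecure($db, ['oID' => '1'], 10));
```

The hardened version does not rely on escaping at all: input is rejected unless it matches the expected type, the query is parameterized so the driver never lets data become SQL, and the ownership check uses a value the client cannot influence. That is the concrete meaning of "don't allow users to access things they shouldn't" for a shopping cart.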
  6. Re: Zen Cart is a mess by keko · · Score: 2

    ZenCart is as awful as WordPress, but with credit cards.