URGENT Zen Cart security leak!
Three security vulnerabilities have been reported in Zen Cart v1.5.4; they are likely to exist in previous versions as well. The vulnerabilities were reported by Tim Coen of curesec.com.
1: Information Leak
The popup page for additional images (e.g. index.php?main_page=popup_image_additional) accepts a GET parameter, products_image_large_additional.
Using a crafted URL, an attacker can determine (from the HTML returned) whether a specific file exists on the server.
e.g. (In this example, note specifically that the two responses differ, which “discloses information”: one of those files might exist whereas the other does not.)
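The defensive point of this section is that a file-name parameter must be confined to the image folder and that every failure (traversal attempt, wrong type, missing file) must produce the same response, so the page cannot be used as an existence oracle. The following is an added illustration written for this note, not Zen Cart's own (PHP) code: the images folder, the allowlist of extensions and the fallback markup are assumptions, and the sample image folder is constructed inside the block.

```python
import os
import tempfile

# Image extensions the popup is allowed to serve (assumed allowlist).
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}


def resolve_additional_image(images_root: str, requested: str):
    """Return the absolute path of a permitted image under images_root, or None.

    None is returned for every rejected case (traversal, disallowed extension,
    missing file), so a caller cannot tell "outside the image folder" apart
    from "does not exist" and the response carries no existence information.
    """
    root = os.path.realpath(images_root)
    # Resolve '..' segments and symlinks before comparing against the root;
    # an absolute 'requested' value replaces root in os.path.join and is
    # caught by the containment check below.
    candidate = os.path.realpath(os.path.join(root, requested))
    try:
        if os.path.commonpath([root, candidate]) != root:
            return None
    except ValueError:  # different drives on Windows: treat as outside root
        return None
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXT:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def render_popup(images_root: str, requested: str) -> str:
    """Build the popup body; the fallback markup is identical for all failures."""
    path = resolve_additional_image(images_root, requested)
    if path is None:
        return "<p>Image not available.</p>"
    rel = os.path.relpath(path, os.path.realpath(images_root))
    return '<img src="images/%s">' % rel


def demo_root() -> str:
    """Create a constructed image folder holding one JPEG-like file for the demo."""
    root = tempfile.mkdtemp(prefix="zc_images_")
    with open(os.path.join(root, "widget_01.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0demo")  # constructed sample content
    return root


if __name__ == "__main__":
    root = demo_root()
    for req in ("widget_01.jpg", "missing.jpg", "../../etc/passwd", "/etc/hostname"):
        print(repr(req), "->", render_popup(root, req))
```

The containment check uses the resolved path rather than string matching on "..", so encoded or symlinked variants are handled the same way; the uniform fallback is what closes the leak the advisory describes.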
2: Arbitrary File Upload (Admin only)
Many areas of the Admin interface allow for uploading files; generally image files, but other media files (mp3, etc.) might also be uploaded. The admin upload class does not universally carry out strict testing of the type of uploaded file, hence a .php or other ‘dangerous’ file might be uploaded by a logged-in administrator.
It should also be noted that this requires the malicious person to have a valid Admin login. Further, Zen Cart already requires that pages that allow uploading are protected by an XSRF token. As such, we have classified this as low/non-critical.
Currently we do not plan to address this in legacy versions. We plan to do tighter evaluation of uploads in v1.6.0.
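What "strict testing of the type of uploaded file" looks like in practice: allowlist the extension, reject script extensions anywhere in the name (some server configurations execute "evil.php.png" as PHP), and confirm that the bytes match the declared type. The block below is an added example for this note, not Zen Cart's upload class; the signature table and the allowlist are assumptions, and the sample uploads are constructed inline.

```python
import os

# Magic-byte prefixes for the media types an admin may upload (assumed table).
SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
}

# Name fragments that must not appear as any dotted segment after the base name.
FORBIDDEN_PARTS = {"php", "phtml", "php3", "php4", "php5", "php7", "phar",
                   "htaccess", "cgi", "pl", "sh"}


def check_upload(filename: str, data: bytes):
    """Return (accepted, reason); the first failed test decides."""
    name = os.path.basename(filename)
    if name != filename or name.startswith("."):
        return False, "path component or hidden file in name"
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "no extension"
    ext = "." + parts[-1]
    if ext not in SIGNATURES:
        return False, "extension not in allowlist"
    if any(p in FORBIDDEN_PARTS for p in parts[1:]):
        return False, "forbidden extension fragment in name"
    if not any(data.startswith(sig) for sig in SIGNATURES[ext]):
        return False, "content does not match declared type"
    return True, "ok"


# Constructed sample uploads: a minimal PNG header, an MP3 with an ID3 tag,
# and a PHP snippet under various names.
SAMPLES = [
    ("banner.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("track.mp3", b"ID3\x03\x00" + b"\x00" * 10),
    ("shell.php", b"<?php echo 1; ?>"),
    ("shell.php.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("photo.png", b"<?php echo 1; ?>"),
    ("../photo.png", b"\x89PNG\r\n\x1a\n"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(name, "->", check_upload(name, data))
```

A signature match is evidence, not proof (a valid image can still carry script text after its header), so the check belongs alongside storing uploads where the web server will not execute them; the advisory's mitigating factors, a valid admin login and the XSRF token, remain in place regardless.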
3: Code Execution (Admin-only)
In the interest of creating maximum flexibility for store owners, Zen Cart allows a valid logged-in Admin user to edit and include PHP files in other pages via the define pages editor (define_pages_editor.php?define_it=4&action=new_page).
The define pages system is meant to allow for custom text/html and images to be included in certain storefront pages.
We also attempt to stop these pages from being executed directly using .htaccess files. However, a given server’s configuration may be such that the .htaccess file is not honoured, and hence a malicious person could add PHP commands to the define pages that allow for nefarious code execution within a storefront page.
As with the upload vulnerability above, the malicious person must have a valid admin login.
Further, we do not intend to address this in legacy Zen Cart versions.
As a matter of course, Zen Cart users should ensure the security of their Admin logins, especially the Super User login. Where there is a need to provide others with an Admin login, those users should (where possible) be restricted to just those areas of admin that are necessary.
Zen Cart also provides detailed logs of Admin access and actions. These should be reviewed regularly, and where necessary as part of your daily Admin workflow.
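Because both the upload and the define-page issues require a valid admin login, the admin activity log is the place where misuse of either would show up. The review routine below is an added example for this note, not a Zen Cart tool: the line format is a constructed export (Zen Cart keeps this log in its database), define_pages_editor.php is taken from the advisory, the upload page name is a placeholder, and the super-user ids, known office IPs and working hours are assumptions a store would set for itself.

```python
import re
from datetime import datetime

# Admin pages whose use is worth a second look. define_pages_editor.php is the
# page named in the advisory; the second entry is a placeholder for whichever
# upload-capable admin pages a given store exposes.
SENSITIVE_PAGES = {
    "define_pages_editor.php": "define page edit (can include PHP)",
    "EXAMPLE_upload_page.php": "file upload",
}

# Constructed log export format: tab-separated timestamp, admin id, IP, page, params.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\tadmin_id=(?P<admin>\d+)"
    r"\tip=(?P<ip>\S+)\tpage=(?P<page>\S+)\tparams=(?P<params>.*)$"
)


def review_admin_log(lines, superusers, known_ips, work_hours=(7, 20)):
    """Return one finding per log line that triggers at least one review reason."""
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.rstrip("\n"))
        if not m:
            findings.append({"line": raw, "reasons": ["unparseable line"]})
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        admin, ip, page = int(m["admin"]), m["ip"], m["page"]
        reasons = []
        if page in SENSITIVE_PAGES:
            reasons.append(SENSITIVE_PAGES[page])
            if admin not in superusers:
                reasons.append("non-superuser on sensitive page")
        if ip not in known_ips:
            reasons.append("unfamiliar source IP")
        if not (work_hours[0] <= ts.hour < work_hours[1]):
            reasons.append("outside working hours")
        if reasons:
            findings.append({"line": raw, "admin": admin, "page": page, "reasons": reasons})
    return findings


# Constructed sample log (documentation IP ranges, invented admin ids).
SAMPLE_LOG = [
    "2015-06-15 10:02:11\tadmin_id=1\tip=198.51.100.4\tpage=index.php\tparams=",
    "2015-06-15 10:05:40\tadmin_id=1\tip=198.51.100.4\tpage=define_pages_editor.php"
    "\tparams=define_it=4&action=new_page",
    "2015-06-16 02:13:08\tadmin_id=3\tip=203.0.113.9\tpage=define_pages_editor.php"
    "\tparams=define_it=4&action=new_page",
    "2015-06-16 09:30:00\tadmin_id=3\tip=198.51.100.4\tpage=orders.php\tparams=",
]

if __name__ == "__main__":
    for f in review_admin_log(SAMPLE_LOG, superusers={1}, known_ips={"198.51.100.4"}):
        print(f["page"], "by admin", f["admin"], "->", "; ".join(f["reasons"]))
```

A super-user editing a define page during office hours still appears in the output, deliberately: the advisory's recommendation is that such actions be reviewed, not merely that anomalies be caught, so the routine reports every sensitive action and attaches extra reasons when the actor, source or time is unexpected.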
Have us apply the Zen Cart-provided patch to your Zen Cart installation, whatever version you are running.
Remember this security update is necessary for ALL Zen Cart versions, including the current release 1.5.4.