Critical Zen Cart Vulnerability Could Spell Black Friday Disaster For Shoppers (htbridge.com)

Mark Wilson writes: It's around this time of year, with Black Friday looming and Christmas just around the corner, that online sales boom. Today security firm High-Tech Bridge has issued a warning to retailers and shoppers about a critical vulnerability in the popular Zen Cart shopping management system. High-Tech Bridge has provided Zen Cart with full details of the security flaw which could allow remote attackers to infiltrate web servers and gain access to customer data. Servers running Zen Cart are also at risk of malware, meaning that hundreds of thousands of ecommerce sites pose a potential danger. Technical details of the vulnerability are not yet being made public, but having notified Zen Cart of the issue High-Tech Bridge says the date of full public disclosure is 16 December.
  • According to the original source (https://www.htbridge.com/advisory/HTB23282) the security issue affects versions 1.5.3 "and probably prior" (you gotta love the wording). When I looked at the Zen Cart site today v1.5.4 has been out for almost a year. Now someone else please take it from here...
    • by BarbaraHudson ( 3785311 ) on Wednesday November 25, 2015 @11:40PM (#51006439)
      Most of the people running Zen Cart are probably going to have to wait until their hosting provider supplies a one-click upgrade, same as Android users had to wait for their phone company to push out the upgrade that took care of Stagefright, Heartbleed, etc.
      • by _merlin ( 160982 )

        What's behind changing your sig from the previous LGBTt line to the current one that completely dissociates t from LGBT? Just curious.

        • Gays, Lesbians, and Bisexuals are about sexual practices. Transgendered is a bastardized term that includes cross-dressers and drag queens, which is a sexual fetish (not that I'm criticizing this, to each their own, etc). Unfortunately, even in the LGBT, many people think that transsexuals are really just gay cross-dressers. This attitude comes from the top down, as many of the influential LGBT organizations are directed exclusively by gay white men.

          They don't get that transsexuals are different - live bra

          • by _merlin ( 160982 )

            Thanks for taking the time to answer in detail about your thoughts on the issue.

            • You're welcome. The full answer is much more complex, involves going into a lot of details, etc ... I'll probably do a journal entry on it at some point. :-)
  • Roast Turkey, of course.

  • How can you tell? (Score:4, Insightful)

    by freeze128 ( 544774 ) on Wednesday November 25, 2015 @11:54PM (#51006469)
    Zencart? How is a typical shopper supposed to know if the online retailer that they are using is using the Zencart system?
    • Re: (Score:2, Informative)

      by Anonymous Coward
      Not the most succinct way to go about it but the big ones are on there.

    • by drgould ( 24404 )

      In the default configuration the phrase "Powered by Zencart" appears at the bottom of each page.

      Also, the default Zencart themes and icons are unmistakable if you know what they look like.

    • It's actually pretty obvious if they are using Zen Cart. Instead of a "checkout" button it has a "continue the cycle" button. ;)

  • The Zen Cart code is a mess, and I'm not surprised that it has vulnerabilities.

    XCart seems much better, but it's a monster codebase. It probably has some vulnerabilities too.

    • by keko ( 1010009 )
      ZenCart is as awful as WordPress, but with credit cards.
      • ZenCart is as awful as WordPress, but with credit cards.

        Not to worry, WordPress has plenty of plugins that will allow you to insecurely use your credit card in ways that would make a hacker dance with joy.

    • Of course it is, it was based off of osCommerce, another steaming pile of phpshit.

  • Could somebody post the original article that this post summarizes? e.g. Where can we get further information?

  • Because of this, or in spite of this, or regardless of this (choose one), I will not be doing any black Friday shopping. I choose not to commemorate the anniversary of the collapse of gold prices in the stock market.

