Critical Zen Cart Vulnerability Could Spell Black Friday Disaster For Shoppers (htbridge.com)
Mark Wilson writes: It's around this time of year, with Black Friday looming and Christmas just around the corner, that online sales boom. Today security firm High-Tech Bridge has issued a warning to retailers and shoppers about a critical vulnerability in the popular Zen Cart shopping management system. High-Tech Bridge has provided Zen Cart with full details of the security flaw which could allow remote attackers to infiltrate web servers and gain access to customer data. Servers running Zen Cart are also at risk of malware, meaning that hundreds of thousands of ecommerce sites pose a potential danger. Technical details of the vulnerability are not yet being made public, but having notified Zen Cart of the issue High-Tech Bridge says the date of full public disclosure is 16 December.
Re: (Score:2)
And yet you continue to use the web...
Re: (Score:2)
OK, I'll bite. What do you consider to be better than php?
I coded the payment system on our store's website in python CGI scripts. Keep it simple first. It helps that I'm a crypto security type engineer for a big techy company in my day job, so it's not a challenge to bake in defense in depth. It sucks when PCI-DSS scans ding you for insecure versions after their probe finds my honeypot.
Re: (Score:2)
The honeypot is a simple way to identify an attack source. It's only one thing. As for any defense-in-depth structure, the failure of one thing doesn't compromise the whole. Preferably the failure of several things doesn't compromise the whole.
If you think there is anything to do with security in the PCI-DSS specs, you are sadly mistaken. They are a pile of poo.
Re: (Score:3)
I coded the payment system on our store's website in python CGI scripts.
You can write secure code or insecure code in any language. You haven't shown anything that proves PHP itself is less secure than Python or Perl or ASP or $favorite_language.
I've written hundreds of thousands of lines of PHP and I put security as my primary concern. None of them have been hacked because I rigorously sanitize data and don't allow users to access things they shouldn't. Yes, it's a bit of a pain to try and cover every conceivable attack vector, but you can write secure code in PHP just as you can in any language. It's not the language, it's the implementation of the code you write.
Re: (Score:2)
I coded the payment system on our store's website in python CGI scripts.
You can write secure code or insecure code in any language. You haven't shown anything that proves PHP itself is less secure than Python or Perl or ASP or $favorite_language.
I've written hundreds of thousands of lines of PHP and I put security as my primary concern. None of them have been hacked because I rigorously sanitize data and don't allow users to access things they shouldn't. Yes, it's a bit of a pain to try and cover every conceivable attack vector, but you can write secure code in PHP just as you can in any language. It's not the language, it's the implementation of the code you write.
I was answering the question as asked, not filling in the details to satisfy your curiosity.
The relevant bit is attack surface and the reduction thereof, by doing things outside the memory space of the web server and passing all data through a well controlled pipe. You might be able to write secure code in PHP. But the language is largely irrelevant to the method of attack surface reduction I was employing that I was referring to, whereas CGI is. Old school, simple, separated.
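The separation the commenter describes, as an added illustration that is not code from the thread, from the commenter, or from Zen Cart: the web-facing handler reduces an untrusted request to a small allow-listed message, then passes only that message to a separate worker process over a pipe (stdin/stdout), so the payment logic never runs inside the web server's process. The field names, the order id pattern, the currency list and the amount limit are all constructed for the example.

```python
"""
Web tier -> pipe -> separate worker. Only the worker holds the payment step.
Everything here (field names, limits, the worker's reply format) is an assumption
made for illustration, not an API of any real project.
"""
import json
import re
import subprocess
import sys

ORDER_ID_RE = re.compile(r"[A-Z0-9]{6,12}")
ALLOWED_CURRENCIES = ("USD", "EUR", "GBP")
MAX_AMOUNT_CENTS = 10_000_000

# Source of the worker process. It runs in its own interpreter, reads exactly one
# JSON message from stdin and answers with one JSON document on stdout.
# Nothing else crosses the pipe in either direction.
WORKER_SRC = r'''
import json, sys
try:
    msg = json.loads(sys.stdin.read())
    if set(msg) != {"order_id", "amount_cents", "currency"}:
        raise ValueError("unexpected fields")
    # Hypothetical payment step; a real worker would talk to the processor here.
    result = {"ok": True, "order_id": msg["order_id"], "charged_cents": msg["amount_cents"]}
except Exception:
    # Never echo possibly attacker-controlled input back across the pipe.
    result = {"ok": False, "error": "worker rejected message"}
sys.stdout.write(json.dumps(result))
'''


def validate_order(raw):
    """Reduce an untrusted request to an allow-listed message; raise ValueError otherwise."""
    if not isinstance(raw, dict):
        raise ValueError("request must be an object")
    order_id = raw.get("order_id")
    amount = raw.get("amount_cents")
    currency = raw.get("currency")
    # fullmatch, not match: "$" would still accept a trailing newline
    if not isinstance(order_id, str) or not ORDER_ID_RE.fullmatch(order_id):
        raise ValueError("bad order_id")
    # bool is a subclass of int in Python, so exclude it explicitly
    if isinstance(amount, bool) or not isinstance(amount, int) or not 0 < amount <= MAX_AMOUNT_CENTS:
        raise ValueError("bad amount_cents")
    if currency not in ALLOWED_CURRENCIES:
        raise ValueError("bad currency")
    # Only these three fields are forwarded; anything extra in the request is dropped here.
    return {"order_id": order_id, "amount_cents": amount, "currency": currency}


def forward_to_worker(msg):
    """Send one validated message to the worker over stdin and parse its single reply."""
    proc = subprocess.run(
        [sys.executable, "-c", WORKER_SRC],
        input=json.dumps(msg).encode(),
        capture_output=True,
        timeout=10,
    )
    if proc.returncode != 0:
        return {"ok": False, "error": "worker failed"}
    return json.loads(proc.stdout.decode())


def process_request(raw):
    """Web-tier entry point: validate first; the worker is only spawned for clean input."""
    try:
        msg = validate_order(raw)
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}
    return forward_to_worker(msg)


if __name__ == "__main__":
    # Constructed sample request
    print(process_request({"order_id": "ORD12345", "amount_cents": 1999, "currency": "USD"}))
```

The point of the design is that the worker's input is a fixed-shape JSON document built by the validator, not the raw request: a malformed or oversized request is rejected before any process is started, extra fields never reach the pipe, and the worker itself re-checks the field set so it does not depend on the web tier being correct.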
Re: (Score:2)
But the language is largely irrelevant to the method of attack surface reduction I was employing that I was referring to
And that was my point entirely.
Re: (Score:2)
But the language is largely irrelevant to the method of attack surface reduction I was employing that I was referring to
And that was my point entirely.
But not a contradiction of mine, which is how you cast it.
Re: (Score:1)
High-Tech assholes want to make a name for themselves. I bet they've been sitting on this just waiting for this time of year.
My first thought too.
see something (Score:2)
More like .... (Score:2)
Re: (Score:3)
I don't know about zen cart, but it's based on osCommerce which is a nasty piece of shit.
I tried to use it. Learn from my experience. Don't.
The latest version as well? (Score:2)
Re: (Score:2)
heh, and how many websites get updated? If it ain't hacked yet... well, don't look... we don't want to upgrade.
It is the norm for these frameworks that the installation involves fifteen pages of "put that there, set that permission, put this in the apache config, install this pre-req". Tomato Cart and Zen Cart, I'm looking at you.
By the time you finally get it running, it seems like you have a massively fragile configuration consisting of many small changes. The idea of dropping an upgraded codebase on that is akin to saying "Your website will go down for a week while you get it running again, because that's how lon
Re: (Score:1)
It's not just that, the upgrade procedure is basically: Do a clean install then manually re-apply any customizations.
It really is a massive amount of work to upgrade it.
Re: (Score:3)
What's behind changing your sig from the previous LGBTt line to the current one that completely dissociates t from LGBT? Just curious.
Re: (Score:2)
I have no problem with gays, lesbians, bisexuals, drag queens, whatever - except that their attitude towards us is like a useless appendage - handy to drag out when it gains "the community" something, but otherwise ignored, or worse, blurring the line between cross-dressers, etc., and transsexuals, helping perpetuate the myth that transsexuals are really gay men in dresses.
Toxic? You betcha! "Chuck you Farley Brown! I don't need you to tell me what I am or how to live my life" is probably a pretty muted re
Re: (Score:2)
Gays, Lesbians, and Bisexuals are about sexual practices. Transgendered is a bastardized term that includes cross-dressers and drag queens, which is a sexual fetish (not that I'm criticizing this, to each their own, etc). Unfortunately, even in the LGBT, many people think that transsexuals are really just gay cross-dressers. This attitude comes from the top down, as many of the influential LGBT organizations are directed exclusively by gay white men.
They don't get that transsexuals are different - live bra
Re: (Score:2)
Thanks for taking the time to answer in detail about your thoughts on the issue.
How will Russia celebrate Thanksgiving? (Score:2)
Roast Turkey, of course.
How can you tell? (Score:4, Insightful)
Re: (Score:2, Informative)
https://www.zen-cart.com/showcase.php
Not the most succinct way to go about it but the big ones are on there.
Re: (Score:2)
Well, for example you can use builtwith.com. E.g. http://builtwith.com/adafruit.com
Re: (Score:1)
In the default configuration the phrase "Powered by Zencart" appears at the bottom of each page.
Also, the default Zencart themes and icons are unmistakable if you know what they look like.
Re: (Score:2)
It's actually pretty obvious if they are using Zen Cart. Instead of a "checkout" button it has a "continue the cycle" button. ;)
Zen Cart is a mess (Score:2)
The Zen Cart code is a mess, and I'm not surprised that it has vulnerabilities.
XCart seems much better, but it's a monster codebase. It probably has some vulnerabilities too.
Re: (Score:2)
ZenCart is as awful as WordPress, but with credit cards.
Not to worry, WordPress has plenty of plugins that will allow you to insecurely use your credit card in ways that would make a hacker dance with joy.
Re: (Score:2)
Of course it is, it was based off of oscommerce another steaming pile of phpshit.
Citation, Please? (Score:2)
Could somebody post the original article that this post summarizes? e.g. Where can we get further information?
Not shopping (Score:2)