
The ShipRush Product Management Blog

Zen Cart Sites: Critical Vulnerability Present In Most Recent Versions


Apologies for the bad news on a holiday, but if you run Zen Cart, you need to know.


The computer security firm High Tech Bridge has reported a serious security flaw in Zen Cart. The public disclosure is on their site: https://www.htbridge.com/advisory/HTB23282

Note the issue title: RCE in Zen Cart ... RCE means "Remote Code Execution." This is one of the most serious kinds of vulnerabilities: an attacker who can trigger it runs code of their own choosing on your web server. While we do not have confirmation yet on this issue (well, the Zen Cart team does kind of confirm it in their discussion), this is potentially very serious.

And make no mistake: The hackers know you are running Zen Cart.

UPDATE 10:00 PM Pacific, Nov 26 ---------------------------------------------------

The Zen Cart team has posted a patch. Indications are that the vulnerability affects v1.5.4 only; however, this is not 100% clear at this time.

Back to the rest of this post -------------------------------------------------------------

The work flow High Tech Bridge is using is:

  1. Issue Discovery
  2. Privately Report (to the Zen Cart development team)
  3. Publicly Report (to the world)

Steps 1 and 2 have occurred. The Zen Cart team has posted that they are looking into the issue, and they expect to have a resolution available soon. High Tech Bridge will announce the details publicly on December 16. However, it is entirely possible that hackers will rediscover the issue on their own before the 16th.

The ShipRush Team recommends that all Zen Cart site operators take the following steps immediately:

  1. Make full backups that you take off site, every day until this issue is resolved.
  2. Check your Zen Cart version.
  3. Get your site to Zen Cart v1.5.4 absolutely ASAP (within a week, if at all possible).
  4. Review all FTP and cPanel logins. Remove unneeded logins. Change all passwords to 20+ character, machine-generated random passwords.
  5. Review all Zen Cart admin console logins. Remove unneeded logins. Change all passwords to 20+ character, machine-generated random passwords.
  6. Be sure your admin folder has a randomized name. (See step 6 under Details & Explanations below.)

Details & Explanations

1. Make full backups that you take off site, every day until this issue is resolved.

Based on the disclosure, the vulnerability could allow an arbitrary internet user to upload files to your Zen Cart server. That can result in overt (obvious) damage to your site, or in subtle damage that is difficult or impossible to detect. You need full backups of the entire /htdocs/ structure of your site and of your MySQL database, and you need to keep those backups "off site." Since your Zen Cart server is already at an ISP data center, "off site" in this case means copying the backups down to your local computer. Keep every day's copy rather than overwriting the previous one: if the site is later found to be compromised, the oldest backup is the one most likely to be clean.

Do this every day until the issue is resolved and your system patched.

In the event that your system is compromised, you will need either to restore one of these backups, or to use them as a "known clean" copy of your Zen Cart system to compare, file by file, against the compromised (or possibly compromised) system.

2. Check Your Zen Cart Version

The Zen Cart team will probably only patch the current version (1.5.4). It is possible, but not likely, that patches will be issued for earlier versions. You must know your version in order to take many of the next steps. On the server, the installed version is recorded in includes/version.php.

Find it out now so you can plan.

3. Update Site to Zen Cart 1.5.4

If you are not on 1.5.4, you need to be there, for a whole list of reasons. Running a web store is serious business (dealing with credit card numbers, dollars and cents, and all that), and v1.5.4 has a stack of fixes you need.

And the Zen Cart team may not release patches for earlier versions.

Get current, so when the patch becomes available, you can take advantage of it.

4. and 5. Review Logins

This is a best practice, and since you are thinking of security, think it all the way through. This is a great time to tighten access to your Zen Cart system. There are multiple paths into your Zen Cart environment:

Operating System: Any and all cPanel, SSH and FTP logins should be reviewed. Disable or delete any logins that are not in active use. Change passwords to long, strong, machine-generated ones (at least 20 characters, with mixed-case letters, digits and punctuation). If your host offers SFTP or SSH keys, prefer them to plain FTP, which sends the password across the internet in the clear. If you are not yet using a password manager (like LastPass), it is time to start.

Zen Cart Admin: Change the admin password to a strong one (it is probably overdue for a change anyway), review all logins to the Zen Cart Admin, and remove any that are no longer needed.

6. Randomized name for the Zen Cart Administrator Folder

This is absolutely no joke. If you haven't done this, or if your Admin folder uses English words (e.g. 'secret-admin-dir' or 'charming-site-admin'), change it now, and, we suggest, change it right.

The location of the admin folder may be a key to certain types of system takeovers. Please take this seriously.

The steps on renaming the Admin directory are on the Zen Cart site. However, the published steps are missing one crucial step: generating a random name for the Admin directory. For genuine security, the admin directory name must be random. Use a password generator to create a random, 22-character alphanumeric string (alphanumeric only, since the name ends up in a URL and in a path inside configure.php), and use that as the new name of the admin directory. Do not list the new name anywhere public, such as robots.txt, and remember that hiding the directory is one layer of defense, not a substitute for the patch.
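One way to carry out steps 4 through 6 from a shell, as an added example that is not from the ShipRush post or from the Zen Cart project. It draws the machine-generated random strings the post asks for (20+ character login passwords and a 22-character alphanumeric admin directory name) from /dev/urandom, then renames the admin directory and rewrites the path defines in its configure.php. The define names DIR_WS_ADMIN and DIR_FS_ADMIN, and the location <admin>/includes/configure.php, are assumed to be those of Zen Cart 1.5.x; check them against your own file, and follow the Zen Cart site's instructions for your version wherever they differ.

```shell
#!/bin/sh
# Added example, not code from the ShipRush post or the Zen Cart project.
# Generates random passwords and a random admin directory name (steps 4 to 6 above)
# and performs the directory rename. Assumptions: /dev/urandom exists; the admin
# directory's includes/configure.php carries DIR_WS_ADMIN and DIR_FS_ADMIN defines
# whose values end in "/<admin dir>/", as in Zen Cart 1.5.x. Verify against your file.

# random_string CHARSET LENGTH: LENGTH characters drawn from CHARSET using the
# kernel CSPRNG. tr filters the byte stream down to the allowed set; head stops it.
random_string() {
  LC_ALL=C tr -dc "$1" < /dev/urandom | head -c "$2"
}

# Login passwords for FTP/cPanel/SSH and the Zen Cart admin (default 24 characters):
# mixed case, digits and punctuation. Characters that are awkward to type into FTP
# clients and shells (quotes, backslash, space, $) are left out on purpose.
gen_password() {
  random_string 'A-Za-z0-9!#%+,-.:=@^_~' "${1:-24}"
}

# Admin directory name (default 22 characters): alphanumeric only, because it ends
# up in a URL, a filesystem path and a PHP string literal.
gen_admin_dir_name() {
  random_string 'A-Za-z0-9' "${1:-22}"
}

# rename_admin_dir SITE_ROOT OLD_NAME NEW_NAME
# Moves SITE_ROOT/OLD_NAME to SITE_ROOT/NEW_NAME and rewrites every *_ADMIN define
# whose value ends in '/OLD_NAME/' so that it ends in '/NEW_NAME/'. No .bak copy is
# written into the web root: a configure.php.bak can be served by the web server as
# plain text, which would leak the database credentials it contains.
rename_admin_dir() {
  root="$1"; old="$2"; new="$3"
  case "$new" in
    ""|*[!A-Za-z0-9]*) echo "new name must be non-empty and alphanumeric" >&2; return 1 ;;
  esac
  [ -d "$root/$old" ] || { echo "no such directory: $root/$old" >&2; return 1; }
  [ ! -e "$root/$new" ] || { echo "target already exists: $root/$new" >&2; return 1; }
  [ -f "$root/$old/includes/configure.php" ] || { echo "no configure.php under $root/$old" >&2; return 1; }

  mv "$root/$old" "$root/$new"
  cfg="$root/$new/includes/configure.php"
  # Only lines mentioning an ADMIN define are touched, and only the trailing '/old/'
  # of their value, so a matching segment elsewhere in the path is left alone.
  sed "/ADMIN/s#/$old/'#/$new/'#" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
  grep -q "/$new/'" "$cfg" || { echo "configure.php was not updated; check its defines" >&2; return 1; }
  echo "admin directory is now $root/$new"
}
```

Typical use: `new=$(gen_admin_dir_name); rename_admin_dir /var/www/htdocs admin "$new"`, then log in at the new URL before closing your current admin session, and store the name (and the passwords from gen_password) in your password manager rather than in a file on the server. If your configure.php carries other defines that embed the admin path, add them to the sed line before running it.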

Please tackle the above right away, and follow the conversation on the Zen Cart forums.

And have a great holiday, and holiday season.

All the best from the ShipRush Team.

(We are emailing this info to all ShipRush users who are linked to a Zen Cart store. For the heavy season, ShipRush email and forums are staffed every day during the four day holiday weekend, and the ShipRush call center opens at 7:00 AM on Monday the 30th, Cyber Monday.)

Updated 11-26-2015 at 10:23 PM by Rafael Zimberoff
