Zen Cart admins: Don't skip version 1.5.5
Hiding behind all those points is a patch for an admin-interface XSS mess
If you missed the March 17-issued patch for shopping cart application Zen Cart, get busy, because among other things it fixed serious cross-site scripting (XSS) vulnerabilities.
Trustwave, which turned up the bug last September, made it public last Friday. Zen Cart reckons the vulnerability was closed before it was exploited.
The bugs involved places in the admin interface that allow the input of html and script tags, Zen Cart explains.
For example, the interface allowed “Product descriptions/Product Names/Email Sending as well as some configuration values” to be manipulated; however, as Zen Cart's post states, it seemed to be exploitable only by someone already logged in as an administrator.
It did, however, flag a need to look over the code, so Zen Cart says it's worked with Trustwave to “implement a more global process of sanitizing GET/POST parameters in admin”.
As Zen Cart explains in this developer post, its fix involves a sanitisation class in version 1.5.5 that takes “a much more aggressive stance than previous code”.
Zen Cart notes that the new code could impact plugins that “add or change admin functionality”, because any GET/POST parameters that aren't already sanitised will get the new default sanitisation applied to them.
The issues exist in Zen Cart 1.5.4 and possibly earlier versions, and if users can't upgrade to version 1.5.5, there's also a patch for 1.5.4. ®