Tech

Online shopping cart Zen Cart patches critical XSS flaws

The shopping cart software's security problems placed hundreds of thousands of users at risk.

Written by Charlie Osborne, Contributing Writer March 29, 2016 at 2:59 a.m. PT

Zen Cart has fixed dozens of XSS security vulnerabilities which left users at risk of website compromise, data theft and tracking.

The popular online shopping cart caters for hundreds of thousands of users worldwide. The open-source software grants websites the ability to process shopping orders without spending a fortune on licenses -- which can be an unwanted expense for SMBs -- but PHP-based Zen Cart is just as vulnerable to security issues as any other shopping cart.

In a blog post on Friday, Trustwave researchers from the SpiderLabs Research team said the company discovered multiple XSS-based vulnerabilities in the application and have been working with Zen Cart since September 2015 to fix a swathe of bugs.

A security advisory detailing the problems includes descriptions of both reflective and stored cross-site scripting (XSS) flaws in the shopping cart, of which many were focused in the administration section.

Admin areas that allow the input of scripts were particularly at risk and according to ThreatPost, at least 50 XSS vulnerabilities were found together with one XSS problem in a non-authenticated area of the software.

The vulnerabilities could grant an attacker the ability to compromise a Web domain, deface a website and gain access to cookies. The security flaws may also be used to load malware for tracking, surveillance, the theft of sensitive data and system infection.

The range of these XSS vulnerabilities is a problem, as patching all of them -- and discovering where others lurked -- would be a lengthy and arduous analysis. In order to prevent a more widespread exploit of these security issues and other XSS problems, Trustwave recommended that Zen Cart implemented the global sanitization of GET/POST input parameters in the open-source software's Admin panel.

After a "long period of discussion" with the security firm, Zen Cart has decided to do so, ensuring future versions of the software will be less vulnerable to these specific issues.

Not all of the vulnerabilities reported by Trustwave have been fixed, however. Trustwave says that one cross-site scripting issue is still present, but exploiting the flaw would be difficult as admin privileges are required and CSRF protection is in place.

Security

The vulnerabilities impact Zen Cart 1.5.4 and potentially older versions of the software.

The public disclosure of the security issues comes after Zen Cart released 1. 5. 5, which fixes all of the vulnerabilities reported and leaves no further avenue for these issues to be exploited.

Users should upgrade to the latest version of Zen Cart as soon as possible.