<!--
/**
* @package documentation
* @copyright Copyright 2003-2009 Zen Cart Development Team
* @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
* @version $Id: readme.html 13650 2009-06-23 20:25:41Z wilt $
*/
//-->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style type="text/css">
<!--
body, table{ font-family:Verdana, Arial, Helvetica, sans-serif; font-size:14px; }
table.intro {border-color:C96E29; }
td.intro{background-color:#EEEEEE ; border-color:5778ce; font-size:11px; }
td.plainbox, div.callout {border: 1px dashed; border-color: C96E29; margin:5 40 5 40; background-color: #d7e0f2; }
.heading {background-color:5778CE; font-weight:bold; font-size:14px; width: 100%; }
.title1 {color:C96E29; font-weight:bold; font-size:22px; }
.title2 {color:C96E29; font-weight:bold; font-size:13px; }
.small {font-size:10px ;}
.error {color:FF0000; }
.filename {font-family: mono, "Courier New", Courier ; font-size:14px; color: c96e29;}
.pseudolink {text-decoration:underline; color:5778CE;}
h1.intro { color: #ffffff; border:1px solid #aca893; background-color: #c96e29; font-size: 22px; padding: 4px;}
h1 { color: #ffffff; border:1px solid #aca893; background-color: #5778ce; font-size: 20px; padding: 4px;}
h2 { color: #c96e29; font-size: 18px;}
h3 { color: #5778ce; font-size: 16px; margin-bottom:0px;}
h4 { color: #c96e29; font-size: 14px;}
.style1 {font-size: 10}
-->
</style>
<title>Security Patch for Zen Cart™ 1.3.8</title>
</head>
<body>
<table class="intro" cellspacing="4" cellpadding="6" border="3" width="748px" align="center">
<tr><td class="intro">
<center>
<h1 class="intro">Security Patch for Zen Cart™ 1.3.8</h1>
</center>
<span class="style1">The Zen Cart™ software is made available to you for use, additions, changes, modifications, etc. without charge, under the GNU General Public License. <br />
<br />
While we do not charge for this software, donations are greatly appreciated each time you download a new version, to help cover the expenses of maintenance, upgrades, updates, the free support forum and the continued development of this software for your online e-commerce store.
<br />
<br />
Donations can be made at:
<a href="http://www.zen-cart.com/index.php?main_page=infopages&pages_id=14" target="_blank">The Zen Cart™ Team Page</a>
<br />
<br />
We appreciate your support.<br />
<em>The Zen Cart™ Team</em></span><br />
<br />
<center>
<span class="small">
Zen Cart™ is derived from: Copyright 2003 osCommerce<br />
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;<br />
without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE<br />
and is redistributable under the GNU General Public License<br /><br />
</span>
</center>
</td></tr></table>
<br />
<table border="3" width="748px" align="center" cellpadding="6">
<tr>
<td align="center"><img src="osi-certified-120x100.png" /><br />
This software is OSI Certified Open Source Software.<br />
OSI Certified is a certification mark of the Open Source Initiative.
</td></tr></table>
<br />
<table border="3" width="748px" align="center" cellpadding="6">
<tr>
<td>
<h1 align="center">Introduction</h1>
<p>In our <a href="important_site_security_recommendations.html">Security Recommendations</a> for all Zen Cart™ users, we stress the need to rename your "/admin" folder. We also have prominent warnings in the administration section of the Zen Cart™ store, to remind users when they have not changed the folder name.</p>
<p>Recently we have been informed of some vulnerabilities in the store code which could potentially allow an attacker to gain access to the Administration section. To take advantage of theses vulnerabilities, the attacker needs to know the location of the Zen Cart™ Administration section.<p>
<p>While renaming the "/admin" provides protection against this vulnerability, we decided that this "<a href="http://en.wikipedia.org/wiki/Security_through_obscurity">Security through obscurity</a>" was not sufficient, and therefore released this patch to address the vulnerability at the software level.</p>
<p>It should be noted that we are not the only Ecommerce system that relied on "Security through Obscurity" to protect the Aministration Section, as evidenced by this <a href="http://www.magentocommerce.com/blog/comments/csrf-vulnerabilities-in-web-application-and-how-to-avoid-them-in-magento/">link</a>
<h1 align="center">Installing this security patch on your Zen Cart™ 1.3.x store </h1>
<p>The following is a list of the steps you need to take to install this security patch on your Zen Cart™ site: </p>
<h1>1. Files in the Security Patch </h1>
<ol style="white-space:nowrap">
<li><YOUR ADMIN DIRECTORY>/includes/functions/extra_functions/security_patch_v138_20090619.php - NEW FILE</li>
<li><YOUR ADMIN DIRECTORY>/includes/extra_configures/security_patch_v138_20090619.php - NEW FILE</li>
<li><YOUR ADMIN DIRECTORY>/includes/autoloaders/config.security_patch_v138_20090619.php - NEW FILE</li>
<li><YOUR ADMIN DIRECTORY>/includes/init_includes/init_security_patch_v138_20090619.php - NEW FILE</li>
<li><YOUR ADMIN DIRECTORY>/includes/functions/html_output.php - ALTERED FILE</li>
</ol>
<p>The files in the list above that are marked NEW FILE, can be simply uploaded to the corresponding directories in your stores admin directory. Hopefully after all the subtle hinting you will have renamed your "/admin" directory !</p>
<p>The html_output.php file will already exist in your Zen Cart™ installation, and how you deal with that file will depend on whether you have altered that file or not. If you are sure it has not been altered you can simply overwrite the original file with the version that came with this patch. Otherwise you will need to change your version by hand. Fortunately the change is minor and is described below.</p>
<p>Note you do not have to upload any other files, e.g the .html files that came with this security patch.</p>
<p>A word of WARNING. The html_ouptut.php file also exists in <STORE>/includes/functions/ directory. You must not change this version, only the one that exists in your admin directory.
<h1>2. Amending html_output.php by hand</h1>
<p>To amend the <YOUR ADMIN DIRECTORY>/includes/functions/html_output.php by hand is fairly straightforward.</p>
<h4>However before attempting to edit this file, please make sure you have a secure backup of the original version.</h4>
<p>Open the file in an editor and find the function "zen_draw_form"</p>
<p>The last line of this function is </p>
<pre>return $form;</pre>
<p>Just before that line add another line as below</p>
<pre>$form .= '<input type="hidden" name="securityToken" value="' . $_SESSION['securityToken'] . '" />';</pre>
<p>You can then save the file.</p>
<h1>3. Test changes</h1>
<p>With all the changes in place, you should now test that you can still access your Administration panel, and that nothing in the Administration panel appears to have been adversely affected by the changes.</p>
<p>If you do have any problems, then you should revert to the original version of html_ouput.php (You did make a backup, didn't you) and remove the other 4 files that are part of this security patch.</p>
<p>Please use the <a href="http://www.zen-cart.com/forums/">Zen Cart™ Forums</a> for advice and/or to notify us of any problems with the patch.</p>
<h1>Previous Zen Cart Versions</h1>
<p>This patch was specifically written and tested using the most up to date Zen Cart release (v1.3.8), however it will also work with all other 1.3.x releases. We cannot however confirm that it will fully work with previous versions.<p>
<p>Any one using v1.2.x is advised to upgrade their store as soon as possible.<p>
<p>However, the following file contained in this patch:.</p>
<pre><YOUR ADMIN DIRECTORY>/includes/function/extra_functions/security_patch_v138_20090619.php</pre>
<p>is compatible with 1.2.x releases, and people using those versions are advised to at least upload this file.</p>
<p>You should also ensure that you have any other patches for your system installed. Details of previous patches can be found in the <a href="http://www.zen-cart.com/forum/forumdisplay.php?f=2">Release Annoucements</a> section of the <a href="http://www.zen-cart.com/forum/">Zen Cart Forums</a>.</p>
</td>
</tr>
</table>
<div align="center"><br />
<em>Copyright 2009 Zen Cart™</em> <br />
<br />
<br />
</div>
</body>
</html>