Recently, a security threat was discovered in Zen Cart. Specifically, the forgotten password routine could be used to discover a limited amount of data on several pages within the admin. The information disclosed was not much – but any is too much. So they created a fix, and like any good development team they distributed it to their users. But they did not stop there. Like any good neighbor, they started letting other developers know where the issue might affect their distributions. Sure enough the issue is also present in other osCommerce variants and descended carts. This includes CRE Loaded, osC Max and osCommerce with the Admin Access with Levels contribution installed. The most recent osCommerce releases do not use Admin Access with Levels, but an alternative of their own. Thus, they may not be prone to this issue.
Thanks to the Zen Cart teams sharing of this issue with other development groups, patches were generated and supplied to users of osC Max within 48 hours of notification. EOS Online Merchant received a similarly rapid repair, and a CRE Loaded patch which includes data to address this issue is expected to be released today. This type of cooperation may not be essential to keeping eCommerce software safe from penetration, but it certainly helps. I look forward to seeing further collaboration towards more secure software for online shopping in the future.