Security Announcement -- security_patch_v138_20090619.zip

NewsBot

« Reply #1 on: July 03, 2009, 02:45:59 PM »
21 June 2009, 12:53 pm

Hi,

A vulnerability has been discovered in the admin section of v1.3.8 (and previous versions). To take advantage of this vulnerability, any attacker must know the URL of your admin section. As our security recommendations point out, you should change the folder that your admin resides in as soon as you have installed Zen Cart.

However we realise that relying on this 'Security through Obscurity' is not foolproof, hence the release of this patch.

A link to the patch file is posted below. Please download the patch file and unzip it. The zip file contains a readme.html with full details on how to install the security patch files. In the main, the security patch uses Zen Cart's override system to make installation as simple as possible.

The security patch will work for previous versions in the 1.3.x series. Older releases, i.e. v1.2.x, are no longer supported and the patch has not been fully tested on those versions; however, some parts of the patch should still work with v1.2.x (again, see the readme.html file). We strongly advise anyone using the 1.2.x versions to upgrade to 1.3.8 as soon as possible.

Thanks to Ghyslain/BlackH for alerting us to one aspect of this vulnerability.

IMPORTANT NOTE:

As with all Zen Cart zip files, there are Directories/Folders embedded in the zip. So, when you expand/unzip, you MUST tell your unzip program to expand the folders too! Otherwise you are likely to end up putting the wrong files in the wrong places.

And ... follow the instructions CAREFULLY ... Remember, the documentation tells you exactly where to put the files. Don't make any assumptions. This is an ADMIN patch ... so ALL the files go under your admin directory in their respective folders ... again, the documentation is clear, so use it.

REMEMBER (In case it's not self-evident) ... WHEN APPLYING *ANY* PATCHES (or addons or customizations for that matter), ALWAYS DO A *FULL* BACKUP of your database data and your PHP/HTML/CSS/TEMPLATE/IMAGES files by downloading them to your computer and zipping and/or burning to a CD/DVD.

Attached Files

security_patch_v138_20090619.zip (24.9 KB)
Source: Zen Cart Support - Zen Cart Release Announcements

================================
This post was created by the osCommerce University News Bot. Feel free to reply, attach polls, etc -- but do not hold the osCommerce University responsible for the content of the post itself. PM the Administrator for SPAM, thanks!