PCI Scans - patch to handle low-priority warnings on search screen causing scan fail

27 June 2009, 7:27 pm

There are some reports of sites failing PCI scans due to an error message that can appear on the search screen if someone attempts a SQL injection attack. While the attack fails, an error message appears which, to the purists, discloses the name of the database table and thus gets flagged as a problem. While it's a minor issue and poses no actual direct vulnerability, the PCI scan will fail.
To fix this in Zen Cart v1.3.0 through v1.3.8a, simply do the following:
Create a NEW file, call it: /includes/extra_configures/pci_patch_v13x_search.php
And insert only the following code into that file before saving and uploading to your server:
Code:
<?php
// Must be the first line of the file: Zen Cart loads this file as PHP.
// Close an unterminated leading double quote in the search keyword so the
// search parser does not raise the SQL error that discloses the table name.
if (isset($_GET['keyword']) && $_GET['keyword'] != '')
{
    $count = substr_count($_GET['keyword'], '"');
    if ($count == 1)
    {
        // Exactly one quote, and it opens the keyword: append the closing quote.
        if (substr(stripslashes(trim($_GET['keyword'])), 0, 1) == '"')
        {
            $_GET['keyword'] .= '"';
        }
    }
    // Remove any magic_quotes-style backslash escaping before the search runs.
    $_GET['keyword'] = stripslashes($_GET['keyword']);
}
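To see what the patch actually does to a keyword before it reaches the search parser, here is its logic lifted into a pure function and run over a few constructed inputs. This is an added example, not Zen Cart code; the function name pci_balance_keyword() and the sample keywords are this example's own.

```php
<?php
// Added example (not Zen Cart code): the patch's logic as a pure function,
// so it can be exercised against constructed inputs without a web server.
// The name pci_balance_keyword() is this example's own.

function pci_balance_keyword(string $keyword): string
{
    // Exactly one double quote, and it is the first non-space character:
    // the search parser would see an unterminated quoted phrase, so close it.
    if (substr_count($keyword, '"') == 1
        && substr(stripslashes(trim($keyword)), 0, 1) == '"') {
        $keyword .= '"';
    }
    // Undo magic_quotes-style backslash escaping, as the patch does.
    return stripslashes($keyword);
}

// Constructed sample keywords, paired with the value the function returns.
$samples = [
    'blue widget'    => 'blue widget',    // no quotes: untouched
    '"blue widget'   => '"blue widget"',  // lone leading quote: closed
    '\\"blue widget' => '"blue widget"',  // same, with magic_quotes escaping
    '"blue widget"'  => '"blue widget"',  // already balanced: untouched
    'blue" widget'   => 'blue" widget',   // lone quote not at start: left alone
];

foreach ($samples as $in => $expected) {
    $out = pci_balance_keyword($in);
    printf("%-20s => %-20s %s\n",
           var_export($in, true), var_export($out, true),
           $out === $expected ? 'ok' : 'MISMATCH');
}
```

Run it with `php` from the command line; every row should print `ok`. Note what the last sample shows: the patch only closes a quote that opens the keyword. A lone quote anywhere else passes through unchanged, so if a scanner reports the same error for other inputs, this file alone will not clear it.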
Sites still running Zen Cart 1.2.x or older are reminded that they need to upgrade; this patch will not work for them.
Source: Zen Cart Support - Zen Cart Release Announcements