12-03-2005, 11:33 AM
A new security hole was discovered a few hours ago in ZenCart ver 1.26d (the latest release). No patch is available at this time. The affected file is admin/password_forgotten.php. If you are using Zen, it is highly advisable to temporarily disable the password_forgotten file (change its name to something like password_forgotten.phpmandy).
In an SQL Injection attack the hacker is able to execute remote code on your MySQL database and server, i.e. a hacker could run code to get all of your store's customer info and credit card numbers on your server, your passwords, etc. (A malicious hacker could even use the exploit to delete your entire database.)
More info on this hole: http://www.addict3d.org/index.php?page=viewarticle&type=security&ID=5449
More info on SQL Injection here:
http://www.securiteam.com/securityreview...1P76E.html
http://www.unixwiz.net/techtips/sql-injection.html