TulipTools Internet Business Owners and Online Sellers Community
Zen Cart <= 1.2.6d (password_forgotten.php) SQL Injection Exploit

12-03-2005, 11:33 AM (This post was last modified: 12-03-2005, 11:43 AM by mandy.)
Post #1 by mandy (Administrator)
A new security hole was discovered a few hours ago in ZenCart ver 1.26d (the latest release). No patch available at this time. The affected file is admin/password_forgotten.php. If you are using Zen it is highly advisable to temporarily disable the password_forgotten file (change its name to something like password_forgotten.phpmandy).

In an SQL Injection attack the hacker is able to execute remote code on your MySQL database and server, i.e. a hacker could run code to get all of your store's customer info and credit card numbers on your server, your passwords, etc. (a malicious hacker could even use the exploit to delete your entire database).

More info on this hole: http://www.addict3d.org/index.php?page=viewarticle&type=security&ID=5449

More info on SQL Injection here:
http://www.securiteam.com/securityreview...1P76E.html
http://www.unixwiz.net/techtips/sql-injection.html
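The post above says that with an injection hole "the hacker is able to execute code on your MySQL database". The root cause is a query built by pasting untrusted form input into the SQL text, and the fix is a parameterised query. This added example (not Zen Cart's code; the table, column names and the email lookup are assumptions modelled on a "forgotten password" form) contrasts the two on a legitimate input, an email containing an apostrophe, which alone is enough to break the string-built query:

```python
import sqlite3

# Constructed sample customer rows; column names are an assumption,
# not the real Zen Cart schema.
CUSTOMERS = [
    (1, "alice@example.com", "Alice"),
    (2, "o'brien@example.com", "Pat O'Brien"),
]


def make_db():
    """Build an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, email):
    """String-built query: whatever the user typed becomes SQL grammar.

    A quote character in the input closes the literal early, so the
    remainder of the input is parsed as SQL rather than compared as data.
    """
    sql = "SELECT id, name FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Parameterised query: the input is bound as a value and is never
    parsed as part of the statement, so quotes in it are harmless."""
    sql = "SELECT id, name FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def compare(email):
    """Run both lookups on the same input and return (vulnerable, safe).

    The vulnerable result is the row list, or an 'error: ...' string when
    the input corrupted the statement and the database rejected it.
    """
    conn = make_db()
    try:
        vuln = lookup_vulnerable(conn, email)
    except sqlite3.Error as exc:
        vuln = f"error: {exc}"
    return vuln, lookup_safe(conn, email)
```

The parameterised version returns the O'Brien row; the concatenated one cannot even be parsed for that input, which is the same weakness an attacker abuses with crafted input.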
12-03-2005, 08:04 PM
Post #2 by amy (Super Moderator)
NADA on the Zen support forums about the hole but I'm sure every hacker is already on Google looking for sites using Zen. A search (http://directory.allmusicsearch.com/allmusicmeta/search/"zencart"-and-"sql-injection"/1-1.html) shows version 1.12d also had an SQL Injection problem and needed a patch.

12-04-2005, 04:28 AM
Post #3 by bargainbloodhound
Quote: "NADA on the Zen support forums about the hole"

Nope.

A useful resource to check to see if your scripts have any known security problems:

http://nvd.nist.gov/nvd.cfm
12-06-2005, 06:08 AM (This post was last modified: 12-06-2005, 06:13 AM by regic.)
Post #4 by regic (Administrator)
A patch to fix the hole is now available:

info: http://www.zen-cart.com/modules/mydownlo...php?cid=31
download: http://www.zen-cart.com/modules/mydownlo...hp?lid=544

All Zen Cart versions 1.1.x and 1.2.x require this patch, not just 1.26d.
12-06-2005, 02:38 PM
Post #5 by bargainbloodhound
That was quick.