Ten Points Random

Zen Cart Fail

by on Aug.21, 2009 @ 06:33 pm, under Technology

On the list of stupid things to do and big security holes, one of the best (or worst) I’ve seen to date is one that was built into our beloved E-commerce solution: Zen Cart.

You don’t have to login to get into the admin.

I’ve tried it personally on versions 1.2.6 and 1.3.7, and to my knowledge, it works almost every other version.

I haven’t tested it myself, but I’ve looked through the files, and it looks like the most current version you can download from their website (1.3.8a) is also just as vulnerable. (edit: I tried it, fortunately it’s not vulnerable.)

Most security holes require a little bit of knowledge of web technologies to exploit, but this one’s so bad, just about anyone can do it.  Here’s how stupid it is:

  1. Find your Zen Cart, say it’s http:/example.com/store
  2. Find your admin.  Usually it’s /admin/
  3. Choose an admin page.  How about sqlpatch.php?
  4. Add /password_forgotten.php (versions 1.3) or /login.php (versions 1.2) to the end of that.
  5. Visit it: http://example.com/store/admin/sqlpatch.php/password_forgotten.php
  6. Bingo!  Full access without ever logging in.

This is bad.  If you have Zen Cart on your site, PATCH IT NOW, before someone kinder than me goes looking for you and uses this to take control of your hosting account.

How it works:

Most web servers stop processing the directory once they hit a (PHP) file.  This allows you to do things like example.com/index.php/some/random/pseudo/rewrite.  That’s fine.

But Zen Cart did it wrong.  When they go to check to see if you should be logged in they do this:  (code rewritten for simplicity)

if(basename($PHP_SELF) != 'index.php' && 
   basename($PHP_SELF) != 'password_forgotten.php') {
  //Send them to the login page and exit

Did you catch that?

They use basename() on PHP_SELF!  PHP_SELF is basically the request URI without the “search” variable on it. So, if I go to “http://example.com/store/admin/sqlpatch.php/password_forgotten.php”, PHP_SELF is “store/admin/sqlpatch.php/password_forgotten.php”

If I send that to basename (which is a string parsing function only), “sqlpatch.php” is considered part of the directory name and we get “password_forgotten.php” for the filename.  Zen Cart checks that and lo! It’s allowed!

What should have been used was $_SERVER[‘SCRIPT_FILENAME’] which will always give you the name of the currently executing “parent” script, not what the user typed in.

Why this is bad:

Zen Cart’s admin is great!  You can run SQL patches (SQL injection), upload files with various names (arbitrary code execution), and edit the template .php files for certain pages (XSS, arbitrary code execution,  etc.) all from the comfort of the admin!

Once someone gets in, it’s easy for a malicious user to to upload a shell script that does his/her mindless bidding, be that viral site attacking, spam bots, porn mirror, etc.

The End of Zen Cart

Of course the Zen Cart developers found out about it.  What was their advisement?  That you should have changed the path to your admin folder, but since some of you don’t think that’s security we also made a patch. (The wording is mostly mine, the font sizes, not so much.)

That’s you attitude towards something so critical as this?

I bid thee farewell Zen Cart.

:, ,
No comments for this entry yet...

Comments are closed.

Looking for something?

Use the form below to search the site:

Still not finding what you're looking for? Drop a comment on a post or contact us so we can take care of it!

Visit our friends!

A few highly recommended friends...