High-Tech Bridge, a Switzerland-based security firm, reported a critical security issue in Zen Cart, a popular open source shopping cart application used by a large number of websites. The issue was exploited on November 25, and Zen Cart patched it within 24 hours.
The vulnerability was a PHP file inclusion flaw affecting the /ajax.php file. By exploiting it, a remote attacker could execute arbitrary PHP code and gain unlimited access to the files and database of the application. According to High-Tech Bridge CEO Kolochenko, the vulnerability was very easy to exploit, and exploitation was possible even on hardened web servers.
Only the most recent version, Zen Cart 1.5.4, had the security flaw, as previous versions did not include the vulnerable script, so it could be fixed simply by replacing the /ajax.php file with the patched version.
Zen Cart also released patches for medium-severity and low-severity vulnerabilities. One medium-severity patch addressed a cross-site scripting (XSS) issue in "order-comments"; the security hole was reported by Trustwave and affected Zen Cart 1.5.4 and earlier versions. One patch was released for a low-severity issue as well: an incorrect password was being stored in an input field, which caused invalid login attempts.
Trustwave also disclosed other XSS vulnerabilities for which patches have not been released yet. These have been classified as low severity because they could not be exploited without admin logins and so could not be used by a third party to cause harm.