Notify Patch for Zen Cart

This is a hot one. If you haven’t yet installed the Notify Patch for Zen Cart, please do so immediately. All my clients got this patch within 24 hours of the release. If you’d like this kind of service for your Zen Cart, please go on Zen Cart Support with me.

If you’re not sure what a patch is or why patches are important, you can read my article on Zen Cart patches.

Happy patching!

Photo by Josh Carter on Unsplash

vi brace matching

For 40 years, brace matching in vi has been part of my workflow, and for the most part, it works great! One of the first things I look for in a new editor is this feature. But sometimes, it breaks down. Consider a PHP line like:

if (stripos($str, '{+') !== false) {

As soon as you do something like that, your brace matching in vim falls apart.

But there’s a fix! The incredible matchit mod for vim by Benji Fisher. Handles THOUSAND LINE if blocks (this is legacy code, my friends) like a knife through butter. Thank you Benji!

Using Authorize with Zen Cart?

Authorize.Net changed over this week to the new API announced in January, so if you haven’t done your updates, credit card processing using Authorize.Net (SIM or AIM) will fail.

Fortunately, the fix is easy:

  • AIM users: You need to blank out the MD5 Hash field in Admin->Modules->Payment-> (AIM). This is sufficient for now, but you’ll also want to plan to get the new copy of authorize_aim.php from Zen Cart 1.5.6b.
  • SIM users: You’ll need to get the new copy of authorize.php from Zen Cart 1.5.6b, and then create a Signature Key within Authorize. Enter the key in Admin->Modules->Payment-> (SIM).

For reference, here is the error message you’ll see for an AIM failure:

And here’s the message for a SIM failure:

Update PHP – or be shamed!

Now that PHP 5.6 is no longer being actively supported, it’s time to move to PHP 7. And if you don’t, then WordPress will shame you by displaying a warning!

Fortunately, WordPress is very easy to update, and there’s really no reason not to be running PHP 7 if this is your main web application. Other applications are more work to upgrade. If you need to upgrade a Zen Cart, for example, please contact me and I’ll help. You can run Zen Cart 1.5.5 under PHP 7.1 with a small number of modifications for most carts.

Payment Page Credential Stealing in Zen Cart

I have seen several successful attacks in the last month on Zen Cart which have used the Minimum Values fields. (osCommerce has a similar vulnerability.) The attack works as follows:

  • Inject a script into one of the CC min length fields (in this case, CC_NUMBER_MIN_LENGTH).
  • This script will fire when the payment page is loaded if onsite card number capture is being used.
  • The script does an AJAX POST to a remote server.

Here’s a screenshot of the Admin->Configuration->Minimum Values field:

Zen Cart credit card minimum values hack

A proposed defense against this attack is to cast integer values from the configuration table as integers, thereby ensuring the script does not get echoed on the page. You can see my implementation in Zen Cart 1.5.7 Pull Request #2471.

*** Update: This PR was accepted into the Zen Cart core on 06/25/2019. It will be part of Zen Cart 1.5.7 (and may be backported to Zen Cart 1.5.6c, if there is an additional patch to that stream).
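The integer-cast defense described above, as an added example that is not the code from the pull request or from Zen Cart itself: it shows the same stored value rendered with and without the cast, plus a small audit that flags non-integer values. The function names, the rendered JavaScript line and the sample rows are assumptions constructed for illustration; only CC_NUMBER_MIN_LENGTH comes from the post.

```php
<?php
declare(strict_types=1);

// Constructed sample rows standing in for configuration-table entries.
// The second value is a harmless placeholder for injected markup.
$rows = [
    'CC_OWNER_MIN_LENGTH'  => '3',
    'CC_NUMBER_MIN_LENGTH' => '10</script><script>/* constructed placeholder */</script>',
];

// Before: the stored string is concatenated into page output unchanged.
// (Hypothetical helper; the emitted JavaScript line is illustrative.)
function renderCheckUnsafe(string $minLength): string
{
    return 'if (cc_number.length < ' . $minLength . ') { error = 1; }';
}

// After: cast to int first, so only an integer can reach the page.
function renderCheckSafe(string $minLength): string
{
    return 'if (cc_number.length < ' . (int)$minLength . ') { error = 1; }';
}

// Audit helper (hypothetical): return the keys whose stored value is not
// made up entirely of digits. An empty value is flagged as well.
function findNonIntegerValues(array $rows): array
{
    $bad = [];
    foreach ($rows as $key => $value) {
        if (!ctype_digit((string)$value)) {
            $bad[] = $key;
        }
    }
    return $bad;
}

$value = $rows['CC_NUMBER_MIN_LENGTH'];
echo 'Unsafe: ' . renderCheckUnsafe($value) . PHP_EOL;
echo 'Safe:   ' . renderCheckSafe($value) . PHP_EOL;
echo 'Flagged keys: ' . implode(', ', findNonIntegerValues($rows)) . PHP_EOL;
```

The cast keeps the markup off the page, but a flagged key still means the stored value was changed by someone, so the audit result is worth following up even on a patched cart.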

Zen Cart Mod Recommendation – zenNonCAPTCHA

I heartily recommend the mod zenNonCAPTCHA. Instead of the clunky usual CAPTCHA technique of forcing a user to type a string or identify images (which is often quite difficult for older users), zenNonCAPTCHA is done with a slider test. Moving the slider until the value “Human” is shown is how you pass the CAPTCHA test. Here’s a screenshot of how the slider looks when it is first presented:

Zen Cart zenNonCAPTCHA slider start

And here’s how the slider looks when you have successfully moved it to Human:

Zen Cart zenNonCAPTCHA slider start

June 2019 Updates to Zen Cart Mods

I have updated a few modules recently:

Blogs I’m following

Like many people, I got out of the blog habit when Google killed Google Reader, but I recently started using Reader (with Feedbin) so that I could enjoy blogs once again. Here’s what I’m reading these days:

What are you reading?

Using Zen Cart Valid Cart to apply checkout rules

One of my customers wanted to use Valid Cart for Zen Cart to apply the rules shown in the matrix below. If one of the products in the first column was in the cart, the customer also had to buy one of the products in columns 3-6, otherwise they would not be permitted to check out.

This is easily done with Valid Cart, which will block checkout unless the rule is passed. So trying to check out with just product 489, for example (which is an add-on product) would not be permitted; the customer would need to add product 334, 385, 361 or 397 to the cart.