Advance software forum
Topic: Security Patches for v1.3.0x
Dr.F@ust
« on: August 18, 2006, 10:57:37 AM »

As a result of a security vulnerability reported today, we are releasing the following patch instructions for anyone using Zen Cart v1.3.0, v1.3.0.1, v1.3.0.2:

It is strongly advised that you apply these fixes immediately!

Make the following code edits to secure your site:
---------------------------------------------
includes/application_top.php
line 83:
Code:
include($base_dir . $loader_file);

add this new line immediately above it:
Code:
$autoLoadConfig = array();


------------------------------------

includes/classes/shopping_cart.php
line 354:
Code:
set customers_basket_quantity = '" . $quantity . "'

should be replaced with:

Code:
set customers_basket_quantity = '" . (float)$quantity . "'


--------------------------------------

includes/modules/order_total/ot_coupon.php
lines 104-108:

Code:
$coupon_result=$db->Execute("select coupon_id, coupon_amount, coupon_type, coupon_minimum_order,
                                     uses_per_coupon, uses_per_user, restrict_to_products,
                                     restrict_to_categories from " . TABLE_COUPONS . "
                                   where coupon_code='". $_POST['dc_redeem_code']."'
                                   and coupon_active='Y'");

should be replaced with:

Code:
$sql = "select coupon_id, coupon_amount, coupon_type, coupon_minimum_order, uses_per_coupon, uses_per_user,
              restrict_to_products, restrict_to_categories
              from " . TABLE_COUPONS . "
              where coupon_code= :couponCodeEntered
              and coupon_active='Y'";
      $sql = $db->bindVars($sql, ':couponCodeEntered', $_POST['dc_redeem_code'], 'string');

      $coupon_result=$db->Execute($sql);


-------------------------------

includes/modules/payment/paypal/paypal_functions.php
line 35:

Code:
$sql = "select * from " . TABLE_PAYPAL_SESSION . " where session_id = '" . $session_stuff[1] . "'";

should be replaced with these lines:

Code:
$sql = "SELECT *
            FROM " . TABLE_PAYPAL_SESSION . "
            WHERE session_id = :sessionID";
    $sql = $db->bindVars($sql, ':sessionID', $session_stuff[1], 'string');


-------------------------------------

includes/functions/whos_online.php (only applies to v1.3.0.2 ... if you don't have this line, then you don't have a full v1.3.0.2 install)
line 101:

Code:
    set session_id = '" . $new_session . "' WHERE session_id = '" . $old_session . "'";

should be replaced with these lines:

Code:
   SET session_id = :newSessionID
          WHERE session_id = :oldSessionID";
  $sql = $db->bindVars($sql, ':newSessionID', $new_session, 'string');
  $sql = $db->bindVars($sql, ':oldSessionID', $old_session, 'string');


-------------------------------
A new bugfix release will be published shortly and will contain these fixes.

It is strongly advised that you apply these fixes immediately!
« Last Edit: August 18, 2006, 11:04:29 AM by Dr.F@ust »
Dr.F@ust
« Reply #1 on: August 18, 2006, 11:00:35 AM »

For people concerned about v1.2.x, you can tighten security here:

------------------------------
includes/classes/shopping_cart.php
approximately line 256, depending on your version:

Code:
set customers_basket_quantity = '" . $quantity . "'

should be replaced with:

Code:
   set customers_basket_quantity = '" . (float)$quantity . "'
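The patches in both posts above apply the same two defences: bind user-supplied strings through `$db->bindVars()` instead of splicing them into the query text, and force numeric fields to a number with a `(float)` cast. The following is an added illustration written for this thread; it is not Zen Cart code. The `DemoDb` class and its `bindVars()` method are an assumed, simplified stand-in for the real `$db->bindVars($sql, ':name', $value, 'type')` call (it only quotes and escapes, or casts), and the coupon code and quantity values are constructed sample inputs, chosen to show why the original concatenation breaks and what the patched form produces.

```php
<?php
// Added illustration for the Zen Cart v1.3.0x patches above (not Zen Cart code).
// DemoDb::bindVars() is an assumed, simplified stand-in for the real
// $db->bindVars(): it replaces a named placeholder with a quoted/escaped
// string or with a number, depending on the requested type.

class DemoDb
{
    public function bindVars(string $sql, string $name, $value, string $type): string
    {
        switch ($type) {
            case 'string':
                // Escape backslashes and single quotes, then wrap the value in
                // quotes, so the input can never terminate the SQL literal.
                $safe = "'" . str_replace(["\\", "'"], ["\\\\", "\\'"], (string)$value) . "'";
                break;
            case 'float':
                // Numeric types are coerced, so only digits ever reach the query.
                $safe = (string)(float)$value;
                break;
            case 'integer':
                $safe = (string)(int)$value;
                break;
            default:
                throw new InvalidArgumentException("unknown bind type: $type");
        }
        return str_replace($name, $safe, $sql);
    }
}

$db = new DemoDb();

// Constructed sample inputs: a coupon code containing an apostrophe and a
// quantity field that is not a clean number. Both are values a web form can
// submit, whether by mistake or on purpose.
$couponCode = "SPRING'SALE";
$quantity   = "3abc";

// Before the patch: the raw value is spliced into the query text. The
// apostrophe closes the string literal early and the remainder of the
// input is parsed as SQL by the database.
$couponUnsafe = "select coupon_id from coupons"
              . " where coupon_code='" . $couponCode . "' and coupon_active='Y'";

// After the patch: the query carries a placeholder and the value is bound
// with type 'string', so it always arrives as one quoted literal.
$couponSql  = "select coupon_id from coupons"
            . " where coupon_code= :couponCodeEntered and coupon_active='Y'";
$couponSafe = $db->bindVars($couponSql, ':couponCodeEntered', $couponCode, 'string');

// Quantity: the (float) cast from the shopping_cart.php patch guarantees the
// interpolated text is a number, whatever the form sent; the same effect is
// available through the 'float' bind type.
$qtyUnsafe = "set customers_basket_quantity = '" . $quantity . "'";
$qtySafe   = "set customers_basket_quantity = '" . (float)$quantity . "'";
$qtyBound  = $db->bindVars("set customers_basket_quantity = :qty", ':qty', $quantity, 'float');

// Compare the four query fragments side by side.
echo "unsafe coupon lookup : ", $couponUnsafe, PHP_EOL;
echo "bound coupon lookup  : ", $couponSafe, PHP_EOL;
echo "unsafe quantity      : ", $qtyUnsafe, PHP_EOL;
echo "cast quantity        : ", $qtySafe, PHP_EOL;
echo "bound quantity       : ", $qtyBound, PHP_EOL;
```

Run it with `php` on the command line and compare the two coupon queries: the unsafe one contains the apostrophe bare inside the literal, while the bound one has it escaped within a single quoted value. The point of the `(float)` cast is the same as the `'float'` bind type: the database only ever sees a number in the quantity position, so the `customers_basket_quantity` update cannot be turned into anything else by what the form submits.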