Zen Cart Flaw Fills Hackers' Stockings

Ho ho ho: Talk about the holiday gift that keeps on giving…for hackers, that is. A critical flaw has been found in Zen Cart, one of the largest online store management systems. The issue could impact a wide swath of its online retailer customer base.

Web application security firm High-Tech Bridge notified the company that the vulnerability it detected allows remote attackers to execute arbitrary code on vulnerable web applications, and to do so with the privileges of the web server. That means attackers can compromise the entire web application database (including all customers' data) and place malware on the vulnerable websites.

The impact could be fairly widespread: Zen Cart is being used on hundreds of thousands of live e-commerce websites, so the administrators of affected systems need to apply the patch as soon as possible.

It all goes to show that payment security should be kept top of mind for consumers and administrators alike, especially during the festive season.

"Critical flaws in such popular software are very rare these days," said Ilia Kolochenko, High-Tech Bridge's CEO and chief architect of the ImmuniWeb platform. "Typically, popular e-commerce web applications are prone to medium-risk cross-site scripting (XSS) or cross-site request forgery (CSRF), or to more dangerous vulnerabilities that however require very specific conditions of exploitation, or chained exploitations together with other vulnerabilities."

He added, "This case is a good example and confirmation that continuous security testing is critical to keep modern online retailers safe. Quarterly vulnerability scanning and a WAF are definitely good, but not enough anymore."
