Zen Cart v1.3.9f Multiple Remote Vulnerabilities

Title: Zen Cart v1.3.9f Multiple Remote Vulnerabilities
Advisory ID: ZSL-2010-4966
Type: Local/Remote
Impact: System Access, Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data, Cross-Site Scripting
Risk: (3/5)
Release Date: 01.10.2010
Zen Cart is an online store management system. It is PHP-based, using a MySQL database and HTML components. Support is provided for numerous languages and currencies, and it is freely available under the GNU GPL.
Zen Cart v1.3.9f suffers from a persistent cross-site scripting (XSS) and SQL injection vulnerability. The SQLi issue lies in "option_name_manager.php" script in the "option_order_by" parameter thru the admin UI (post-auth). Input is not sanitized resulting in compromising the db system.

The stored/persistent XSS issue lies pretty much everywhere in the admin panel when editing and inserting strings in different categories. Ex:

- In Admin UI go to or Extras > Record Companies and click "insert". Fill out the 1st or 3rd or 4th field or all of them, with the string: "<script>alert("xss")</script>" and click save. Now...every time when you go back to that page it will execute the code for every field.

Zen Ventures, LLC - http://www.zen-cart.com
Affected Version
Tested On
Microsoft Windows XP Professional SP3 (EN)
PHP 5.3.0
MySQL 5.1.36
Apache 2.2.11 (Win32)
Vendor Status
[19.08.2010] Vulnerability discovered.
[22.08.2010] Vendor contacted.
[22.08.2010] Vendor responds asking more details.
[23.08.2010] Sent PoC files to vendor.
[25.08.2010] Vendor confirms vulnerability.
[02.09.2010] Asked vendor for patch release date.
[08.09.2010] Vendor states approximately 7 days to patch release.
[20.09.2010] Asked vendor for status.
[24.09.2010] Asked vendor for status again because of no reply from previous mail.
[28.09.2010] Vendor informed about advisory release date.
[29.09.2010] Vendor releases version 1.3.9g to address these issues.
[01.10.2010] Public advisory released.
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
[1] http://www.zen-cart.com/forum/showthread.php?t=165017
[2] http://www.exploit-db.com/exploits/15165/
[3] http://securityreason.com/wlb_show/WLB-2010100006
[4] http://www.packetstormsecurity.org/filedesc/ZSL-2010-4966.txt.html
[5] http://www.securityfocus.com/bid/43628
[6] http://secunia.com/advisories/41666
[7] http://osvdb.org/show/osvdb/68298
[8] http://osvdb.org/show/osvdb/68299
[9] http://xforce.iss.net/xforce/xfdb/62213
[01.10.2010] - Initial release
[02.10.2010] - Added reference [7], [8] and [9]
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk