The SpiderLabs team at Trustwave published a new advisory yesterday, which details multiple vulnerabilities identified in Zen Cart (version 1.5.0). These findings include two Local File Inclusion (LFI) vulnerabilities and a Cross-Site Scripting (XSS) in the installation scripts. All of these security issues were discovered by Jonathan Claudius who is a member of the Trustwave SpiderLabs Research team.
Zen Cart has confirmed the Cross-Site Scripting (XSS) discovery and the vendor is evaluating the Local File Inclusion (LFI) vulnerabilities. The latest version of Zen Cart (1.5.0) is affected but the vendor has advised users to remove the zc_install folder after installation as a workaround. However, Trustwave SpiderLabs urges caution in situations where the Zen Cart installation script is provided as part of a default image. This is often done as a convenience on hosting providers, even incases where the client does not use the software. It is a best practice to ensure that no installation scripts are exposed to outsiders, and these vulnerabilities reinforce the importance of this step.
Trustwave SpiderLabs has deployed protections for this finding in the ModSecurity Commercial Rules Feed and the TrustKeeper vulnerability scanning solution has been updated to detect this finding.