Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

TWSL2016-006: Multiple XSS Vulnerabilities reported for Zen Cart

Today Trustwave released a vulnerability advisory in conjunction with Zen Cart. Researchers from the SpiderLabs Research team at Trustwave recently found multiple Cross-Site Scripting (XSS) vulnerabilities in the popular online open source shopping cart application.

The vulnerabilities affect Zen Cart 1.5.4 and potentially prior versions. Zen Cart released a new version 1.5.5 that has fixes for the security issues reported. It is recommended to upgrade to this version, however Zen Cart has also released local patch in case upgrade is not possible right away. More details are provided below.

Vulnerability Information

Several Cross Site Scripting vulnerabilities were discovered in the admin section of Zen Cart and one issue in the non-authenticated portion of the application. Our researchers found both reflective and stored XSS in multiple parameters of number of requests. Malicious Cross-Site Scripting injections could result in access to cookies, sensitive information and site defacement, which can result into further attacks.

Vulnerability Discovery

While testing Trustwave App Scanner's newest improvements to Cross-Site Scripting SmartAttack, we started running the App Scanner on various popular open source tools. In this process we scanned Zen Cart, with it being simple to configure and a popular shopping cart application with considerable market share.

The credentials for the application and the URL were provided to Trustwave App Scanner, which then crawled through the multiple pages of the application. Once an optimized set of pages were crawled, the smart attacks were added and an assessment run which returned multiple vulnerabilities.

There were many advantages in running an automated solution in this scenario. The tool was able to scan hundreds of pages and parameters without any manual intervention. The improved Cross Site Scripting detection using dynamic analysis resulted in finding vulnerabilities quickly and accurately (Finding XSS Vulnerabilities More Quickly with Dynamic Contextual Analysis). Once an initial scan was setup and stored as a template, the same template could be reused as the patches were provided by the Zen Cart Team. No additional setup was necessary for running the subsequent scans.

Vulnerabilities Fixes

Trustwave responsibly disclosed these security issues to Zen Cart, and worked with Zen Cart team while the issues were being fixed. Zen Cart initially provided point patches that fixed all but one Cross-Site Scripting issue reported by Trustwave. Due to widespread nature of the numerous vulnerabilities we reported,we recommended that Zen Cart add global sanitization of input parameters. This input validation was eventually added and provided a more thorough solution. Further details about this can be obtained at http://docs.zen-cart.com/Developer_Documentation/v1.5.5/code_docs/admin_sanitization.

A single Cross-Site Scripting issue is still present in the application, but due to CSRF protection for the request, exploiting the issue would require Admin privileges for the application.

During the fixing phase, Trustwave verified multiple versions of intermediate patches provided by the Zen Cart team and advised them with some additional issues we found during this testing. Zen Cart team was responsive during this process and a joy to work with as a partner in responsible disclosure.

References

Affected users can patch these vulnerabilities by downloading the latest version of Zen Cart 1.5.5 from https://www.zencart.com/latest and the patch is also available at https://www.zen-cart.com/showthread.php?219732-Trustwave-Security-report-Patch-Included

Trustwave Web Application Firewall and ModSecurity can defend against these attacks through generic XSS rules.

The vulnerabilities were discovered by Trustwave SpiderLabs Research members Sriram Akurati and Michael Yuen.

For more details regarding this advisory please visit:

The Trustwave SpiderLabs Advisory (TWSL2016-006)
TWSL2016-006

Zen Cart Release Announcement
https://www.zen-cart.com/showthread.php?219732-Trustwave-Security-report-Patch-Included

Latest SpiderLabs Blogs

Using AWS Secrets Manager and Lambda Function to Store, Rotate and Secure Keys

When working with Amazon Web Services (AWS), we often find that various AWS services need to store and manage secrets. AWS Secrets Manager is the go-to solution for this. It's a centralized service...

Read More

Facebook Malvertising Epidemic – Unraveling a Persistent Threat: SYS01

The Trustwave SpiderLabs Threat Intelligence team's ongoing study into how threat actors use Facebook for malicious activity has uncovered a new version of the SYS01 stealer. This stealer is designed...

Read More

Tips for Optimizing Your Security Operations Framework

Building an effective Security Operations framework that provides the right balance of people, processes, and technologies can take years.

Read More