TWSL2016-006: Multiple XSS Vulnerabilities reported for Zen Cart

Today Trustwave released a vulnerability advisory in conjunction with Zen Cart. Researchers from the SpiderLabs Research team at Trustwave recently found multiple Cross-Site Scripting (XSS) vulnerabilities in Zen Cart, a popular open source online shopping cart application.

The vulnerabilities affect Zen Cart 1.5.4 and potentially prior versions. Zen Cart has released version 1.5.5, which contains fixes for the reported issues. Upgrading to 1.5.5 is the recommended remediation; for sites that cannot upgrade right away, Zen Cart has also released a local patch. More details are provided below.

Vulnerability Information

Several Cross-Site Scripting vulnerabilities were discovered in the admin section of Zen Cart, along with one issue in the unauthenticated portion of the application. Our researchers found both reflected and stored XSS in multiple parameters across a number of requests. A successful Cross-Site Scripting injection can give an attacker access to cookies and other sensitive information, or allow site defacement, any of which can be a stepping stone to further attacks; in the admin section the payload runs in the browser of whoever views the affected page, typically a logged-in administrator.

Vulnerability Discovery

While testing the newest improvements to Trustwave App Scanner's Cross-Site Scripting SmartAttack, we started running App Scanner against various popular open source applications. Zen Cart was among them: it is simple to configure and is a popular shopping cart application with considerable market share.

App Scanner was given the application URL and a set of credentials, and it crawled the application's pages. Once an optimized set of pages had been crawled, the SmartAttacks were added and an assessment run, which returned multiple vulnerabilities.

Running an automated solution had several advantages in this scenario. The tool scanned hundreds of pages and parameters without manual intervention, and the improved Cross-Site Scripting detection using dynamic analysis found the vulnerabilities quickly and accurately (see Finding XSS Vulnerabilities More Quickly with Dynamic Contextual Analysis). Once the initial scan was set up and stored as a template, the same template could be reused each time the Zen Cart team provided a patch, with no additional setup for the subsequent scans.

Vulnerabilities Fixes

Trustwave responsibly disclosed these security issues to Zen Cart and worked with the Zen Cart team while the issues were being fixed. Zen Cart initially provided point patches that fixed all but one of the Cross-Site Scripting issues reported by Trustwave. Because of the widespread nature of the numerous vulnerabilities we reported, we recommended that Zen Cart add global sanitization of input parameters rather than continue patching individual sinks one at a time. This input validation was eventually added and provides a more thorough solution. Further details can be found at http://docs.zen-cart.com/Developer_Documentation/v1.5.5/code_docs/admin_sanitization.

A single Cross-Site Scripting issue is still present in the application, but the affected request is protected against CSRF, so an attacker cannot trigger it by luring a victim to a crafted page; exploiting the issue would require Admin privileges for the application.
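The following is an added illustration written for this post; it is not Zen Cart's code, not an excerpt of its admin_sanitization layer, and not output from Trustwave App Scanner. It walks from an admin page that reflects a parameter straight into HTML, through a point patch that encodes at a single sink, to the two defenses discussed above: a central input-sanitization layer applied to every admin parameter, and a CSRF token gate that keeps a forged cross-site request from reaching the sink at all. Every function name, the parameter names (`oID`, `page`, `search`, `status`, `token`), the session key and the policy table are invented for the example and do not describe Zen Cart's actual rules.

```php
<?php
// Added example (not Zen Cart's code, not Trustwave's): an admin page going
// from an XSS sink to a hardened handler with a central input-sanitization
// layer and a CSRF token gate. Names and the policy table are invented.
declare(strict_types=1);

// Vulnerable pattern: the request parameter is echoed straight into HTML,
// so ?search="><script>alert(document.cookie)</script> becomes live markup.
function render_search_vulnerable(array $get): string
{
    $search = $get['search'] ?? '';
    return '<input name="search" value="' . $search . '">';
}

// Point patch: encode at this one sink only. ENT_QUOTES covers both quote
// styles, so breaking out of the attribute with " or ' fails.
function render_search_point_patched(array $get): string
{
    $safe = htmlspecialchars($get['search'] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input name="search" value="' . $safe . '">';
}

// Global sanitization: one policy table applied to every admin parameter.
// Unknown parameters get the strict 'text' default instead of being trusted.
const ADMIN_PARAM_POLICY = [
    'oID'    => 'int',                               // order id
    'page'   => 'int',
    'search' => 'text',                              // HTML stripped, then encoded
    'status' => 'enum:pending,processing,delivered', // fixed vocabulary only
];

function sanitize_value(string $policy, string $raw): ?string
{
    if ($policy === 'int') {
        return ctype_digit($raw) ? (string)(int)$raw : null;
    }
    if ($policy === 'text') {
        return htmlspecialchars(strip_tags($raw), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    if (strncmp($policy, 'enum:', 5) === 0) {
        $allowed = explode(',', substr($policy, 5));
        return in_array($raw, $allowed, true) ? $raw : null;
    }
    return null; // unknown policy: reject rather than pass through
}

function sanitize_admin_request(array $params): array
{
    $clean = [];
    foreach ($params as $name => $raw) {
        if (!is_string($raw)) {
            continue; // nested arrays are not expected on these pages; drop them
        }
        $value = sanitize_value(ADMIN_PARAM_POLICY[$name] ?? 'text', $raw);
        if ($value !== null) {
            $clean[$name] = $value;
        }
    }
    return $clean;
}

// CSRF gate: a per-session random token that a forged cross-site request
// cannot supply, so the remaining sink is reachable only from an admin session.
function csrf_token_for_session(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function csrf_request_is_valid(array $session, array $params): bool
{
    $expected = $session['csrf_token'] ?? '';
    $provided = $params['token'] ?? '';
    return $expected !== '' && is_string($provided) && hash_equals($expected, $provided);
}

// Hardened handler: reject forged requests first, then sanitize, then render.
function handle_admin_search(array $session, array $params): string
{
    if (!csrf_request_is_valid($session, $params)) {
        return '403 Forbidden: missing or invalid token';
    }
    $clean = sanitize_admin_request($params);
    return '<input name="search" value="' . ($clean['search'] ?? '') . '">';
}

// Constructed demo input: attribute break-out plus a malformed id and status.
$attack  = [
    'search' => '"><script>alert(document.cookie)</script>',
    'oID'    => '12abc',
    'status' => 'shipped',
];
$session = [];
$token   = csrf_token_for_session($session);

echo render_search_vulnerable($attack), "\n";      // unencoded reflection
echo render_search_point_patched($attack), "\n";   // encoded at the sink
print_r(sanitize_admin_request($attack));          // policy applied to every parameter
echo handle_admin_search($session, $attack), "\n"; // no token: rejected
echo handle_admin_search($session, $attack + ['token' => $token]), "\n"; // admin token: accepted
```

Run with `php example.php` on PHP 7.1 or later. With the constructed input, the vulnerable renderer emits a live `<script>` tag, the point-patched renderer emits the same payload entity-encoded, the sanitizer drops the malformed `oID` and the out-of-vocabulary `status` while stripping and encoding `search`, and the gated handler refuses the request until the session's token accompanies it. Two caveats a practitioner should keep in mind: sanitizing on input is a defence-in-depth layer and output encoding at each sink remains the primary XSS control, and because the sanitized value is already HTML-encoded, templates must not encode it a second time or the stored data will render as visible entities.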

During the fixing phase, Trustwave verified multiple intermediate patches provided by the Zen Cart team and advised them of additional issues we found during this testing. The Zen Cart team was responsive throughout this process and a joy to work with as a partner in responsible disclosure.

References

Affected users can fix these vulnerabilities by downloading the latest version, Zen Cart 1.5.5, from https://www.zencart.com/latest. The standalone patch for 1.5.4 is available at https://www.zen-cart.com/showthread.php?219732-Trustwave-Security-report-Patch-Included.

Trustwave Web Application Firewall and ModSecurity can defend against these attacks through their generic XSS rules. This is a mitigation for the window before patching, not a replacement for upgrading or applying the patch.

The vulnerabilities were discovered by Trustwave SpiderLabs Research members Sriram Akurati and Michael Yuen.

For more details regarding this advisory, please visit:

The Trustwave SpiderLabs Advisory (TWSL2016-006)

Zen Cart Release Announcement: https://www.zen-cart.com/showthread.php?219732-Trustwave-Security-report-Patch-Included
