Critical Zen Cart vulnerability could spell Black Friday disaster for online shoppers
It's around this time of year, with Black Friday looming and Christmas just around the corner, that online sales boom. Today security firm High-Tech Bridge has issued a warning to retailers and shoppers about a critical vulnerability in the popular Zen Cart shopping management system.
High-Tech Bridge has provided Zen Cart with full details of the security flaw which could allow remote attackers to infiltrate web servers and gain access to customer data. Servers running Zen Cart are also at risk of malware, meaning that hundreds of thousands of ecommerce sites pose a potential danger.
Technical details of the vulnerability are not yet being made public, but having notified Zen Cart of the issue High-Tech Bridge says the date of full public disclosure is 16 December. Zen Cart is yet to issue a statement in response to the discovery, but Chief Architect of ImmuniWeb and High-Tech Bridge CEO Ilia Kolochenko said:
Critical flaws in such popular software are very rare these days. Typically, popular e-commerce web applications are prone to medium-risk XSSs or CSRFs, or to more dangerous vulnerabilities that however requires very specific conditions of exploitation, or chained exploitation together with other vulnerabilities.
This case is a good example and confirmation that continuous security testing is critical to keep modern online retailers safe. Quarterly vulnerability scanning and a WAF are definitely good, but not enough anymore. We hope that the patch will be released shortly, and we strongly recommend to all administrators of affected systems to apply it as soon as possible.
Hi-Tech Bridge warns that Zen Cart 1.5.3 and "probably prior" are affected.