Web application security firm High-Tech Bridge notified Zen Cart, one of the largest online store management systems, of a critical flaw that comes at a time when online retailers witness high sales with Black Friday and Christmas shopping.
The vulnerability allows remote attackers to execute arbitrary code on vulnerable web applications with the privileges of the web server, compromise the entire web application database (including all customer data), and place malware on the affected website. The vendor has already been notified of the issue.
Zen Cart is used on hundreds of thousands of live e-commerce websites. Ilia Kolochenko, High-Tech Bridge's CEO and Chief Architect of ImmuniWeb, has the following comments on the finding.
Ilia Kolochenko, CEO of High-Tech Bridge and Chief Architect of ImmuniWeb:
"Critical flaws in such popular software are very rare these days. Typically, popular e-commerce web applications are prone to medium-risk XSSs or CSRFs, or to more dangerous vulnerabilities that, however, require very specific conditions for exploitation, or chained exploitation together with other vulnerabilities.
"This case is a good example and confirmation that continuous security testing is critical to keeping modern online retailers safe. Quarterly vulnerability scanning and a WAF are definitely good, but not enough anymore. We hope that the patch will be released shortly, and we strongly recommend that all administrators of affected systems apply it as soon as possible."
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.