Robert Peake's Blog:
Zen-Cart <= 1.2.6d Security Fix
December 05, 2005 @ 07:03:09

On his blog today, Robert Peake has a post with a fix for a rather large issue with the Zen Cart software - a SQL injection vulnerability.

One thing that really irks me is when people publish security vulnerabilities they discover without publishing the fix. Doing so only benefits the hacker (most specifically, the script kiddie) community, begging the question, "which side are you on?" Whenever I discover a vulnerability or exploit, I make it a point to first and foremost contact the vendor (or group responsible if it is not a commercial product) and then only announce the exploit after a fix is available (if then).

Not enlisting vendor support or at very least describing how a vulnerability can be patched does not help users of that software unless they are savvy enough to figure out the fix on their own. One such example is the announcement of a SQL injection vulnerability in Zen-Cart <= 1.2.6d.

He goes through the two steps needed to fix the issue, and includes substitution code to correct the injection problem. I definitely agree with his sentiment about reporting the problem and trying to offer a fix before sharing it with the world. Sure, there are people out there who can spot the problem and offer up their own patch, but there seem to be (unfortunately) more who would rather abuse it...


All content copyright, 2015 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework