Zen Cart v1.3.0.2-l10n-jp-1-2 Security Upgrade PATCH Released Apr 30, 2007
==========================================================================

This is a security upgrade patch for v1.3.0.2-l10n-jp-1 and v1.3.0.2-l10n-jp-2.
The upgrade has to be carried out on both the code and the database.

The vulnerabilities addressed by this patch are as follows.

- Session Fixation vulnerability

  Patch file list
    overwrite/includes/functions/strict_sessions.php
    overwrite/includes/init_includes/overrides/init_sessions.php
    overwrite/admin/includes/init_includes/overrides/init_sessions.php
    session_fixation.patch.sql

   This is the same patch as the Session Fixation fix that was already
     released for v1.3.0.2-l10n-jp-1:
     http://prdownloads.sourceforge.jp/zencart-jp/24195/zen-cart-v1.3.0.2-l10n-jp-1-session-fixation-patch.zip
     If you have already applied that Session Fixation patch, apply only the
     SQL Injection / File Inclusion patch described next.

- SQL Injection, File Inclusion, and the XSS that accompanies them

  Patch file list
    overwrite/includes/application_top.php
    overwrite/includes/classes/shopping_cart.php
    overwrite/includes/functions/whos_online.php
    overwrite/includes/modules/order_total/ot_coupon.php
    overwrite/includes/modules/payment/paypal/paypal_functions.php
    overwrite/admin/coupon_admin.php
    overwrite/includes/classes/order.php
    overwrite/includes/functions/functions_customers.php
    overwrite/includes/modules/checkout_process.php
    overwrite/includes/modules/create_account.php
    overwrite/includes/modules/pages/checkout_confirmation/header_php.php
    overwrite/includes/modules/pages/checkout_payment/header_php.php
    overwrite/includes/modules/pages/checkout_payment_address/header_php.php
    overwrite/includes/modules/pages/checkout_shipping/header_php.php
    overwrite/includes/modules/pages/checkout_shipping_address/header_php.php
    overwrite/includes/modules/pages/gv_send/header_php.php


Applying the patch
==================

Upgrading the code
------------------

Copy the files in the extracted overwrite directory into the root directory
of your shop, keeping the directory structure intact.

Example)
 $ cp -ra overwrite/* /to/your/shop/root/

Use a tool such as WinMerge to check that customizations you have made to
your own shop are not wiped out by the overwrite. If you have customized
files, you will need to apply the differences instead of overwriting them;
WinMerge's merge tool can be used for that.

  WinMerge Japanese edition
    http://www.geocities.co.jp/SiliconValley-SanJose/8165/winmerge.html

For the SQL Injection, File Inclusion and accompanying XSS fixes, a GNU diff
patch is also provided. Run the extracted diff.patch from the command line as
follows.

Example)
  $ cp diff.patch /to/your/shop/root/
  $ cd /to/your/shop/root/
  $ patch -p0 < diff.patch
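The overwrite procedure above replaces files wholesale, so the two things a practitioner wants before running it are a backup of the shop and a list of the shop files that carry local customizations (the ones WinMerge is suggested for). The script below is an added example written for this release note, not part of the Zen-Cart.JP patch: it does the same `cp -ra` copy as the note, but first takes a backup and, when given an unmodified copy of the release the shop was installed from (an assumed third argument), refuses to overwrite any file the shop owner has edited. All paths are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the Zen-Cart.JP release note: install the files
# from the extracted "overwrite" directory into a shop root the way the note
# describes (cp -ra), but only after taking a backup and after checking the
# shop for local customizations that a blind overwrite would wipe out.
# All paths are hypothetical; the optional third argument (an unmodified copy
# of the release the shop was installed from) is an assumption for the check.

# same_content FILE1 FILE2 -> 0 when both files have identical bytes
same_content() {
    [ "$(cksum < "$1")" = "$(cksum < "$2")" ]
}

# install_overwrite OVERWRITE_DIR SHOP_ROOT [PRISTINE_DIR]
#   0: files copied, backup taken
#   1: bad arguments or copy failure
#   2: customized files found; nothing copied, merge them by hand (e.g. WinMerge)
install_overwrite() {
    src="${1%/}"; shop="${2%/}"; pristine="${3:-}"
    [ -d "$src" ]  || { echo "overwrite dir not found: $src" >&2; return 1; }
    [ -d "$shop" ] || { echo "shop root not found: $shop" >&2; return 1; }

    customized=0
    for f in $(cd "$src" && find . -type f | sed 's|^\./||'); do
        if [ ! -f "$shop/$f" ]; then
            echo "new file:     $f"
        elif [ -n "$pristine" ] && [ -f "$pristine/$f" ] \
             && ! same_content "$shop/$f" "$pristine/$f"; then
            # The shop's copy no longer matches the release it came from, so it
            # carries local edits that the patched file would silently discard.
            echo "CUSTOMIZED:   $f  (merge by hand, not overwritten)"
            customized=$((customized + 1))
        else
            echo "will replace: $f"
        fi
    done
    [ "$customized" -eq 0 ] || return 2

    # Back up before touching anything, as the note's closing paragraph asks.
    backup="${shop}.backup-$(date +%Y%m%d%H%M%S)"
    cp -a "$shop" "$backup" || return 1

    # Same copy the note shows, directory structure preserved.
    cp -ra "$src"/. "$shop"/ || return 1
    echo "installed; backup at $backup"
}
```

Typical use is `install_overwrite ./overwrite /to/your/shop/root /path/to/unmodified/release`; an exit status of 2 means at least one listed file needs a manual merge of the patch's changes into the customized copy before anything is installed.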


Upgrading the database
----------------------

Run the extracted session_fixation.patch.sql from the admin panel via
[Tools] -> [Install SQL Patches].

 Note on the database upgrade:
  [Configuration] -> [Sessions] -> [Recreate Session] in the admin panel
  defaults to True, so this patch makes no change to it. If you have set
  Recreate Session to False in your shop, switch it back to True. Left at
  False, the Session Fixation countermeasure remains insufficient.



====

Apply this patch at your own risk. Also, do not forget to take a backup of
your shop before applying the patch.


                                         Zen-Cart.JP <dev@zen-cart.jp>
