If a form stopped working when you upgraded to v1.5.0+ …

v1.5.0, v1.5.1, zen-cart
Mar 12, 2013

One of the things that changed in Zen Cart v1.5.0 was an additional security check to make sure that forms submitted via the POST method are coming from the active session.  This is great for the security of your store, but can have unintended consequences.  Essentially, if a form is sent to your site via POST that doesn’t include a securityToken variable whose value matches the session variable of the same name, then that form is rejected and a redirect is performed to either the page_not_found (v1.5.0) or time_out (v1.5.1+) page.

This check can have unwanted results for some of your customizations, especially if those customizations code the HTML <form> tags directly instead of using the zen_draw_form function.  That function was updated in v1.5.0 to include, for forms to be submitted via POST, a hidden field named securityToken that contains the current session’s securityToken value.  If your customizations use that function to draw their form, all is well.  If, on the other hand, the <form> tag is created directly and doesn’t include the securityToken hidden field, the form will not be accepted and will result in the redirect mentioned above.

I’ve seen this behavior reported in the Zen Cart forums, usually associated with either a store-specific customization or a plugin that was developed for the v1.3.x Zen Cart series and carried over when the store was updated to v1.5.0 or later.
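To make the failure mode concrete, here is a small PHP model of the check described above, written for this post rather than taken from Zen Cart itself.  It assumes only what the post states: the token lives in $_SESSION['securityToken'], the hidden field is named securityToken, and a mismatch redirects to the time_out page (v1.5.1+).  The token-generation method, the function name post_has_valid_security_token, and the exact form markup are this example’s own choices; the zen_draw_form() call is shown as a comment with its usual (name, action, method) argument order, which you should confirm against your store’s version.

```php
<?php
// Added example, not Zen Cart code: a minimal model of the v1.5.0+ POST
// security-token check, showing why a hand-written <form> tag fails it.
// Assumptions: token stored in $_SESSION['securityToken'], hidden field named
// securityToken, redirect to the time_out page on failure (as the post says).

session_start();

// Issue one token per session (generation method is this example's choice).
if (empty($_SESSION['securityToken'])) {
    $_SESSION['securityToken'] = bin2hex(random_bytes(16));
}

/**
 * Returns true only when the POST carries a securityToken field whose value
 * matches the session's token.  hash_equals() compares in constant time.
 * (Hypothetical helper name; Zen Cart performs this check in its own code.)
 */
function post_has_valid_security_token(array $post, array $session): bool
{
    if (!isset($post['securityToken'], $session['securityToken'])) {
        return false;   // field missing: exactly the raw <form> tag case
    }
    return hash_equals((string) $session['securityToken'],
                       (string) $post['securityToken']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!post_has_valid_security_token($_POST, $_SESSION)) {
        // Reject the submission and redirect, as v1.5.1+ does with time_out.
        header('Location: index.php?main_page=time_out');
        exit;
    }
    echo 'Form accepted.';
    exit;
}

$token = htmlspecialchars($_SESSION['securityToken'], ENT_QUOTES, 'UTF-8');

// BROKEN: a v1.3.x-era form written as raw HTML.  It has no securityToken
// field, so every submission is rejected by the check above.
//
//   <form name="contact" action="index.php?main_page=contact_us" method="post">
//     <input type="text" name="email">
//     <input type="submit" value="Send">
//   </form>

// FIX, option 1: let Zen Cart draw the form.  In v1.5.0+ zen_draw_form()
// adds the hidden securityToken field itself for POST forms:
//
//   echo zen_draw_form('contact', 'index.php?main_page=contact_us', 'post');

// FIX, option 2: keep the hand-written tag but add the hidden field yourself.
echo '<form name="contact" action="index.php?main_page=contact_us" method="post">'
   . '<input type="hidden" name="securityToken" value="' . $token . '">'
   . '<input type="text" name="email">'
   . '<input type="submit" value="Send">'
   . '</form>';
```

Option 1 is the one to prefer, since it also keeps your form in step with any later changes to the token handling; option 2 is the minimal patch when a plugin’s template cannot easily be reworked.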

Your Admin Folder’s Name: Security via Obfuscation

zen-cart
Dec 15, 2012

On Wikipedia, the definition of obfuscation is “the hiding of intended meaning in communication, making communication confusing, willfully ambiguous, and harder to interpret.”  That’s what you’re doing when you rename your admin folder … making it more difficult for your admin area to be hacked, because it’s harder for the hackers to find.

When you choose an admin folder name, it should be something you can remember easily but should be hard for someone else to guess.  Let’s look at some examples:

  1. Some might be easy to guess:  myadmin, zen_admin, administrator
  2. Some might be hard to remember:  Tx97Gz, uuu_77x
  3. Some might be easy to remember and hard to guess.  If you have 2 children, 3 dogs and your street address is 429 Maple St, then an admin folder name of kids2dogs3_429 would satisfy both requirements.

Think of your admin folder’s name as a first-level password that you use to access your site.

Nov 16, 2012

Your store is based on Zen Cart v1.5.0 or later and you’ve used your admin’s Admin Access Management -> Admin Profiles to create a profile for some admin users that will have less than “Superuser” authority … let’s call that profile Manager.  Within the Manager profile, you give those users permission to access the admin_sample plugin.

The first time an admin user with the Manager profile tries to use the admin_sample plugin, they’re presented with the message:

Sorry, your security clearance does not allow you to access this resource.

When this happens, the first thing to check is the file included with the plugin that defines the plugin’s filename, usually named something like /YOUR_ADMIN/includes/extra_datafiles/admin_sample_filenames.php.  You’re looking for a define that’s similar to:

  define('FILENAME_ADMIN_SAMPLE', 'admin_sample.php');

The problem is the .php portion of the value; you’ll need to change that line to remove it:

  define('FILENAME_ADMIN_SAMPLE', 'admin_sample');

Once that change is made, all your non-Superuser admins that should have access to the admin_sample tool will be able to use it.

P.S.  It would be a good thing to make a posting in the support thread of the plugin that you had to change to let the author and other users know of the situation!