www.2cto.com, originally posted at: http://www.bkjia.com/Article/201206/134369.html
One of the website penetration-test and repair jobs most frequently taken on by www.hhsafe.com (Red/Black Alliance) involves Zen Cart, which has many problems.
Recently a website was compromised, and Apache log analysis showed how: the attackers uploaded Trojans through the admin-side upload function. The cause was the Easy Populate plug-in, one of the most commonly installed plug-ins (I believe many people have installed it). The attackers also uploaded files through the admin area via the record_company.php file.
Solution:
1. The upload function must be restricted.
Easy Populate lets the upload directory be changed from the admin backend. The directory must instead be fixed in the code so that uploads can only go to tempEP.
2. Delete the admin/record_company.php file.
3. Lock down the images and tempEP directories so that PHP cannot execute in them. Then even if a Trojan is uploaded, the Trojan program cannot run.
4. It is very important to change the username and password for admin access. Former employees who have left may still know the admin login password. If the three points above are in place, the password is no longer the main worry.
5. Make index.php and the include directory read-only. Then even if a Trojan is uploaded, there is no need to worry about redirection.
Other aspects:
Directories and files to delete
Root directory: docs, extras, zc_install, install.txt, download, media, pub
editors/fckeditor
rm -fr docs
rm -fr extras
rm -fr zc_install
rm -fr install.txt
rm -fr download
rm -fr media
rm -fr pub
Since the download directory has been deleted, downloads must also be disabled by running this SQL against the Zen Cart database:
UPDATE `zen_configuration` SET configuration_value = 'false' WHERE configuration_key = 'DOWNLOAD_ENABLED';
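The steps above (2, 3 and 5), the directory clean-up and the download switch, as an added example script that is not part of the original article: it takes the Zen Cart root as its argument, writes an .htaccess that refuses to serve PHP from images and tempEP, removes admin/record_company.php and the listed leftover directories, makes index.php and the include directory read-only, and prints the download-disable SQL for the operator to run against the database. The function names, the .htaccess contents and the assumption that the include directory is Zen Cart's standard includes/ are mine; steps 1 and 4 (editing Easy Populate and changing the admin password) remain manual.

```shell
#!/bin/sh
# Added example, not from the original article. Usage: harden_zencart.sh /path/to/zencart
# Directory names follow the article; .htaccess contents are this script's own choice.

# Stop Apache from treating files in an upload directory as PHP, and refuse to
# serve anything that still looks like a script (works with Apache 2.2 and 2.4).
deny_php_exec() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/.htaccess" <<'EOF'
RemoveHandler .php .phtml .php3 .php4 .php5 .phar
RemoveType .php .phtml .php3 .php4 .php5 .phar
<FilesMatch "\.(php|phtml|php3|php4|php5|phar)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
EOF
}

# The download switch from the end of the article, returned as text so the
# operator can pipe it into the mysql client (the script never touches the DB).
download_disable_sql() {
    echo "UPDATE zen_configuration SET configuration_value = 'false' WHERE configuration_key = 'DOWNLOAD_ENABLED';"
}

harden_zencart() {
    root="$1"
    deny_php_exec "$root/images"          # step 3: no PHP execution in upload targets
    deny_php_exec "$root/tempEP"
    rm -f "$root/admin/record_company.php" # step 2: remove the abused admin upload file
    [ -f "$root/index.php" ] && chmod 444 "$root/index.php"      # step 5: read-only
    [ -d "$root/includes" ] && chmod -R a-w "$root/includes"     # assumed includes/ dir
    # "Other aspects": installer and documentation leftovers serve no purpose in production
    for d in docs extras zc_install install.txt download media pub editors/fckeditor; do
        rm -rf "$root/$d"
    done
    download_disable_sql
}

if [ "$#" -gt 0 ]; then
    harden_zencart "$1"
fi
```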