Archive for the ‘News Updates’ Category

The Zen Cart development team has released a new version 1.5.5.  It is not PA DSS certified like version 1.5.4 which EVERYONE should be running.  Older versions of Zen Cart are not PCI compliant for collecting credit card payments, so if your current version is less than 1.5.4, you certainly need to upgrade to protect you and your clients.  I personally see no reason to upgrade to 1.5.5 if you are running 1.5.4.  If you are running a version PRIOR to 1.5.4, you should upgrade as soon as possible.

To check what version you are running, go to your admin Tools>Server / Version Info and below the server information you should see the version you are running.

As usual, we will be doing upgrades in the order received.  Pricing depends upon two things:  1) What version of Zen Cart you are running and 2) how many modifications you have installed.

If you do not know all the modifications you have installed, prior to placing your order, please fill out this form and I will go take a peek in your admin and at your files to let you know what mods you have and need to order.  It is IMPORTANT that you fill out the form ACCURATELY and test the info before sending it to me.  All mods are 30% off when doing an upgrade when you use coupon code ModsUpgrade when you check out.

There are many things that the latest version of Zen Cart has.  I am listing a few for you:
1.  Template Default will now be responsive for mobile phones and tablets.
2.  All known security and bug fixes will be incorporated
3.  Order details now to show on checkout-success page after customer has completed their order
4.  PayPal Checkout has been updated to support newer capabilities
5.  Error logging has been improved for troubleshooting any problems
6.  PHP7 and MySQL 5.7 capabilities
7.  Ability to reset the customer’s password in your Admin
8.  Automated currency updating via new cron code
9.  phpMailer Integration
10. Added hooks to allow for 3rd-party-handling of taxes
11. Multiple updates to payment modules

There are MANY MORE improvements in the new version, these are just a few.  My personal favorite that I think store owners are going to really like is #7 – the ability to reset the customer’s password in the admin.  Unfortunately this doesn’t send the password to the customer… but you can easily tell them over the phone or via email what the new password is.

By visiting the zen cart website here, you can see a complete list of the updates made in this version.   You can get in line for your upgrade by going to our website and ordering the correct item that you need.

ALL VERSIONS of ZEN CART are affected

This security fix is regarded as low risk because hacker would need to have admin access.  However, it is always important to have all security fixes installed, whether valued as low or high risk.

“In a Nutshell” DETAILS

The popup page for additional images e.g. index.php?main_page=popup_image_additional accepts a GET parameter for products_image_large_additional.

Using a crafted URL an attacker can determine (via the html returned) whether a specific file exists on the server.  This flaw does not indicate the attacker can ACCESS the file, just find out if it exists on the server.

If you would like for us to install this fix on your website, please visit this page. Our charge is $25.

If you want more technical details or would like to install this fix yourself, instructions are included on the official Zen Cart website.

Responsive Template Design

In April 2015, Google announced that sites that do not have a responsive design that works with phones and tablets would not be indexed in their google mobile index.  Because more people are using mobile devices such as phones and tablets to access the internet, it is important that your website has a responsive design.

Whether you want a completely new, fresh Zen Cart template design or just want your current template updated to be responsive, we are happy to help you.

Summer Special – Zen Cart Upgrade Discount

It is ALWAYS in the your best interest and especially your customers best interest that you have the latest version of any software on your website.  This especially applies to a software like Zen Cart that requires maximum security for collecting payment.

We are having a Summer special where, if you hire us to do a NEW responsive design for you, we will also upgrade your Zen Cart at half price.  By using coupon code ModsUpgrade when you place your order, you will also receive an additional 30% discount to upgrade any mods that are currently installed as well as adding new mods you might want!  This adds up to a savings of $125-$250 depending upon what version of Zen Cart you are running.  The latest, PCI compliant version is 1.5.4.  Here is a link to order

If you do not know all of the mods you may have installed, please contact us via email or phone (816-550-1900) and, after being given access to your admin, I can log in to your admin and give you a list.

We always try to install the following modules at no charge:

1.  Backup MySql Database (some servers will reject this)
2.  Latest Version of CK Editor
3.  UPS and USPS latest versions (if already installed)

This special is running through the summer only so get your order in and get on the schedule now if you want to take advantage of this savings.


We have received word that is switching to using Akamai services to interface with their current system in order to avoid future downtime when they are performing maintenance actions and updates.

Because of the seamless way they’re implementing the changes, you could easily make NO changes to your Zen Cart files and things will work just fine.  There may be a delay and some downtime when they do updates, but that should be minimal and probably not any different from what your site already experiences.

To see if you are using, in your Zen Cart admin go to Modules>Payment and look at the top two lines and see if you have a green light to the right of them.  If you do, you are using  If the buttons are red, you are NOT using

If you wish to make the changes is suggesting in order to benefit from their updates sooner and avoid downtime during maintenance, there is a small change that needs to be made in your Zen Cart files.  If you want to do this yourself, you can find information on what to change at the Zen Cart website here

If you would like for us to make this change for you, our charge is $25 which is our minimum troubleshooting charge.  Please be SURE to click the blue button on the checkout success page to go to our data collection site and correctly fill out the Module Installation form if you place an order for us to perform the work for you.

USPS Shipping Module for Zen Cart

USPS has released a new update for those of you who use USPS shipping on your website.  (to check if you use USPS, in your admin mouse over Modules, click on Shipping and see if there is a green button to the right of USPS).

While I am sure the following list is in no way comprehensive, below are some of the changes I have dug around to find:

This update includes rate increases and changes to Extra Services (EG:  certified mail, insurance, etc.)

First class domestic package rate has increased.

Priority Mail® International and Priority Mail Express® International prices have increased. The prices for Priority Mail International to Canada will be determined based upon Zone, not just weight.

Linda, one of the Zen Cart developers, just released a new update  if you are able to install the module yourself.

If you use USPS as a shipping module, it should be updated.  If you need us to install the update you may order it from our website here.  As usual, installs are done in the order they are received.  If you cannot figure out if you have USPS installed or not, I can check it for you, but you will have to order from the link above and if you do NOT have USPS installed, this will not be refunded as my minimum troubleshooting charge is more than this update.

Also very important… when you check out – PLEASE click on the graphic on the checkout success page that says to go to a secure form to input your information so we can access your server and your admin. Once to our data collection site, please click on Module Installation.  It is important that you enter the correct info, so as to not delay things. announced that it would be disallowing SSLv3 connections on November 4, 2014 due to the POODLE vulnerability that was discovered.

PayPal issued a statement to account holders today that it would begin (again) disallowing SSLv3 connections on December 3rd, 2014.

This solution provided by the Zen Cart development team is to modify files so that no SSL version is specified a higher level of SSL can be negotiated from your Zen Cart website.

If you need help with modification of the files, we will be happy to revise them for you so your Zen Cart payment modules work properly.  Our charge for this fix is $50. 

If you have USPS installed, changes were made by USPS and a new version was released on 11/2/14.  This new version includes returning rates for First Class Large Envelope as well as the fix for the POODLE vulnerability.  If you have us change the files, please indicate in the comments section of your order that you want USPS updated and we will do it for no charge since we will be doing the POODLE fix on the other files.

zclogoThe developers of Zen Cart have officially released a new version with many bug fixes and a few improvements to the core.

This version is not yet PA DSS certified, but is in the process of getting certified.  Once it becomes certified, I believe it will be receiving a new version number.

If you are running 1.3X for your online store, you really need to upgrade not only to protect YOU but your customers as well.

If you need help with upgrading your website, we are happy to do it for you.  Visit our Zen Cart Upgrade section on our website for details and pricing.



USPS Update for 1/27/13

This updates is only for those people using USPS – due to the rate increases, a new modification had to be written by Linda, one of the zen cart developers. She released that mod on Jan. 26th.

If you are comfortable installing mods, you can download this update from the Zen Cart Website.

If you need for us to install this update for you, please feel free to order it from the link below. Cost is $20.

Also very important… when you check out – please click on the graphic on the checkout success page that says to go to a secure form to input your information so we can access your server and your admin.. You will choose the Module Installation Link

Please, PLEASE make sure you give us your CORRECT cpanel/ ftp/ admin info to install this mod. TEST the info prior to filling out the form please. If the info you send is incorrect, it takes extra time to email and start all over again. We will be filling orders as they come in… and if your info is incorrect, you will go back to the “end of the line”.

If you are hosted on our server, we need your cpanel login / password because we no longer can use secondary ftp accounts for PCI compliance. If you do not know your password, just put the word RESET in the password box and we will reset it.

We will be installing the mod starting tomorrow (1/27) for those that need us to install it for them


Judy and Tommy Gunderson

Effective January 22, 2012, USPS has changed coding which required a new USPS patch to be written for zen cart.

You can download this patch from the zen cart website Should you choose to install it yourself, be sure to read the directions that are given on how to proceed to get the mod to work properly.

You can also have zen cart experts install it for you by visiting Zen Cart Ecommerce Website Design

Be sure after placing your order that you click the button for modification installation to be taken to a secure form to give us the info we would need to install the patch.

This patch will work on versions 1.3.8, 1.3.9 and 1.5.0. We HIGHLY advise that if you are using version 1.3.8, you have your site upgraded to 1.3.9H immediately to protect your clients and sensitive information. Zen Cart version 1.3.8 is no longer PCI Compliant, nor is it considered secure and is constantly being targeted by hackers.

Zen Cart 1.5.0 Official Release
Published: Saturday 31 December, 2011

Release of Zen Cart 1.5.0
At the end of July of this year, the Zen Cart developers released a beta version of 1.5.0. Since that time the community has been installing and testing it to work out any bugs in the beta.

Today, the official version was released that is safe to use on a live store. One of the main reasons for this 1.5.0 release is in becoming PA DSS certified. PA DSS (Payment Application Data Security Standards) certification is important in the area of PCI compliance when accepting credit cards online as well as in passing stringent testing for security holes so that hackers cannot breach the software. Zen Cart is the FIRST open source e-commerce software that has passed PA DSS certification! I was impressed with Zen Cart and the developers when I first starting using the software eight years ago – and continute to be impressed! Needless to say, I am thrilled to be a part of this open source community and to be able to help my clients have carts with top of the line software!

Below is some info from the developers about this new release:

Minimum Server Requirements:
PHP 5.2.14 or higher
MySQL 4.1.3 or higher
Apache 2.0 or higher.
Apache configured with AllowOverride set to either ‘All’ or at least both ‘Limit’ and ‘Indexes’ parameters, and preferably the ‘Options’ parameter as well.
PHP configured to support CURL with OpenSSL

While Zen Cart® can run on Windows/IIS servers, Linux/Apache servers are recommended for best results, superior performance, and easier use by shopowners.

What’s New In v1.5.0:
Updates include:
CHANGE-12 – Numerous system changes to support PA-DSS compliance certification
*Admin passwords now expire every 90 days, as per PA-DSS specification
*Admin passwords now require a combination of letters and numbers, as well as uniqueness (cannot use already-used passwords)
*Admin passwords can have a configurable length, but no less than 7 characters
*Admin passwords also expire, for security reasons, when changing admin configuration from non-SSL mode to SSL mode.
*Admin Profiles – is now built-in, with a significant number of additional features, and simpler to use.
*Add basic admin Activity Log Viewer/Exporter tool
HTMLarea editor removed from core due to obsolescence. Use preferred plugin instead if similar functionality is required.
FCKeditor components removed from core due to obsolescence. CKEditor is the replacement editor by the same author. Switch to the new plugin if desiring to use this editor.
USPS module removed from core in favor of being an addon, due to the volatility of frequent changes made by USPS. The addon is available in the Free Addons section of the Zen Cart website.
CHANGE-12 – PA-DSS – prevent payment modules from ever storing more than 10 characters of sanitized CC numbers
CHANGE-12 – PA-DSS – prevent built-in “gateway” payment modules from functioning if the site is not protected by SSL
CHANGE-12 – PA-DSS – add admin detection of SSL mode change and auto-expire all passwords if SSL mode is enabled either with ENABLE_SSL_ADMIN or using an https address for HTTP_SERVER
CHANGE-12 – PA-DSS – add two-factor authentication hook in admin login
zc_install now treats supplied initial admin password (during install) as temporary … requiring the admin user to select a new password at first login. This is to prevent abuse from password sniffing.
Incorporate TZ (timezone) support, with ability to override/disable simply by defining a DISABLE_MYSQL_TZ_SET constant. c/f
PADSS-30 – Admin SSL now enabled by default in configure.php file if Enable-SSL is selected during zc_install
BUGSFORUM-1774 – Add ‘secure’ flag support for session cookie when site is running entirely in SSL
BUGSFORUM-1081 – Fixed: no default set for shipping radio buttons if module is disabled after previously selecting a shipping method
BUGSFORUM-1347 – Remove file-based session handling support due to security concerns and chicken/egg situation caused by garbage collection processes.
BUGSFORUM-1497 – Admin order totals section of orders.php page ignored currency-formatting display rules in some cases
BUGSFORUM-1550 – Fix occasional problem with “duplicate entry” in sessions table caused by some servers using longer session ID keys
BUGSFORUM-1558 – typefilter incorrect lookup problem in case of (unlikely) file-not-found scenario
BUGSFORUM-1554 – Shopping Cart Problems when updating product quantities for products with Max limit set
BUGSFORUM-1564 – orders_status wrongly set to 0 in rare cases
BUGSFORUM-1584 – no_picture.gif could be accidentally deleted if specified as an actual product image
BUGSFORUM-1589 – Fixed problem with some downloadable orders where an update of an order might set the number of days to a wrong value
CHANGE-151: Fix rounding and tax calculation issues in Cart/Order Class
CHANGE-90 – SECURITY: Fix Local File Inclusion Vulnerability
Whos_online – several improvements to allow the option to exclude spiders and/or admin IP’s from the list of displayed results
Improvement: Developers Toolkit can now optionally search .js files too.
CHANGE-136 on new installs, DB_CHARSET now defaults to UTF8, not latin1
CHANGE-137 Removal(deactivation) of CDE payment modules when SSL disabled
BUGSFORUM-1592 – Fix rounding problems affecting coupon min-purchase eligibility calculations
CHANGE-70 – zc_install now checks whether .htaccess rules will work, and provides an alert if there’s a problem.
BUGSFORUM-XXXX – PayPal improvements – allows Transaction ID to show on admin order confirmation emails for WPS, just like other payment modules do
BUGSFORUM-XXXX – PayPal – partial fix for bug where currency code not specified during partial refunds causes request to fail
BUGSFORUM-XXXX – PayPal – fixed bug where debug logging might happen even if switched off (caused by broader server-config issues)
BUGSFORUM-XXXX – PayPal – fix bug in Express Checkout where a shipping-override would still send a shipping phone number, causing a 10001 error without explanation.
BUGSFORUM-XXXX – PayPal – fix bug where EC button was removed from login page but left PayPal text prompts, resulting in confusion.
BUGSFORUM-XXXX – PayPal – Change to VPS-Timeout-90 instead of 45 at PayPal’s request. This means customers might have to wait longer for transactions to complete, but will reduce timeout errors when PayPal’s systems are slow.
BUGSFORUM-XXXX – PayPal – include product ID number on line-item details since is needed for order fulfillment
BUGSFORUM-1673 – PayPal – Fix minor html table syntax bug in paypal history details on admin orders screen
BUGSFORUM-1754 – PayPal – fix various rounding problems in all modules
BUGSFORUM-1760 – PayPal – Fix problems with Hungarian Forint and other 0-decimal currencies
BUGSFORUM-1926 – PayPal – Fix problem with attributes — if a product had attributes, the product name was being replaced with attribute details, instead of being appended to
BUGSFORUM-1971 – PayPal – Trap cases where PayPal returns a blank address unexpectedly, and ask them to supply address details by creating an account
BUGSFORUM-1971 – PayPal – Minimize address matching issues which arise when storeowners rename their countries to non-ISO standard names (something they should not do)
BUGSFORUM-1892 – PayPal Express: Item details were shown as “Tax included in prices: 0 (0)”
BUGSFORUM-1959 – PayPal IPN and Express Checkout Missing free Items, or listing free items without description
BUGSFORUM-2024 – PayPal IPN – address-override alert might insert duplicate update notices in order status history
BUGSFORUM-2151 – Paypal – Error 10413 when redeeming Gift Certificates for amount greater than product-subtotal
CHANGE-164 – paypal logging not properly disabling consistently
BUGSFORUM-1613 – Media Manager Assign to Products wouldn’t allow assigning of new products due to security change in 1.3.9h
Fix to admin customer search: search for new customers by customers_email_address to get correct customer and not everyone named Smith
Fixed display bug with category icons generating link to cPath=0 if cPath not set
Fix the display of Discount Coupons when a redemption code is applied so it is more readable by the customer
Fix Add to Cart to stay on listing when set to not display cart
Fixed coupon admin screen to land on correct page after adding new coupon
Various Admin pages: Fix pagination problems when changing status, searching, etc.
Improvement: Shorten CPU cycles on double-parsing an array needlessly in modules. Also improved sanitized debug output.
BUGSFORUM-1645 – Adding Featured Products ERROR Warning Warning: Product ID already on Special
Admin products-to-categories copier: Add additional message for clarity when Copy to categories_id is invalid but allow for obscure usage
Fixed bug on Order History going to page not found when set to not display cart
Fix: restore shopping cart products in the order they were added
BUGSFORUM-1662 – Gift Certificates Will Not Release
Fixed Error message when restricting coupons
Fixed hard-coded table names which should have been using constants, to allow for prefixes properly.
Fix problems with the word “search” in spiders.txt
Admin orders page now passes unformatted value back for availability to customizations which want to redisplay the values differently.
BUGSFORUM-1696 – clear COUPON_GV_QUEUE when deleting an order
BUGSFORUM-1681 – fix links in GV mails
BUGSFORUM-1689 – email validation regex improvements
BUGSFORUM-1634 – Bugfix: Prevent loading of non-PHP files in some admin autoloading routines
BUGSFORUM-1650 – sanitize whosonline output
Downloads – improvements and addition of support for IE9
BUGSFORUM-1708 – Combine class methods to reduce chance of race conditions and add error suppression to filemtime
Fix potential GZIP error if server configuration is overly generic
CHANGE-74 Sanitization
VARIOUS changes made to admin/catalog page forms to protect against CSRF using security token
VARIOUS changes for date fields to be handled consistently and to remove some pre-quoting which was breaking bindVars
CHANGE-102 Fix broken error checking in SQLPatch tool
CHANGE-128 obscure sql injection fix
CHANGE-135 add default value to zen_draw_pull_down_menu call to stop the value being drawn from the GLOBALS array and tested as a string.
CHANGE-138 Set CURL Proxy Status to FALSE by default, and remove from display since it’s now deprecated
CHANGE-139 fix sprintf() error when generating an outgoing email notification caused by language file refinement
CHANGE-142 fix tax calculation
CHANGE-143 fix sidebox query to ensure a correct limit statement is built, if necessary
CHANGE-143 catch SQL errors and output generic message to user and write message to log instead
CHANGE-144 XSS mitigation for admin forms — adds logging for inputs flagged as “rogue” by blacklist algorithm.
CHANGE-145+146 Blank values for various Maximum Values settings causes PHP errors
CHANGE-147 zc_install was throwing warning for MySQL versions over 5.2
BUGSFORUM-1709 Fix extraneous products_id in url
BUGSFORUM-1783 Fix Virtual Product defaults for all core Product Types
BUGSFORUM-1798 Preview icon was linked directly to product-general type. Now linked to the product type handler, allowing correct language defines to be loaded when previewing a product via this icon.
BUGSFORUM-1862 status filter not retaining state, restrict to first char for safety
BUGSFORUM-1754 change to calculate price/tax on zen_round(zen_add_tax(price,rate)*quantity, decimals)
BUGSFORUM-1696 SQL error due to non-matching field name
BUGSFORUM-1907 Fix ambiguous description on admin search switch
BUGSFORUM-1905 Adjust schema to handle ipv6 addresses
BUGSFORUM-1949 various ISO country updates
BUGSFORUM-1973 Downloads might deliver an empty file if readfile() is disabled in PHP and symlink support is off
BUGSFORUM-2046 HTML Entities not retained while editing via admin
CHANGE-159 – Remove Welcome-Email Preview from admin
BUGSFORUM-2038 Invalid email address formatting can cause ugly failure message without explanation
CHANGE-168 – Fix tax calculations for not-logged-in users, by defaulting to default country/zone just like it does for product listings
.htaccess – add safety around apache directives to prevent errors with poorly configured servers
Fix bug in properly detecting SSL mode with zen_redirect calls
Addressed SSL logoff scenario specific to shared SSL on shared hosting.
Fix email error handling – was only setting error info if the message succeeded, thus always blank.
Fix broken markup in admin layout-controller
add extra line-break before “spam” disclaimer in email footers
Disable language/currency sideboxes by default, to minimize some confusion
Fix some collation errors encountered during upgrades
CHANGE-160 – Various changes for basic compatibility with the proposed PHP 5.4 specifications
CHANGE-175 – Fix Maximum limit to manage merge of cart on login
CHANGE-176 – Fix Text Required to allow for 0 to work as Required Text content
BUGSFORUM-2121 – zc_install – fixed broken link for help with disabling session.use_trans_sid in help text
Simplified the admin-directory-rename process: New installs now only require renaming the folder. No more special configure.php file edits!
CHANGE-186 – Removed Tell A Friend feature
BUGSFORUM-2138 – stripslash keyword in first parsing of search keywords, to protect against broken sql resulting in blank page
BUGSFORUM-2140 – fix problem with metatag deletion where multiple languages exist
BUGSFORUM-2150 – PHP Warning: strlen() expects parameter 1 to be string
BUGSFORUM-2175 – fix XSS issue reported by intermittent PCI scans
CHANGE-190 – fix constants from discount coupon to gv
The current version of Zen Cart – 1.3.9h – will continue to be supported for 6 months from today, per the developers.

At some point I will be trying to get a list of mods together that are working with 1.5.0. Right now…. it is “slim pickins” because of the stringent coding requirements for PA DSS certification.