Zen Cart version 1.5 BETA released and ready for testing

A couple of days ago, the Zen Cart team shared the beta release of Zen Cart 1.5.  What’s really exciting about this version is that, following final code certification, it will make Zen Cart the first free Open Source Ecommerce Solution that is fully PA-DSS certified.  As well as the numerous changes to support PA-DSS compliance certification, there are a large number of enhancements and bug fixes.

Do NOT implement this version in a live shop during the BETA phase. However, if you are able to install this new version in a test environment, you are encouraged to provide details of any bugs found in the Zen Cart Bug Reports thread on the Zen Cart Support Forum.

The following information is available from the Readme file in the download:

Numerous system changes to support PA-DSS compliance certification

  • Admin passwords now expire every 90 days, as per PA-DSS specification
  • Admin passwords now require a combination of letters and numbers, as well as uniqueness (cannot use already-used passwords)
  • Admin passwords can have a configurable length, but no less than 7 characters
  • Admin passwords also expire, for security reasons, when changing admin configuraton from non-SSL mode to SSL mode
  • Admin Profiles – is now built-in, with a significant number of additional features, and simpler to use
  • Add basic admin Activity Log Viewer/Exporter tool
  • CHANGE-12 – PA-DSS – prevent payment modules from ever storing more than 10 characters of sanitized CC numbers
  • CHANGE-12 – PA-DSS – prevent built-in "gateway" payment modules from functioning if the site is not protected by SSL
  • CHANGE-12 – PA-DSS – add admin detection of SSL mode change and auto-expire all passwords if SSL mode is enabled either with ENABLE_SSL_ADMIN or using an https address for HTTP_SERVER
  • CHANGE-12 – PA-DSS – add two-factor authentication hook in admin login
  • PADSS-30 – Admin SSL now enabled by default in configure.php file if Enable-SSL is selected during zc_install



  • HTMLarea editor removed from core due to obsolescence. Use preferred plugin instead if similar functionality is required.
  • FCKeditor components removed from core due to obsolescence. CKEditor is the replacement editor by the same author. Switch to the new plugin if desiring to use this editor.
  • USPS module removed from core in favor of being an addon, due to the volatility of frequent changes made by USPS. The addon is available in the Free Addons section of the Zen Cart website.
  • zc_install now treats supplied initial admin password (during install) as temporary … requiring the admin user to select a new password at first login. This is to prevent abuse from password sniffing.
  • Add extra line-break before "spam" disclaimer in email footers.
  • CHANGE-102 Fix broken error checking in SQLPatch tool
  • CHANGE-128 obscure sql injection fix
  • CHANGE-135 add default value to zen_draw_pull_down_menu call to stop the value being drawn from the GLOBALS array and tested as a string.
  • CHANGE-138 Set CURL Proxy Status to FALSE by default, and remove from display since it’s now deprecated
  • CHANGE-139 fix sprintf() error when generating an outgoing email notification caused by language file refinement
  • CHANGE-142 fix tax calculation
  • CHANGE-143 fix sidebox query to ensure a correct limit statement is built, if necessary
  • CHANGE-143 catch SQL errors and output generic message to user and write message to log instead
  • CHANGE-144 XSS mitigation for admin forms — adds logging for inputs flagged as "rogue" by blacklist algorithm.
  • CHANGE-145+146 Blank values for various Maximum Values settings causes PHP errors
  • CHANGE-147 zc_install was throwing warning for MySQL versions over 5.2
  • CHANGE-151: Fix rounding and tax calculation issues in Cart/Order Class
  • CHANGE-90 – SECURITY: Fix Local File Inclusion Vulnerability
  • Whos_online – several improvements to allow the option to exclude spiders and/or admin IP’s from the list of displayed results
  • Improvement: Developers Toolkit can now optionally search .js files too.
  • CHANGE-136 on new installs, DB_CHARSET now defaults to UTF8, not latin1
  • CHANGE-137 Removal(deactivation) of CDE payment modules when SSL disabled
  • CHANGE-70 – zc_install now checks whether .htaccess rules will work, and provides an alert if there’s a problem.
  • CHANGE-74 Sanitization
  • VARIOUS changes made to admin/catalog page forms to protect against CSRF using security token
  • VARIOUS changes for date fields to be handled consistently and to remove some pre-quoting which was breaking bindVars
  • .htaccess – add safety around apache directives to prevent errors with poorly configured servers
  • Disable language/currency sideboxes by default, to minimize some confusion
  • Fix some collation errors encountered during upgrades
  • Admin products-to-categories copier: Add additional message for clarity when Copy to categories_id is invalid but allow for obscure usage
  • Admin orders page now passes unformatted value back for availability to customizations which want to redisplay the values differently.
  • Incorporate TZ (timezone) support, with ability to override/disable simply by defining a DISABLE_MYSQL_TZ_SET constant. c/f http://www.zen-cart.com/forum/showthread.php?t=174346
  • Improvement: Shorten CPU cycles on double-parsing an array needlessly in Authorize.net modules. Also improved sanitized debug output.


Bug Fixes

  • BUGSFORUM-1774 – Add ‘secure’ flag support for session cookie when site is running entirely in SSL
  • BUGSFORUM-1081 – Fixed: no default set for shipping radio buttons if module is disabled after previously selecting a shipping method
  • BUGSFORUM-1347 – Remove file-based session handling support due to security concerns and chicken/egg situation caused by garbage collection processes
  • BUGSFORUM-1497 – Admin order totals section of orders.php page ignored currency-formatting display rules in some cases
  • BUGSFORUM-1550 – Fix occasional problem with "duplicate entry" in sessions table caused by some servers using longer session ID keys
  • BUGSFORUM-1558 – typefilter incorrect lookup problem in case of (unlikely) file-not-found scenario
  • BUGSFORUM-1554 – Shopping Cart Problems when updating product quantities for products with Max limit set
  • BUGSFORUM-1564 – orders_status wrongly set to 0 in rare cases
  • BUGSFORUM-1584 – no_picture.gif could be accidentally deleted if specified as an actual product image
  • BUGSFORUM-1589 – Fixed problem with some downloadable orders where an update of an order might set the number of days to a wrong value
  • BUGSFORUM-XXXX – PayPal improvements – allows Transaction ID to show on admin order confirmation emails for WPS, just like other payment modules do
  • BUGSFORUM-XXXX – PayPal – partial fix for bug where currency code not specified during partial refunds causes request to fail
  • BUGSFORUM-XXXX – PayPal – fixed bug where debug logging might happen even if switched off (caused by broader server-config issues)
  • BUGSFORUM-XXXX – PayPal – fix bug in Express Checkout where a shipping-override would still send a shipping phone number, causing a 10001 error without explanation.
  • BUGSFORUM-XXXX – PayPal – fix bug where EC button was removed from login page but left PayPal text prompts, resulting in confusion.
  • BUGSFORUM-XXXX – PayPal – fix various rounding problems in all modules
  • BUGSFORUM-XXXX – PayPal – Change to VPS-Timeout-90 instead of 45 at PayPal’s request. This means customers might have to wait longer for transactions to complete, but will reduce timeout errors when PayPal’s systems are slow.
  • BUGSFORUM-XXXX – PayPal – include product ID number on line-item details since is needed for order fulfilment
  • BUGSFORUM-1673 – PayPal – Fix minor html table syntax bug in PayPal history details on admin orders screen
  • BUGSFORUM-1760 – PayPal – Fix problems with Hungarian Forint and other 0-decimal currencies
  • BUGSFORUM-1926 – PayPal – Fix problem with attributes — if a product had attributes, the product name was being replaced with attribute details, instead of being appended to
  • BUGSFORUM-1971 – PayPal – Trap cases where PayPal returns a blank address unexpectedly, and ask them to supply address details by creating an account
  • BUGSFORUM-1971 – PayPal – Minimize address matching issues which arise when storeowners rename their countries to non-ISO standard names (something they should not do)
  • BUGSFORUM-1892 – PayPal Express: Item details were shown as "Tax included in prices: 0 (0)"
  • BUGSFORUM-1959 – PayPal IPN and Express Checkout Missing free Items, or listing free items without description
  • BUGSFORUM-2024 – PayPal IPN – address-override alert might insert duplicate update notices in order status history
  • BUGSFORUM-1613 – Media Manager Assign to Products wouldn’t allow assigning of new products due to security change in 1.3.9h
  • BUGSFORUM-1696 – clear COUPON_GV_QUEUE when deleting an order
  • BUGSFORUM-1681 – fix links in GV mails
  • BUGSFORUM-1689 – email validation regex improvements
  • BUGSFORUM-1634 – Bugfix: Prevent loading of non-PHP files in some admin autoloading routines
  • BUGSFORUM-1650 – sanitize whosonline output
    Downloads – improvements and addition of support for IE9
  • BUGSFORUM-1708 – Combine class methods to reduce chance of race conditions and add error suppression to filemtime
  • BUGSFORUM-1645 – Adding Featured Products ERROR Warning Warning: Product ID already on Special
  • BUGSFORUM-1709 Fix extraneous products_id in url
  • BUGSFORUM-1783 Fix Virtual Product defaults for all core Product Types
  • BUGSFORUM-1798 Preview icon was linked directly to product-general type. Now linked to the product type handler, allowing correct language defines to be loaded when previewing a product via this icon.
  • BUGSFORUM-1862 status filter not retaining state, restrict to first char for safety
  • BUGSFORUM-1754 change to calculate price/tax on zen_round(zen_add_tax(price,rate)*quantity, decimals)
  • BUGSFORUM-1696 SQL error due to non-matching field name
  • BUGSFORUM-1907 Fix ambiguous description on admin search switch
  • BUGSFORUM-1905 Adjust schema to handle ipv6 addresses
  • BUGSFORUM-1949 various ISO country updates
  • BUGSFORUM-1973 Downloads might deliver an empty file if readfile() is disabled in PHP and symlink support is off
  • BUGSFORUM-1592 – Fix rounding problems affecting coupon min-purchase eligibility calculations
  • Fix bug in properly detecting SSL mode with zen_redirect calls
  • Addressed SSL logoff scenario specific to shared SSL on shared hosting.
  • Fix email error handling – was only setting error info if the message succeeded, thus always blank.
  • Fix broken markup in admin layout-controller
  • Fixed bug on Order History going to page not found when set to not display cart
  • Fix: restore shopping cart products in the order they were added
  • BUGSFORUM-1662 – Gift Certificates Will Not Release
  • Fixed Error message when restricting coupons
  • Fixed hard-coded table names which should have been using constants, to allow for prefixes properly.
  • Fix problems with the word "search" in spiders.txt
  • Fix to admin customer search: search for new customers by customers_email_address to get correct customer and not everyone named Smith
  • Fixed display bug with category icons generating link to cPath=0 if cPath not set
  • Fix the display of Discount Coupons when a redemption code is applied so it is more readable by the customer
  • Fix Add to Cart to stay on listing when set to not display cart
  • Fixed coupon admin screen to land on correct page after adding new coupon
  • Various Admin pages: Fix pagination problems when changing status, searching, etc.
  • Fix potential GZIP error if server configuration is overly generic

And all the security fixes and bugfixes from prior versions.


  1. No comments yet.
(will not be published)

Notify me of followup comments via e-mail. You can also subscribe without commenting.