Zen Cart® Minimum Requirements
Zen Cart® v1.5.0 requires a minimum of the following:
PHP 5.2.14 or higher
MySQL 4.1.3 or higher
Apache 2.0 or higher.
Apache configured with AllowOverride set to either 'All' or at least both 'Limit' and 'Indexes' parameters, and preferably the 'Options' parameter as well.
PHP configured to support CURL with OpenSSL
While Zen Cart® can run on Windows/IIS servers, Linux/Apache servers are recommended for best results, superior performance, and easier use by shopowners.
Whats New ...
The following improvements and bugfixes are included in v1.5.0 since v1.3.9:
CHANGE-12 - Numerous system changes to support PA-DSS compliance certification
Admin passwords now expire every 90 days, as per PA-DSS specification
Admin passwords now require a combination of letters and numbers, as well as uniqueness (cannot use already-used passwords)
Admin passwords can have a configurable length, but no less than 7 characters
Admin passwords also expire, for security reasons, when changing admin configuration from non-SSL mode to SSL mode.
Admin Profiles - is now built-in, with a significant number of additional features, and simpler to use.
Add basic admin Activity Log Viewer/Exporter tool
HTMLarea editor removed from core due to obsolescence. Use preferred plugin instead if similar functionality is required.
FCKeditor components removed from core due to obsolescence. CKEditor is the replacement editor by the same author. Switch to the new plugin if desiring to use this editor.
USPS module removed from core in favor of being an addon, due to the volatility of frequent changes made by USPS. The addon is available in the Free Addons section of the Zen Cart website.
CHANGE-12 - PA-DSS - prevent payment modules from ever storing more than 10 characters of sanitized CC numbers
CHANGE-12 - PA-DSS - prevent built-in "gateway" payment modules from functioning if the site is not protected by SSL
CHANGE-12 - PA-DSS - add admin detection of SSL mode change and auto-expire all passwords if SSL mode is enabled either with ENABLE_SSL_ADMIN or using an https address for HTTP_SERVER
CHANGE-12 - PA-DSS - add two-factor authentication hook in admin login
zc_install now treats supplied initial admin password (during install) as temporary ... requiring the admin user to select a new password at first login. This is to prevent abuse from password sniffing.
Incorporate TZ (timezone) support, with ability to override/disable simply by defining a DISABLE_MYSQL_TZ_SET constant. c/f http://www.zen-cart.com/forum/showthread.php?t=174346
PADSS-30 - Admin SSL now enabled by default in configure.php file if Enable-SSL is selected during zc_install
BUGSFORUM-1774 - Add 'secure' flag support for session cookie when site is running entirely in SSL
BUGSFORUM-1081 - Fixed: no default set for shipping radio buttons if module is disabled after previously selecting a shipping method
BUGSFORUM-1347 - Remove file-based session handling support due to security concerns and chicken/egg situation caused by garbage collection processes.
BUGSFORUM-1497 - Admin order totals section of orders.php page ignored currency-formatting display rules in some cases
BUGSFORUM-1550 - Fix occasional problem with "duplicate entry" in sessions table caused by some servers using longer session ID keys
BUGSFORUM-1558 - typefilter incorrect lookup problem in case of (unlikely) file-not-found scenario
BUGSFORUM-1554 - Shopping Cart Problems when updating product quantities for products with Max limit set
BUGSFORUM-1564 - orders_status wrongly set to 0 in rare cases
BUGSFORUM-1584 - no_picture.gif could be accidentally deleted if specified as an actual product image
BUGSFORUM-1589 - Fixed problem with some downloadable orders where an update of an order might set the number of days to a wrong value
CHANGE-151: Fix rounding and tax calculation issues in Cart/Order Class
CHANGE-90 - SECURITY: Fix Local File Inclusion Vulnerability
Whos_online - several improvements to allow the option to exclude spiders and/or admin IP's from the list of displayed results
Improvement: Developers Toolkit can now optionally search .js files too.
CHANGE-136 on new installs, DB_CHARSET now defaults to UTF8, not latin1
CHANGE-137 Removal(deactivation) of CDE payment modules when SSL disabled
BUGSFORUM-1592 - Fix rounding problems affecting coupon min-purchase eligibility calculations
CHANGE-70 - zc_install now checks whether .htaccess rules will work, and provides an alert if there's a problem.
BUGSFORUM-XXXX - PayPal improvements - allows Transaction ID to show on admin order confirmation emails for WPS, just like other payment modules do
BUGSFORUM-XXXX - PayPal - partial fix for bug where currency code not specified during partial refunds causes request to fail
BUGSFORUM-XXXX - PayPal - fixed bug where debug logging might happen even if switched off (caused by broader server-config issues)
BUGSFORUM-XXXX - PayPal - fix bug in Express Checkout where a shipping-override would still send a shipping phone number, causing a 10001 error without explanation.
BUGSFORUM-XXXX - PayPal - fix bug where EC button was removed from login page but left PayPal text prompts, resulting in confusion.
BUGSFORUM-XXXX - PayPal - Change to VPS-Timeout-90 instead of 45 at PayPal's request. This means customers might have to wait longer for transactions to complete, but will reduce timeout errors when PayPal's systems are slow.
BUGSFORUM-XXXX - PayPal - include product ID number on line-item details since is needed for order fulfillment
BUGSFORUM-1673 - PayPal - Fix minor html table syntax bug in paypal history details on admin orders screen
BUGSFORUM-1754 - PayPal - fix various rounding problems in all modules
BUGSFORUM-1760 - PayPal - Fix problems with Hungarian Forint and other 0-decimal currencies
BUGSFORUM-1926 - PayPal - Fix problem with attributes -- if a product had attributes, the product name was being replaced with attribute details, instead of being appended to
BUGSFORUM-1971 - PayPal - Trap cases where PayPal returns a blank address unexpectedly, and ask them to supply address details by creating an account
BUGSFORUM-1971 - PayPal - Minimize address matching issues which arise when storeowners rename their countries to non-ISO standard names (something they should not do)
BUGSFORUM-1892 - PayPal Express: Item details were shown as "Tax included in prices: 0 (0)"
BUGSFORUM-1959 - PayPal IPN and Express Checkout Missing free Items, or listing free items without description
BUGSFORUM-2024 - PayPal IPN - address-override alert might insert duplicate update notices in order status history
BUGSFORUM-2151 - Paypal - Error 10413 when redeeming Gift Certificates for amount greater than product-subtotal
CHANGE-164 - paypal logging not properly disabling consistently
BUGSFORUM-1613 - Media Manager Assign to Products wouldn't allow assigning of new products due to security change in 1.3.9h
Fix to admin customer search: search for new customers by customers_email_address to get correct customer and not everyone named Smith
Fixed display bug with category icons generating link to cPath=0 if cPath not set
Fix the display of Discount Coupons when a redemption code is applied so it is more readable by the customer
Fix Add to Cart to stay on listing when set to not display cart
Fixed coupon admin screen to land on correct page after adding new coupon
Various Admin pages: Fix pagination problems when changing status, searching, etc.
Improvement: Shorten CPU cycles on double-parsing an array needlessly in Authorize.net modules. Also improved sanitized debug output.
BUGSFORUM-1645 - Adding Featured Products ERROR Warning Warning: Product ID already on Special
Admin products-to-categories copier: Add additional message for clarity when Copy to categories_id is invalid but allow for obscure usage
Fixed bug on Order History going to page not found when set to not display cart
Fix: restore shopping cart products in the order they were added
BUGSFORUM-1662 - Gift Certificates Will Not Release
Fixed Error message when restricting coupons
Fixed hard-coded table names which should have been using constants, to allow for prefixes properly.
Fix problems with the word "search" in spiders.txt
Admin orders page now passes unformatted value back for availability to customizations which want to redisplay the values differently.
BUGSFORUM-1696 - clear COUPON_GV_QUEUE when deleting an order
BUGSFORUM-1681 - fix links in GV mails
BUGSFORUM-1689 - email validation regex improvements
BUGSFORUM-1634 - Bugfix: Prevent loading of non-PHP files in some admin autoloading routines
BUGSFORUM-1650 - sanitize whosonline output
Downloads - improvements and addition of support for IE9
BUGSFORUM-1708 - Combine class methods to reduce chance of race conditions and add error suppression to filemtime
Fix potential GZIP error if server configuration is overly generic
CHANGE-74 Sanitization
VARIOUS changes made to admin/catalog page forms to protect against CSRF using security token
VARIOUS changes for date fields to be handled consistently and to remove some pre-quoting which was breaking bindVars
CHANGE-102 Fix broken error checking in SQLPatch tool
CHANGE-128 obscure sql injection fix
CHANGE-135 add default value to zen_draw_pull_down_menu call to stop the value being drawn from the GLOBALS array and tested as a string.
CHANGE-138 Set CURL Proxy Status to FALSE by default, and remove from display since it's now deprecated
CHANGE-139 fix sprintf() error when generating an outgoing email notification caused by language file refinement
CHANGE-142 fix tax calculation
CHANGE-143 fix sidebox query to ensure a correct limit statement is built, if necessary
CHANGE-143 catch SQL errors and output generic message to user and write message to log instead
CHANGE-144 XSS mitigation for admin forms -- adds logging for inputs flagged as "rogue" by blacklist algorithm.
CHANGE-145+146 Blank values for various Maximum Values settings causes PHP errors
CHANGE-147 zc_install was throwing warning for MySQL versions over 5.2
BUGSFORUM-1709 Fix extraneous products_id in url
BUGSFORUM-1783 Fix Virtual Product defaults for all core Product Types
BUGSFORUM-1798 Preview icon was linked directly to product-general type. Now linked to the product type handler, allowing correct language defines to be loaded when previewing a product via this icon.
BUGSFORUM-1862 status filter not retaining state, restrict to first char for safety
BUGSFORUM-1754 change to calculate price/tax on zen_round(zen_add_tax(price,rate)*quantity, decimals)
BUGSFORUM-1696 SQL error due to non-matching field name
BUGSFORUM-1907 Fix ambiguous description on admin search switch
BUGSFORUM-1905 Adjust schema to handle ipv6 addresses
BUGSFORUM-1949 various ISO country updates
BUGSFORUM-1973 Downloads might deliver an empty file if readfile() is disabled in PHP and symlink support is off
BUGSFORUM-2046 HTML Entities not retained while editing via admin
CHANGE-159 - Remove Welcome-Email Preview from admin
BUGSFORUM-2038 Invalid email address formatting can cause ugly failure message without explanation
CHANGE-168 - Fix tax calculations for not-logged-in users, by defaulting to default country/zone just like it does for product listings
.htaccess - add safety around apache directives to prevent errors with poorly configured servers
Fix bug in properly detecting SSL mode with zen_redirect calls
Addressed SSL logoff scenario specific to shared SSL on shared hosting.
Fix email error handling - was only setting error info if the message succeeded, thus always blank.
Fix broken markup in admin layout-controller
add extra line-break before "spam" disclaimer in email footers
Disable language/currency sideboxes by default, to minimize some confusion
Fix some collation errors encountered during upgrades
CHANGE-160 - Various changes for basic compatibility with the proposed PHP 5.4 specifications
CHANGE-175 - Fix Maximum limit to manage merge of cart on login
CHANGE-176 - Fix Text Required to allow for 0 to work as Required Text content
BUGSFORUM-2121 - zc_install - fixed broken link for help with disabling session.use_trans_sid in help text
Simplified the admin-directory-rename process: New installs now only require renaming the folder. No more special configure.php file edits!
CHANGE-186 - Removed Tell A Friend feature
BUGSFORUM-2138 - stripslash keyword in first parsing of search keywords, to protect against broken sql resulting in blank page
BUGSFORUM-2140 - fix problem with metatag deletion where multiple languages exist
BUGSFORUM-2150 - PHP Warning: strlen() expects parameter 1 to be string
BUGSFORUM-2175 - fix XSS issue reported by intermittent PCI scans
CHANGE-190 - fix constants from discount coupon to gv
And all the security fixes and bugfixes from prior versions
CHANGELOG - List of Changed Files
For a list of files that have been changed since v1.3.9h, see the changed_files-v1-5-0.html
Upgrade Instructions from v1.3.9
HOW TO UPGRADE Please follow the instructions in the "how to upgrade " documentation in the /docs folder of the Zen Cart® files.
Upgrading Addons or Custom Code
If you are attempting to upgrade custom code or addons written for prior versions, you may find this tutorial article helpful: http://tutorials.zen-cart.com/index.php?article=410
A Word About UTF-8 vs iso-8859-1
Please see this online article for guidance on upgrading old sites from iso-8859-1 to utf8
*** SERVER CONFIGURATION REQUIREMENT ***
For added security, Zen Cart® comes with several .htaccess files already included in various folders to help provide protection against unwanted visitors
and even against mis-use of your site in the unfortunate situation of your site being hacked. These protections prevent hackers from using your site as phishing sources.
However, for these built-in protections to work, your web hosting server administrator MUST set the AllowOverride directive
in the server's apache configuration (the server's master httpd.conf file) to "All" or at least ensure it includes these parameters: 'Limit Indexes'.
ie: AllowOverride All (NOTE: You must also add "Options" if uncommenting OPTIONS directives in your .htaccess files) 500 Internal Server Error " messages when attempting to access various parts of your site, including perhaps the zc_install installer script.
Storeowners hosting on Windows Servers using IIS instead of Apache may need to remove the .htaccess files and rework them into suitable equivalents within your IIS configuration. See Microsoft's IIS website for specific assistance.
ADDITIONAL NOTE ABOUT .htaccess FILES
Inside some folders is an .htaccess file that lists certain *permitted* filetypes which may be accessed. (Anything else is blocked to prevent abuse on your site).
The side-effect of this is that if you choose to use media types that are not already listed in the *permitted* list, then your visitors will not be able to see those resources.
Thus, if you are using product images that are not in the list of permitted types in your /images/.htaccess, you will need to add those types to the list.
Similarly, if you are using certain media types in music product previews, you will need to make sure those are in your /media/.htaccess
And, if you are using filetypes for downloadable products that are not already listed in your /pub/.htaccess and /download/.htaccess you will need to add those as well.
BluePink