Path-Based Cross-Site Scripting (XSS) Failure


Applies to: AbleCommerce Gold

Release Date:  10/11/2017

Summary:  This patch fixes some security issues and is necessary for PCI compliance.

Update 11/8/17: This fix is now included in Service Release 2 for AbleCommerce Gold R12

Update 11/14/17:  Prior to this day, the patch created for Gold R12 SR1 had some unused code. The differences are in Base.master.cs, and all differences are related to "AntiXsrfUserName" variable and related checks. This variable and it's related calculations are removed in the patch dated 11/14/17.

Note: the original patch dated 10/11/17 is still valid and only contains unused code.  A new patch was produced that has this code removed, and it will now match the code for Gold R12 Service Release 2.

 

 

INFORMATION

A PCI scanning service has identified some issues in AbleCommerce Gold relating to security.  All versions of AbleCommerce Gold are at risk and should be patched.  These are mandatory changes for PCI compliance.

 

ISSUES FIXED IN THIS PATCH

Cross-Site Scripting (XSS) Failure

Browsers are capable of displaying HTML and executing JavaScript. If the application does not escape special characters in the input/output and reflects user input as is back to the browser, an adversary may be able to launch a Cross-Site Scripting (XSS) attack successfully.

Cross-Site Request Forgery (CSRF)

If an application's requests do not contain any token, the operation can be vulnerable to a Cross-Site Request Forgery (CSRF) attack.

Blind SQL injection vulnerability

When a web application uses user-supplied input parameters within SQL queries without first checking them for unexpected characters, it becomes possible for an attacker to manipulate the query. This type of attack is known as a SQL injection attack.


PREREQUISITES

The provided patches are for specific builds of AbleCommerce.  Before installing, make sure your installation is at the same build number listed below.

ABLECOMMERCE VERSION

Download

Gold R12 SR1 build 9266

Updated 11/14/17:

(new) New_Gold_XSS_Patch_WSP(Gold-R12SR1-9266).zip

MD5: 1af3cad112231bf6b774e5b8ed6b6751

Released 10/11/17:

(old) Gold_XSS_Patch_WSP(Gold-R12SR1-9266).zip

MD5: d61c8f931536560284641ccb79c28bec

Gold R11 SR1 build 8858

Gold_XSS_Patch_WSP(Gold-R11SR1-8858).zip

MD5: ab8e8fa95b340f010f1431cdccb09aa0

Gold R10 SR1 build 8620

Gold_XSS_Patch_WSP(Gold-R10SR1-8620).zip

MD5: ac97066d7fae2161bcbc8ece7327f3a5

 

WAP Version - The patches are available for WSP version only.  If you are using the WAP version, please review the changes and apply to your version accordingly.  Changes are within the web.config, global.asax, and master layout files.


INSTALLATION INSTRUCTIONS
:

  1. Make a backup of your AbleCommerce installation

  2. Download the applicable Gold Patch below for the version you are using.

  3. Using the MD5 checksum number provided, you can verify the integrity of the download before extraction (see below).  This step is optional to ensure the download is valid.

TO VERIFY THE DOWNLOAD:

a.  Go to WinMD5.com or any other utility that can provide checksum validation.

b.  Download and Run the utility.

c.  Select the downloaded file.

d.  In the field provided, past the original MD5 value provided by AbleCommerce help site, and click Verify.

e.  If the validation fails, do NOT install the patch.  Instead, contact support for help.

  1. Extract the updated files to a temp folder.  

  2. Open the README.doc and follow the instructions.

 

Copyright © 1994 - 2023 AbleCommerce.com, All rights Reserved | Privacy Policy

A division of Able Solutions Corporation, headquarters located in Vancouver, WA