INFORMATION
A known security vulnerability has been identified in jQuery versions earlier than 3.0. For details, please see:
https://nvd.nist.gov/vuln/detail/CVE-2015-9251
The issue may be discovered by some PCI scanning services. All versions of AbleCommerce Gold are at risk and should be patched. These are mandatory changes for PCI compliance.
ISSUES FIXED IN THIS UPGRADE
Cross-Site Scripting (XSS) attacks
jQuery before 3.0.0 is vulnerable to Cross-Site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Denial of Service (DoS)
jQuery 3.0.0-rc.1 and before 3.0.0 is vulnerable to Denial of Service (DoS) due to the removal of logic that lower-cased attribute names. Any attribute getter using a mixed-case name for boolean attributes goes into infinite recursion, exceeding the call stack limit.
IMPORTANT MESSAGE - Read this BEFORE upgrading to a new version of jQuery.
If you are using any custom AbleCommerce plug-ins, or your own custom code, please read this important message before upgrading to jQuery 3.0.
Since jQuery is the most widely used JavaScript library, there is a risk of breaking existing customizations or features within your website. For instance, the AbleCommerce features that were impacted include the following:
1. TinyMCE HTML editor
2. Footable (ExGridView)
3. Admin help tooltips (hoverIntent.js)
4. jquery.equalheights
5. UvumiGallery and Fancybox plug-ins on the product display pages (image gallery)
6. jquery superfish (Admin menu)
7. DatePickers
9. jQuery-based drop-down buttons (admin search button in header)
10. selectbox plugin on various pages, such as batch edit categories
11. jquery.qtip plugin (preview order feature)
12. Color picker (Theme CSS editor)
If you know that you have plug-ins or customizations, then stop now, and check with your vendor or developer before applying this upgrade. He or she will need to check for jQuery version compatibility.
Downloads
The provided patches are for specific builds of AbleCommerce. Before installing, find your installation version and build number.

ABLECOMMERCE VERSION       DOWNLOAD
Gold R12 SR2 build 9476    jQuery_Patch_Gold_WSP_R12_AC8-3268.zip (for WSP versions only)
                           MD5: 561316c3431fb05e1af38a75674b2904
                           jQuery_Patch_Gold_WAP_R12_AC8-3268.zip (for WAP versions only)
                           MD5: 3443b6451fda2e0e61697fbdc0ff2f84
Gold R12 SR1 build 9266    The patch downloads linked above are compatible with AbleCommerce
Gold R11 SR1 build 8858    Gold R12 SR2 only. However, if you are planning to apply this patch
Gold R10 SR1 build 8620    to a version of AbleCommerce Gold that is older than SR2 build 9476,
                           then you need to confirm that the Path-Based Cross-Site Scripting
                           (XSS) Failure has been patched for your installation. The current
                           patch includes some of the same files that were previously fixed
                           for security updates. If you have not applied the XSS patch
                           (Oct. 2017), then do that now before continuing. Alternatively,
                           instructions are given below to apply this patch manually to any
                           version of AbleCommerce Gold.
DOWNLOAD INSTRUCTIONS:
1. Make a backup of your AbleCommerce installation.
2. Download the applicable Gold patch from the table above for the version you are using.
3. Using the MD5 checksum provided, you can verify the integrity of the download before extraction (see below). This step is optional, but it ensures the download is valid.
TO VERIFY THE DOWNLOAD:
a. Go to WinMD5.com or use any other utility that can provide checksum validation.
b. Download and run the utility.
c. Select the downloaded file.
d. In the field provided, paste the original MD5 value provided on the AbleCommerce help site, and click Verify.
e. If the validation fails, do NOT install the patch. Instead, contact support for help.
4. Extract the updated files to a temp folder.
APPLY THE UPGRADE:
1. Identify the type of installation that is running on the server.
2. If you haven't done so already, please make a backup of your AbleCommerce installation.
3. From within your temp folder, first copy the updated files to the following locations within your installation:
..\Website\Admin\Admin.Master
..\Website\Admin\Admin.Master.cs
..\Website\Admin\Login.aspx
..\Website\Admin\Logout.aspx
..\Website\Admin\Utility\EditHtml.aspx
..\Website\Mobile\Members\PaymentTypes.aspx
..\Website\Mobile\ProductImages.aspx
The following 2 files include Anti-XSRF token updates from the Path-Based Cross-Site Scripting (XSS) Failure security patch. Since this is not a cumulative patch, you need to have that first security patch installed before applying this one.
..\Website\Layouts\Base.Master.cs*
..\Website\Layouts\Fixed\Base.Master.cs*
* Optionally, you can make a simple change to both of these files:
Open \Layouts\Base.Master.cs. On, or near, line 85, find:
string jquery = Page.ResolveUrl("~/Scripts/jquery-1.10.2.min.js");
Replace it with:
string jquery = Page.ResolveUrl("~/Scripts/jquery-3.3.1.min.js");
Save.
Open \Layouts\Fixed\Base.Master.cs. On, or near, line 51, find:
string jquery = Page.ResolveUrl("~/Scripts/jquery-1.10.2.min.js");
Replace it with:
string jquery = Page.ResolveUrl("~/Scripts/jquery-3.3.1.min.js");
Save.
4. Next, upgrade jQuery by copying the three (3) files from ..\Website\Scripts\ to the same location within your installation:
..\Website\Scripts\jquery-3.3.1.min.js (new file)
..\Website\Scripts\jquery-migrate-3.0.1.min.js (new file)
..\Website\Scripts\jquery-ui-i18n.min.js (updated file)
5. Manually remove the old jQuery by deleting the following files:
..\Website\Scripts\jquery-1.10.2.min.js
..\Website\Scripts\Mobile\photoswipe\jquery-1.6.4.min.js
6. Restart the website or application pool.
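As an added example (not part of the AbleCommerce patch or its instructions), the following PowerShell script automates the checksum check and the post-upgrade verification from the steps above: it compares the downloaded zip against the MD5 values in the table, confirms the three new script files are present, and lists any file under the site root that still references the removed jQuery builds, which is where custom pages or plug-ins that need review will show up. The patch path and site root are assumed values; adjust them to your installation.

```powershell
# Added example; not AbleCommerce code. $PatchZip and $SiteRoot are assumed paths.
param(
    [string]$PatchZip = 'C:\Temp\jQuery_Patch_Gold_WSP_R12_AC8-3268.zip',
    [string]$SiteRoot = 'C:\inetpub\AbleCommerce\Website'
)

# Expected MD5 values, copied from the download table above.
$ExpectedMd5 = @{
    'jQuery_Patch_Gold_WSP_R12_AC8-3268.zip' = '561316c3431fb05e1af38a75674b2904'
    'jQuery_Patch_Gold_WAP_R12_AC8-3268.zip' = '3443b6451fda2e0e61697fbdc0ff2f84'
}

# 1. Verify the download before extracting it (same check as the WinMD5 step).
$name = Split-Path -Leaf $PatchZip
if (-not $ExpectedMd5.ContainsKey($name)) { throw "No known MD5 for $name" }
$actual = (Get-FileHash -Path $PatchZip -Algorithm MD5).Hash.ToLower()
if ($actual -ne $ExpectedMd5[$name]) {
    throw "MD5 mismatch for $name (got $actual). Do NOT install; contact support."
}
Write-Host "Checksum OK for $name"

# 2. After copying the files, confirm the new scripts are in place.
$required = 'Scripts\jquery-3.3.1.min.js',
            'Scripts\jquery-migrate-3.0.1.min.js',
            'Scripts\jquery-ui-i18n.min.js'
foreach ($rel in $required) {
    if (-not (Test-Path (Join-Path $SiteRoot $rel))) {
        Write-Warning "Missing expected file: $rel"
    }
}

# 3. Confirm the old libraries are gone and that no page, control or script
#    still references them. A hit here usually means a customization or
#    plug-in that must be reviewed for jQuery 3 compatibility before going live.
$oldNames = 'jquery-1.10.2.min.js', 'jquery-1.6.4.min.js'
foreach ($old in $oldNames) {
    Get-ChildItem -Path $SiteRoot -Recurse -Filter $old |
        ForEach-Object { Write-Warning "Old jQuery still present: $($_.FullName)" }
}
$pattern = ($oldNames | ForEach-Object { [regex]::Escape($_) }) -join '|'
Get-ChildItem -Path $SiteRoot -Recurse -Include *.aspx,*.ascx,*.master,*.cs,*.js,*.html |
    Select-String -Pattern $pattern |
    ForEach-Object { "$($_.Path):$($_.LineNumber): $($_.Line.Trim())" }
```

Run it once against the downloaded zip before extracting, and again after step 6; any output from step 3 is a file to fix before the site goes back into service.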