Path-Based Cross-Site Scripting (XSS) Failure
Release Date: 10/11/2017
Summary: This patch fixes some security issues and is necessary for PCI compliance.
A PCI scanning service has identified some issues in AbleCommerce Gold relating to security. All versions of AbleCommerce Gold are at risk and should be patched. These are mandatory changes for PCI compliance.
ISSUES FIXED IN THIS PATCH
Cross-Site Scripting (XSS) Failure
In the path-based variant the requested URL path is written back into the page (for example, in an error or "not found" message) without HTML encoding, so a victim who opens a crafted link runs attacker-supplied script in the context of the store.
Cross-Site Request Forgery (CSRF)
If a state-changing request (for example, a form that updates account or order data) carries no anti-forgery token bound to the user's session, a third-party page can make the victim's browser submit that request with the victim's cookies attached, so the operation is vulnerable to a Cross-Site Request Forgery (CSRF) attack.
Blind SQL injection vulnerability
When a web application places user-supplied input directly into SQL queries instead of passing it as a bound parameter (or at least validating its type and content), an attacker can alter the structure of the query. This is a SQL injection attack. In the blind variant the application returns no query results or database error text; the attacker instead infers data one true/false (or timing) answer at a time from differences in the response.
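The three classes above, as an added example in Python that is not part of this advisory or of the AbleCommerce code base: a 404 body that echoes the request path unencoded beside the encoded version, a state-changing handler that rejects requests without a session-bound anti-forgery token, and a product lookup that concatenates its id into SQL beside the parameterized fix, with a boolean-based blind extraction routine run against both to show why the fix matters. The tables, rows, handler names and the "admin"/"s3cret" credential are all constructed for the example.

```python
import hmac
import html
import secrets
import sqlite3

# ---- 1. Path-based (reflected) XSS ----------------------------------------
def not_found_body(request_path, encode=True):
    """Build a 404 page that echoes the requested path.

    With encode=False the raw path is written into the HTML, so a path such as
    /shop/<script>...</script> executes in the victim's browser (path-based XSS).
    html.escape() turns <, >, &, " and ' into entities so the path is shown as text.
    """
    shown = html.escape(request_path, quote=True) if encode else request_path
    return "<p>The page %s was not found.</p>" % shown


# ---- 2. Cross-Site Request Forgery ----------------------------------------
def issue_csrf_token(session):
    """Create a random anti-forgery token bound to this session and return it,
    so the server can embed it as a hidden field in every state-changing form."""
    session["csrf"] = secrets.token_hex(16)
    return session["csrf"]


def update_address(session, form):
    """State-changing handler (hypothetical): refuses the request unless the
    submitted token matches the session's token (constant-time comparison)."""
    expected = session.get("csrf")
    supplied = form.get("csrf", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403, "missing or invalid anti-forgery token"
    session["address"] = form.get("address", "")
    return 200, "address updated"


# ---- 3. Blind SQL injection ------------------------------------------------
def make_db():
    """Constructed sample data: a small catalogue and a users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER, name TEXT, visible INTEGER)")
    db.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)",
                   [(1, "Widget", 1), (2, "Gadget", 0)])
    db.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return db


def product_visible_vulnerable(db, product_id):
    """Concatenates the user-supplied id into the query. The caller only learns
    'found' or 'not found', which is all a blind attacker needs."""
    sql = "SELECT 1 FROM products WHERE visible = 1 AND id = " + product_id
    return db.execute(sql).fetchone() is not None


def product_visible_fixed(db, product_id):
    """Validates the type and binds the value as a parameter, so the input can
    never change the structure of the query."""
    try:
        pid = int(product_id)
    except ValueError:
        return False
    row = db.execute(
        "SELECT 1 FROM products WHERE visible = 1 AND id = ?", (pid,)).fetchone()
    return row is not None


def blind_extract_password(oracle, length,
                           alphabet="abcdefghijklmnopqrstuvwxyz0123456789"):
    """Boolean-based blind extraction: each probe appends a condition on one
    character of the admin password and reads the yes/no answer from the oracle."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            probe = ("1 AND substr((SELECT pw FROM users WHERE name = 'admin'), %d, 1) = '%s'"
                     % (pos, ch))
            if oracle(probe):
                recovered += ch
                break
        else:
            break  # no character matched at this position: stop rather than guess
    return recovered


if __name__ == "__main__":
    db = make_db()
    print(not_found_body("/shop/<script>alert(1)</script>", encode=False))
    print(not_found_body("/shop/<script>alert(1)</script>"))
    print(blind_extract_password(lambda p: product_visible_vulnerable(db, p), 6))
    print(repr(blind_extract_password(lambda p: product_visible_fixed(db, p), 6)))
```

Against the concatenating lookup the extraction routine recovers the full password from nothing but "found"/"not found" answers; against the parameterized lookup every probe fails type validation and it recovers nothing. The same three properties (output encoding of anything echoed from the URL, a session-bound anti-forgery token on state-changing requests, bound parameters for all SQL) are what to look for when reviewing the web.config, global.asax and master layout changes in the patch for the WAP version.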
The provided patches are for specific builds of AbleCommerce. Before installing, make sure your installation is at the same build number listed below.
WAP Version - The patches are available for the WSP (Web Site Project) version only. If you are using the WAP (Web Application Project) version, review the changes in the patch and apply them to your version by hand. The changes are confined to web.config, global.asax, and the master layout files.
TO VERIFY THE DOWNLOAD:
a. Go to WinMD5.com or any other utility that can provide checksum validation.
b. Download and Run the utility.
c. Select the downloaded file.
d. In the field provided, paste the original MD5 value from the AbleCommerce help site, and click Verify.
e. If the validation fails, do NOT install the patch. Instead, contact support for help.
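The same check scripted, as an added example that is not part of this advisory: the file is hashed in chunks, the published value is normalized (case and whitespace ignored) and validated as 32 hex characters, and the two are compared. The sample bytes, their MD5, and the temporary file standing in for the downloaded patch are constructed for the example.

```python
import hashlib
import hmac
import os
import tempfile


def file_md5(path, chunk_size=1 << 20):
    """Hex MD5 of a file, read in chunks so a large patch archive is not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published_md5):
    """True only if the file's MD5 equals the value published on the help site.

    Case and surrounding whitespace in the published value are ignored. A value
    that is not 32 hex characters is a copy/paste error, not a mismatch, so it
    raises instead of silently returning False.
    """
    expected = published_md5.strip().lower()
    if len(expected) != 32 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("published MD5 is not a 32-character hex string")
    return hmac.compare_digest(file_md5(path), expected)


# Constructed stand-in for the download and its published checksum.
SAMPLE_BYTES = b"The quick brown fox jumps over the lazy dog"
SAMPLE_MD5 = "9E107D9D372BB6826BD81D3542A419D6"


def demo():
    """Write the sample to a temp file, verify it, corrupt it, verify again.
    Returns (result_before_corruption, result_after_corruption)."""
    fd, path = tempfile.mkstemp(suffix=".zip")
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_BYTES)
    try:
        good = verify_download(path, " " + SAMPLE_MD5 + "\n")
        with open(path, "ab") as f:
            f.write(b"x")  # simulate a truncated, corrupted or tampered download
        bad = verify_download(path, SAMPLE_MD5)
    finally:
        os.unlink(path)
    return good, bad


if __name__ == "__main__":
    print(demo())  # expected: (True, False)
```

On a Windows server the built-in `certutil -hashfile <file> MD5` or PowerShell's `Get-FileHash -Algorithm MD5 <file>` gives the same digest without installing a third-party tool. Note what the check does and does not prove: it detects a download that was corrupted in transit or altered on the mirror, but only if the reference value was obtained separately from the help site over HTTPS; a checksum copied from the same place as the file adds nothing.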
A division of Able Solutions Corporation - Vancouver, WA