Path-Based Cross-Site Scripting (XSS) Failure
Release Date: 10/11/2017
Summary: This patch fixes some security issues and is necessary for PCI compliance.
Update 11/8/17: This fix is now included in Service Release 2 for AbleCommerce Gold R12
Update 11/14/17: Prior to this day, the patch created for Gold R12 SR1 had some unused code. The differences are in Base.master.cs, and all differences are related to "AntiXsrfUserName" variable and related checks. This variable and it's related calculations are removed in the patch dated 11/14/17.
Note: the original patch dated 10/11/17 is still valid and only contains unused code. A new patch was produced that has this code removed, and it will now match the code for Gold R12 Service Release 2.
A PCI scanning service has identified some issues in AbleCommerce Gold relating to security. All versions of AbleCommerce Gold are at risk and should be patched. These are mandatory changes for PCI compliance.
ISSUES FIXED IN THIS PATCH
Cross-Site Scripting (XSS) Failure
Cross-Site Request Forgery (CSRF)
If an application's requests do not contain any token, the operation can be vulnerable to a Cross-Site Request Forgery (CSRF) attack.
Blind SQL injection vulnerability
When a web application uses user-supplied input parameters within SQL queries without first checking them for unexpected characters, it becomes possible for an attacker to manipulate the query. This type of attack is known as a SQL injection attack.
The provided patches are for specific builds of AbleCommerce. Before installing, make sure your installation is at the same build number listed below.
WAP Version - The patches are available for WSP version only. If you are using the WAP version, please review the changes and apply to your version accordingly. Changes are within the web.config, global.asax, and master layout files.
TO VERIFY THE DOWNLOAD:
a. Go to WinMD5.com or any other utility that can provide checksum validation.
b. Download and Run the utility.
c. Select the downloaded file.
d. In the field provided, past the original MD5 value provided by AbleCommerce help site, and click Verify.
e. If the validation fails, do NOT install the patch. Instead, contact support for help.
A division of Able Solutions Corporation - Vancouver, WA