Gold R10 SR1 - more detail on AC8-2918?

For general questions and discussions specific to the AbleCommerce GOLD ASP.Net shopping cart software.
jguengerich
Commodore (COMO)
Posts: 436
Joined: Tue May 07, 2013 1:59 pm

Post by jguengerich » Tue Sep 22, 2015 11:57 am

We run a heavily modified R5 site (w/ full source license), which makes it difficult to upgrade, so I try to keep an eye on the change logs for things I should double-check. Because of our modifications and implementation, many of the changes and new features don't affect us. However, I noticed the change log for R10 SR1 lists this item:

AC8-2918 High encryption.config has unprotected hash

Can anyone at AC give a little more detail about what the problem is and what code changes if any are required in the web site or the source code? (I don't have the source yet, but I have requested it as instructed in the SR1 help page).

BTW I already took care of "Security Risk in User.Migrate if admin user forgets to log-out during testing" when it came up on the forums.
Jay

Katie
AbleCommerce Admin
Posts: 2651
Joined: Tue Dec 02, 2003 1:54 am

Re: Gold R10 SR1 - more detail on AC8-2918?

Post by Katie » Tue Sep 22, 2015 12:30 pm

Hi Jay,

Thanks for your inquiry. I think the title of the bug report is somewhat misleading and I'll change it to avoid confusion or any worry.

To explain -

We've increased the protection of the encryption used in the hash file per PCI PA-DSS 3.1 standards. It's a secondary layer of protection using a built-in ASP.NET function to encrypt the hash used in the final encryption of the database data. Your server would already have to be completely violated for someone to get the hash and abuse it.

Please let me know if this explains enough. If not, I can have a developer give some additional information.

Thanks
Katie
Thank you for choosing AbleCommerce!

http://help.ablecommerce.com - product support
http://wiki.ablecommerce.com - developer support
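The kind of second-layer protection Katie describes, as an added example that is not AbleCommerce's own code: wrapping the key material kept in a file such as encryption.config with DPAPI (System.Security.Cryptography.ProtectedData), one of the built-in .NET functions for this purpose. Which function AbleCommerce actually uses is not stated in the thread, and the class name, the "dpapi:" prefix and the entropy value are this example's own assumptions.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (not AbleCommerce code). It wraps the stored key value
// with DPAPI in machine scope, so a copy of the key file taken off the server
// does not by itself yield a usable key; the file must be unwrapped on the
// same machine. Requires a reference to System.Security.dll on .NET Framework.
public static class KeyFileProtector
{
    // Marker so protected and legacy (plaintext) values can be told apart.
    private const string Prefix = "dpapi:";
    // Optional entropy: another process on the same machine must also know
    // this value to unwrap the key. Assumed constant; keep it out of the key file.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("encryption.config-v2");

    public static bool IsProtected(string stored) =>
        stored != null && stored.StartsWith(Prefix, StringComparison.Ordinal);

    // Takes the plaintext (base64) key value and returns the wrapped form.
    // Idempotent: an already protected value is returned unchanged.
    public static string Protect(string plainKeyBase64)
    {
        if (IsProtected(plainKeyBase64)) return plainKeyBase64;
        byte[] raw = Convert.FromBase64String(plainKeyBase64);
        byte[] wrapped = ProtectedData.Protect(raw, Entropy, DataProtectionScope.LocalMachine);
        Array.Clear(raw, 0, raw.Length);   // drop the plaintext copy promptly
        return Prefix + Convert.ToBase64String(wrapped);
    }

    // Reverses Protect; succeeds only on the machine that wrapped the value.
    public static byte[] Unprotect(string stored)
    {
        if (!IsProtected(stored))
            throw new InvalidOperationException("key file still holds an unprotected value");
        byte[] wrapped = Convert.FromBase64String(stored.Substring(Prefix.Length));
        return ProtectedData.Unprotect(wrapped, Entropy, DataProtectionScope.LocalMachine);
    }

    // One-time migration of a legacy key file in place (back the file up first).
    public static void ProtectFile(string path)
    {
        string stored = File.ReadAllText(path).Trim();
        if (IsProtected(stored)) return;
        File.WriteAllText(path, Protect(stored));
    }
}
```

A deployment check that follows from this: after upgrading, confirm the key file no longer contains the bare value, and that the application pool identity (not a broader account) is the only one that needs read access to it.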

jguengerich
Commodore (COMO)
Posts: 436
Joined: Tue May 07, 2013 1:59 pm

Re: Gold R10 SR1 - more detail on AC8-2918?

Post by jguengerich » Tue Sep 22, 2015 12:42 pm

So, if I follow the "code trail" starting on /Admin/Store/Security/EncryptionKey.aspx.cs, I should eventually find the change if I compare R5 source code to R10 SR1 source code?
Jay

Katie
AbleCommerce Admin
Posts: 2651
Joined: Tue Dec 02, 2003 1:54 am

Re: Gold R10 SR1 - more detail on AC8-2918?

Post by Katie » Tue Sep 22, 2015 12:55 pm

It looks like all changes for this issue are in the source for the CommerceBuilder.dll:

../CommerceBuilder/Configuration/EncryptionKeyManager.cs

Shopping Cart Admin
AbleCommerce Admin
Posts: 3055
Joined: Mon Dec 01, 2003 8:41 pm
Location: Vancouver, WA

Re: Gold R10 SR1 - more detail on AC8-2918?

Post by Shopping Cart Admin » Tue Sep 22, 2015 2:08 pm

BTW I already took care of "Security Risk in User.Migrate if admin user forgets to log-out during testing" when it came up on the forums.
The issue was introduced in R10, so you were good.
Thanks for your support

Shopping Cart Guru
AbleCommerce.com
Follow us on Facebook

jguengerich
Commodore (COMO)
Posts: 436
Joined: Tue May 07, 2013 1:59 pm

Re: Gold R10 SR1 - more detail on AC8-2918?

Post by jguengerich » Wed Sep 23, 2015 4:24 am

The issue was introduced in R10, so you were good.
Yeah, but I remember checking it anyway. I may have just put a comment in the code to remind me of the potential for a problem, or I may have implemented the R10 change and the fix.
Jay
