Gold R10 SR1 - more detail on AC8-2918?
Posted: Tue Sep 22, 2015 11:57 am
by jguengerich
We run a heavily modified R5 site (w/ full source license), which makes it difficult to upgrade, so I try to keep an eye on the change logs for things I should double-check. Because of our modifications and implementation, many of the changes and new features don't affect us. However, I noticed the change log for R10 SR1 lists this item:
AC8-2918 High encryption.config has unprotected hash
Can anyone at AC give a little more detail about what the problem is and what code changes if any are required in the web site or the source code? (I don't have the source yet, but I have requested it as instructed in the SR1 help page).
BTW I already took care of "Security Risk in User.Migrate if admin user forgets to log-out during testing" when it came up on the forums.
Re: Gold R10 SR1 - more detail on AC8-2918?
Posted: Tue Sep 22, 2015 12:30 pm
by Katie
Hi Jay,
Thanks for your inquiry. I think the title of the bug report is somewhat misleading and I'll change it to avoid confusion or any worry.
To explain -
We've increased the protection of the encryption used in the hash file per PCI PA-DSS 3.1 standards. It's a secondary layer of protection using a built-in ASP.NET function to encrypt the hash used in the final encryption of the database data. Your server would already have to be completely violated for someone to get the hash and abuse it.
Please let me know if this explains enough. If not, I can have a developer give some additional information.
Thanks
Katie
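An added example, not AbleCommerce's own EncryptionKeyManager code (the thread does not show what the SR1 change actually does): one way a key value kept in a config file can be wrapped with ASP.NET's built-in MachineKey.Protect, with a one-time upgrade of a legacy plaintext value. It assumes .NET 4.5 or later and an explicit <machineKey> element in web.config; the purpose string, prefix and class name are made up for the illustration.

```csharp
// Added example, not AbleCommerce code: wraps the key/hash value stored in a config
// file with MachineKey.Protect and upgrades a legacy plaintext value on first read.
// Assumes .NET 4.5+ and an explicit <machineKey> in web.config so the protected blob
// survives app-pool recycles and is readable by every node in a farm.
using System;
using System.IO;
using System.Text;
using System.Web.Security;

public static class EncryptionConfigProtector
{
    // Purpose string (made up for this example) binds the blob to this use; a blob
    // protected for a different purpose fails to unprotect.
    private const string Purpose = "ExampleStore.EncryptionKey.v1";
    private const string ProtectedPrefix = "protected:";

    // Value to write to the config file: prefix + base64 of the MachineKey-protected bytes.
    public static string Protect(string plainKey)
    {
        byte[] raw = Encoding.UTF8.GetBytes(plainKey);
        byte[] sealedBytes = MachineKey.Protect(raw, Purpose);
        return ProtectedPrefix + Convert.ToBase64String(sealedBytes);
    }

    // Accepts a legacy plaintext value or a protected one; returns the plaintext key.
    public static string Unprotect(string stored)
    {
        if (!stored.StartsWith(ProtectedPrefix, StringComparison.Ordinal))
            return stored; // legacy unprotected value from an older install
        byte[] sealedBytes = Convert.FromBase64String(stored.Substring(ProtectedPrefix.Length));
        // Throws CryptographicException if the blob was tampered with or the machineKey differs.
        byte[] raw = MachineKey.Unprotect(sealedBytes, Purpose);
        return Encoding.UTF8.GetString(raw);
    }

    // Reads the key file and, if the value is still plaintext, rewrites it in protected form.
    public static string LoadAndUpgrade(string path)
    {
        string stored = File.ReadAllText(path).Trim();
        string key = Unprotect(stored);
        if (!stored.StartsWith(ProtectedPrefix, StringComparison.Ordinal))
            File.WriteAllText(path, Protect(key)); // one-time migration of a legacy file
        return key;
    }
}
```

As Katie notes above, this is a secondary layer: anyone who can read both the key file and the machineKey from web.config can still recover the value, so file ACLs on both files remain the primary control.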
Re: Gold R10 SR1 - more detail on AC8-2918?
Posted: Tue Sep 22, 2015 12:42 pm
by jguengerich
So, if I follow the "code trail" starting on /Admin/Store/Security/EncryptionKey.aspx.cs, I should eventually find the change if I compare R5 source code to R10 SR1 source code?
Re: Gold R10 SR1 - more detail on AC8-2918?
Posted: Tue Sep 22, 2015 12:55 pm
by Katie
It looks like all changes for this issue are in the source for the CommerceBuilder.dll:
../CommerceBuilder/Configuration/EncryptionKeyManager.cs
Re: Gold R10 SR1 - more detail on AC8-2918?
Posted: Tue Sep 22, 2015 2:08 pm
by Shopping Cart Admin
BTW I already took care of "Security Risk in User.Migrate if admin user forgets to log-out during testing" when it came up on the forums.
The issue was introduced in R10, so you were good.
Re: Gold R10 SR1 - more detail on AC8-2918?
Posted: Wed Sep 23, 2015 4:24 am
by jguengerich
The issue was introduced in R10, so you were good.
Yeah, but I remember checking it anyway. I may have just put a comment in the code to remind me of the potential for a problem, or I may have implemented the R10 change and the fix.