We run a heavily modified R5 site (w/ full source license), which makes it difficult to upgrade, so I try to keep an eye on the change logs for things I should double-check. Because of our modifications and implementation, many of the changes and new features don't affect us. However, I noticed the change log for R10 SR1 lists this item:
AC8-2918 High encryption.config has unprotected hash
Can anyone at AC give a little more detail about what the problem is and what code changes if any are required in the web site or the source code? (I don't have the source yet, but I have requested it as instructed in the SR1 help page).
BTW I already took care of "Security Risk in User.Migrate if admin user forgets to log-out during testing" when it came up on the forums.
Gold R10 SR1 - more detail on AC8-2918?
- Commodore (COMO)
- Posts: 436
- Joined: Tue May 07, 2013 1:59 pm
Re: Gold R10 SR1 - more detail on AC8-2918?
Hi Jay,
Thanks for your inquiry. I think the title of the bug report is somewhat misleading and I'll change it to avoid confusion or any worry.
To explain -
We've increased the protection of the encryption used in the hash file per PCI PA-DSS 3.1 standards. It's a secondary layer of protection using a built-in ASP.NET function to encrypt the hash used in the final encryption of the database data. Your server would already have to be completely violated for someone to get the hash and abuse it.
Please let me know if this explains enough. If not, I can have a developer give some additional information.
Thanks
Katie
Thank you for choosing AbleCommerce!
http://help.ablecommerce.com - product support
http://wiki.ablecommerce.com - developer support
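To make the "secondary layer" concrete for anyone auditing their own modified source: the added example below is not AbleCommerce code and does not show what EncryptionKeyManager.cs actually does. It shows the general pattern Katie describes, wrapping a stored key with the built-in Windows DPAPI wrapper (System.Security.Cryptography.ProtectedData) before it goes to disk, plus the check a site owner can run after an upgrade to confirm the stored value is no longer the raw key. The file name, the entropy string, the key length and the base64 file layout are assumptions made for this illustration.

```csharp
// Added illustration, not AbleCommerce code. Wraps a database encryption key at rest
// with DPAPI (ProtectedData) and provides a post-upgrade check that the key file no
// longer holds the raw key. File name, entropy value and layout are assumptions.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static class KeyFileProtector
{
    // Optional entropy mixed into the DPAPI derivation: a blob copied off this machine
    // also needs this value before it can be unprotected. Placeholder for the example;
    // in a real deployment it should live outside the key file itself.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-entropy-placeholder");

    // LocalMachine scope lets the IIS application pool identity unprotect the blob,
    // which a web application needs; CurrentUser would tie the blob to one account.
    private const DataProtectionScope Scope = DataProtectionScope.LocalMachine;

    public static byte[] Protect(byte[] rawKey)
    {
        return ProtectedData.Protect(rawKey, Entropy, Scope);
    }

    public static byte[] Unprotect(byte[] blob)
    {
        return ProtectedData.Unprotect(blob, Entropy, Scope);
    }

    // One-time migration of a key file that still holds the raw key as base64:
    // read it, wrap it, and overwrite the file with the protected blob.
    public static void ProtectExistingFile(string path)
    {
        byte[] raw = Convert.FromBase64String(File.ReadAllText(path).Trim());
        try
        {
            File.WriteAllText(path, Convert.ToBase64String(Protect(raw)));
        }
        finally
        {
            Array.Clear(raw, 0, raw.Length); // don't keep the raw key around longer than needed
        }
    }

    // Post-upgrade check: does the file contain a DPAPI blob, or still the raw key?
    // Unprotect throws CryptographicException for data that was never protected.
    public static bool IsProtected(string path)
    {
        byte[] content;
        try
        {
            content = Convert.FromBase64String(File.ReadAllText(path).Trim());
        }
        catch (FormatException)
        {
            return false; // not even valid base64, so certainly not a protected blob
        }
        try
        {
            byte[] key = Unprotect(content);
            Array.Clear(key, 0, key.Length);
            return true;
        }
        catch (CryptographicException)
        {
            return false;
        }
    }

    // What the application's data-encryption layer would call to obtain the key.
    public static byte[] LoadKey(string path)
    {
        return Unprotect(Convert.FromBase64String(File.ReadAllText(path).Trim()));
    }

    private static bool SameBytes(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        // Constructed sample: a fresh 256-bit key written the old way (raw, base64).
        string path = Path.Combine(Path.GetTempPath(), "encryption.config.example");
        byte[] key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        File.WriteAllText(path, Convert.ToBase64String(key));
        Console.WriteLine("before migration, protected: " + IsProtected(path));

        ProtectExistingFile(path);
        Console.WriteLine("after migration, protected:  " + IsProtected(path));

        byte[] loaded = LoadKey(path);
        Console.WriteLine("round trip ok: " + SameBytes(key, loaded));
        File.Delete(path);
    }
}
```

On .NET Framework this needs a reference to System.Security.dll; on .NET 6 and later it needs the System.Security.Cryptography.ProtectedData package and runs on Windows only. Note what this layer does and does not buy you, which matches Katie's framing: a blob protected with LocalMachine scope can be unprotected by any process on that server that can read the file and knows the entropy, so file ACLs on the key file and on the web.config still carry the primary protection; the DPAPI wrap mainly stops a copied file (backup, source-control checkin, database dump) from being useful elsewhere.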
- Commodore (COMO)
- Posts: 436
- Joined: Tue May 07, 2013 1:59 pm
Re: Gold R10 SR1 - more detail on AC8-2918?
So, if I follow the "code trail" starting on /Admin/Store/Security/EncryptionKey.aspx.cs, I should eventually find the change if I compare R5 source code to R10 SR1 source code?
Jay
Re: Gold R10 SR1 - more detail on AC8-2918?
It looks like all changes for this issue are in the source for the CommerceBuilder.dll:
../CommerceBuilder/Configuration/EncryptionKeyManager.cs
Thank you for choosing AbleCommerce!
http://help.ablecommerce.com - product support
http://wiki.ablecommerce.com - developer support
- Shopping Cart Admin
- AbleCommerce Admin
- Posts: 3055
- Joined: Mon Dec 01, 2003 8:41 pm
- Location: Vancouver, WA
Re: Gold R10 SR1 - more detail on AC8-2918?
> BTW I already took care of "Security Risk in User.Migrate if admin user forgets to log-out during testing" when it came up on the forums.

The issue was introduced in R10, so you were good.
- Commodore (COMO)
- Posts: 436
- Joined: Tue May 07, 2013 1:59 pm
Re: Gold R10 SR1 - more detail on AC8-2918?
> The issue was introduced in R10, so you were good.

Yeah, but I remember checking it anyway. I may have just put a comment in the code to remind me of the potential for a problem, or I may have implemented the R10 change and the fix.
Jay