Important Notice from AspDotNetStorefront
It is with dismay that we report that we have been forced, through the action of hackers, to shut off write-access to this forum. We are keen to leave the wealth of material available to you for research. We have opened a new forum from which our community of users can seek help, support and advice from us and from each other. To post a new question to our community, please visit: http://forums.vortx.com

Thread: Security Update Released

  1. #1
    Rob is offline Senior Member
    Join Date
    Aug 2004
    Posts
    3,037

    Security Update Released

    A critical security vulnerability has been identified and corrected in AspDotNetStorefront ML, ML/64, PRO, and Standard versions 7.0.1.3 through 7.0.2.5.

    In response, we have released 7.0.2.5 Service Pack 1 as of 05/07/2008 which contains fixes for the vulnerability as well as other functionality updates.

    While there are no confirmed reports of the vulnerability being exploited, it is critical that all customers using affected versions of AspDotNetStorefront update to the 7.0.2.5 Service Pack 1 build as soon as possible to ensure their AspDotNetStorefront website continues to operate safely and securely.

    Affected Versions:

    * AspDotNetStorefront ML v7.0.1.3 – v7.0.2.5
    * AspDotNetStorefront ML/64 v7.0.2.5
    * AspDotNetStorefront PRO v7.0.2.1
    * AspDotNetStorefront STANDARD v7.0.2.1

    Customers may download version 7.0.2.5 (which contains the service pack 1 updates) from their MyLicenses page at http://www.aspdotnetstorefront.com/mylicenses.aspx.

    Due to the nature of the update, it is not possible to release patches for previous versions of the software.

    Customers using heavily customized versions of AspDotNetStorefront should contact our support department at support@aspdotnetstorefront.com or via https://support.aspdotnetstorefront.com. To ensure timely responses, please include your website’s URL and your AspDotNetStorefront order number.

    For the protection of our customers, AspDotNetStorefront as a matter of policy and safety does not disclose details regarding any security vulnerability, and any requests for specific details will not be answered. We appreciate your understanding.

    Sincerely,
    The AspDotNetStorefront Team

    Important notice to customers using versions prior to 7.0

    AspDotNetStorefront is no longer releasing updates of any kind for versions of AspDotNetStorefront prior to version 7.0. Versions released prior to version 7.0, released on November 24th, 2006, are not VISA PABP certified, and as such, customers using these older versions may soon be in violation of payment card industry requirements if they do not update their sites to v7.0 releases. It is therefore recommended that customers using versions 6.2 or earlier contact our sales department to discuss upgrade options. Sales can be reached Monday through Friday, 9am - 8pm Eastern Time.
    Last edited by Rob; 05-08-2008 at 08:13 PM.
    AspDotNetStorefront
    Shopping Cart

  2. #2
    BothWorldsJo is offline Member
    Join Date
    Oct 2005
    Posts
    64

    VB Version Available?

    Hi!

    Is the vb version that is linked as a download on the products page also the updated, fixed version?
    Jo

  3. #3
    Rob is offline Senior Member
    Join Date
    Aug 2004
    Posts
    3,037


    yes. both C# and VB were updated. thx.
    AspDotNetStorefront
    Shopping Cart

  4. #4
    Alkaline is offline Senior Member
    Join Date
    May 2006
    Posts
    459


    What about all the customers that have modified carts? Are they supposed to be forced to upgrade and lose customizations?

    We are in a situation where we require a patch for 7.20, it has heavy modifications and an upgrade to 7.1 is not something that we can do. What is the best option for other clients in the same situation?

    Also, if you have the source code agreement, can you download the latest version and apply the patch or make a patch yourselves for previous versions?

  5. #5
    Rob is offline Senior Member
    Join Date
    Aug 2004
    Posts
    3,037


    Customers with mods must apply the security patches into prior versions if needed, if that is what you prefer to do. The other way is to move the mods into v7.1 now also, and sometimes, that's preferred. You will have to decide based on your own knowledge of the mods done, how they were done, etc.

    Contact support for instructions.
    Last edited by Rob; 05-14-2008 at 12:43 PM.
    AspDotNetStorefront
    Shopping Cart

  6. #6
    Alkaline is offline Senior Member
    Join Date
    May 2006
    Posts
    459


    Alright cool,

    so we can apply the security update to older versions then

  7. #7
    ASPDNSF Staff - Jon is offline Senior Member
    Join Date
    Sep 2004
    Posts
    11,419


    Originally posted by Alkaline:
    > We are in a situation where we require a patch for 7.20

    The patch is for versions listed specifically in the original post.
    Jon Wolthuis

  8. #8
    mldesanctis is offline Junior Member
    Join Date
    Mar 2008
    Posts
    4

    Seriously?

    This is extremely unreasonable. You're saying that if we have modified versions, that we need to contact support. Then support says no, you didn't pay for the source code.

    Why can we not get a detailed list of what is being done to OUR software?

    The SP1 pdf has a list of 11 changes. Do I really need to delete 5000+ files to fix these? I don't want to delete over 5000 files only to upload 4999 files that are identical with one changed file. Why can't we have a list of the updated files so that we can just copy in the new files?

    The readme talks about running scripts on databases as far back as 6.2. Do we NEED to run scripts on the database if we are already running 7.0.2.5?

    Is the BuySafe fix (AspDotNetStorefrontGateways.dll) included in the update, or do I need to copy the DLL you sent me over the one in the upgrade?

    You had me change code related to shipping. If you want to use FedEx ShipManager to manage FedEx shipments, then it removes the ability for you to process shipments through other carriers (DHL, UPS, USPS...). Is this fix in the upgrade?

    And finally, do I need to upgrade at all if I already have 7.0.2.5? If so, why is the update not called 7.0.2.6 or 7.0.2.5.1? The readme, that you say we should read, has no pertinent information for anyone running anything earlier than 6.2.

  9. #9
    Jesse is offline Banned
    Join Date
    May 2008
    Posts
    1,329


    There are a few issues being discussed, so I will attempt to answer them one at a time.

    > This is extremely unreasonable. You're saying that if we have modified versions, that we need to contact support. Then support says no, you didn't pay for the source code.

    If you didn't pay for the source code, and you don't have the source code, modifications to your site will not be affected by the upgrade. The instructions in the provided PDF do explain the process for saving your skins and xmlpackages.

    > Why can we not get a detailed list of what is being done to OUR software?

    You, like most other customers, wouldn't want us to release specific details of the vulnerabilities in question. There are those who for malicious reasons would attempt to exploit said vulnerabilities if they knew what they were. We therefore do not release this information.

    > The readme talks about running scripts on databases as far back as 6.2. Do we NEED to run scripts on the database if we are already running 7.0.2.5?

    Yes, you do. Some of the changes are changes to the database.

    > Is the BuySafe fix (AspDotNetStorefrontGateways.dll) included in the update, or do I need to copy the DLL you sent me over the one in the upgrade?

    I have no idea what fix you are referring to, but if you would submit a support ticket with that information we should be able to let you know. Chances are it is included, but there is no way to know for sure until I can determine what fix you're referring to.

    > You had me change code related to shipping. If you want to use FedEx ShipManager to manage FedEx shipments, then it removes the ability for you to process shipments through other carriers (DHL, UPS, USPS...). Is this fix in the upgrade?

    Again, if you have no source code I cannot attest to what code you have changed.

    > And finally, do I need to upgrade at all if I already have 7.0.2.5? If so, why is the update not called 7.0.2.6 or 7.0.2.5.1? The readme, that you say we should read, has no pertinent information for anyone running anything earlier than 6.2.

    Of course you do not need to upgrade at all. Your software will not self-destruct. However the security issue was critical enough to warrant the company putting out a hotfix to immediately address the issue. To deny this fix would be done at your own risk. This security update was considered a service pack and therefore revisioning was not necessary.

    If you feel like this fix is going to screw up your website or storefront, you can always do as the upgrade knowledgebase article suggests. Unpack it to an external folder. Afterwards, you can do a /diff on the files in question, determine exactly which ones have been changed, and only migrate those. Again, without source code, there really isn't a whole lot of "customization" that could be ruined.

    Thanks,
    Last edited by Jesse; 05-15-2008 at 04:13 PM.
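
The "unpack to an external folder and diff" step from post #9, as an added example that is not part of the original thread or the vendor's tooling: it hashes the deployed site and the unpacked update and lists which files the update changes, which it adds, and which exist only on the live site. The helper names and the sample file names are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file's path (relative to root) to the SHA-256 of its contents."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            # Windows/IIS paths are case-insensitive, so compare lower-cased keys.
            digests[path.relative_to(root).as_posix().lower()] = h.hexdigest()
    return digests


def compare_trees(deployed, update):
    """Classify files by comparing the live site against the unpacked update."""
    old, new = hash_tree(deployed), hash_tree(update)
    return {
        # Same path, different content: these are what the update touches.
        "changed": sorted(p for p in new if p in old and new[p] != old[p]),
        # Shipped by the update but absent from the live site.
        "added": sorted(p for p in new if p not in old),
        # Present only on the live site: local customizations to preserve.
        "only_deployed": sorted(p for p in old if p not in new),
    }


def build_sample(root, files):
    """Write a constructed file tree used for the demonstration."""
    for rel, data in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        live, unpacked = Path(tmp) / "live", Path(tmp) / "unpacked"
        # Constructed sample trees; real paths come from your own site and download.
        build_sample(live, {"Default.aspx": b"v1", "bin/Storefront.dll": b"old"})
        build_sample(unpacked, {"default.aspx": b"v1", "bin/Storefront.dll": b"new"})
        for kind, paths in compare_trees(live, unpacked).items():
            print(kind, paths)
```

Content hashes catch files whose size and timestamp are unchanged, and the `only_deployed` list is what to review before overwriting anything.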

  10. #10
    bigdoggy99 is offline Junior Member
    Join Date
    May 2008
    Posts
    3

    7.0.0.4

    I have a store running version 7.0.0.4... Do I need to run this patch??

  11. #11
    Jesse is offline Banned
    Join Date
    May 2008
    Posts
    1,329


    The patch is specific to versions 7.0.1.3 and higher. However, there have been literally hundreds of changes and enhancements to the software since 7.0.0.4, and you should highly consider upgrading if you can do it.
    Last edited by Rob; 05-29-2008 at 08:48 PM.

  12. #12
    bigdoggy99 is offline Junior Member
    Join Date
    May 2008
    Posts
    3

    Smile

    Well,

    My upgrade license has expired, but the client really likes the 7.0.0.4 release... it is very stable and works fine for them (never had any complaints). Their shop has been running without any issues for over a year (at least).

    The next shopping cart site I do, I will purchase the latest version... I just wanted to make sure that my client didn't need to be patched... thanks for the quick response.