This page lists known security vulnerabilities in Aptify e-Business that could apply to your installation. If you are using Aptify e-Business, please review this page for information on these possible vulnerabilities and how to address them:


The information on this page is cross-posted in Aptify's Freshdesk instance here: https://aptify.freshdesk.com/support/solutions/folders/6000232121

Security Alert: Remove Sample XML Web Services If Not Using Them

...

Security Alert: Confirm that your site does not allow Web Users to Login with Blank Passwords

Date Updated: February 19, 2018

Certain e-Business sites may allow a Web User to log in without providing a password.

This can occur when all of the following are true:

  • Your Web User passwords use the original two-way encryption methodology and not One Way Hash Encryption
  • Your login control is missing an update that prevents blank passwords
  • Your EBusinessLogin.dll in your e-Business site's Bin folder is not version 5.5.2.100, 5.5.3.100 or 5.5.5.1

Follow these steps to determine if this applies to your site:

  1. Locate the user name for one of the Web Users on your e-Business site.
  2. Browse to the login page of the production e-Business site.
  3. Enter the user name from Step 1 and click the login button (while leaving the password field blank).

If the login is successful, review Hotfix RES-458 and Issue 23315 to update your site to prevent this situation. The hotfix package is ready for download on the Aptify FTP site in the Version50\APTIFY_555 folder. The file name is Hotfix RES-458 for Ebiz on Aptify 5.5.5 and 5.5.6.zip.

For reference, this hotfix package includes the previous Global hotfix release (APTIFY_EBIZ_552_553_ISSUE_23315_GLOBAL_HOTFIX.zip). Here is the original description of the problem from Issue 23315’s hotfix:

Currently in Aptify e-Business 5.5.2 and 5.5.3, there is a situation where an individual may be able to log in to an e-Business site with a user account name without providing a password. This problem can occur under the following conditions:

  • Your e-Business installation was upgraded from a prior release to e-Business 5.5.2 or 5.5.3.
  • Your e-Business installation is not using one way hash encryption for Web User passwords, but uses the pre-existing two way encryption. (One way hash encryption was introduced in e-Business 5.5.2.)
  • Your e-Business Login control was not updated with the changes made to the control between e-Business 5.5.1 and e-Business 5.5.2.

This hotfix provides an updated EbusinessLogin.dll (one for e-Business 5.5.2 and one for e-Business 5.5.3) that explicitly prevents attempts to login with no password under the conditions described above. In addition, this hotfix outlines additional changes to consider for your e-Business installation.

Contact Aptify Support if you have any questions about this alert.

Sitefinity Users: You May Need to Apply the Telerik.Web.UI.dll Patch from September 2017

Date Updated: February 19, 2018

In September 2017, Progress notified Sitefinity license holders of security vulnerabilities identified in Sitefinity CMS and provided a patch to Telerik.Web.UI.dll to address the vulnerabilities.

If you are using Sitefinity version 5.x to 10.x and have not already applied the update, see this article for details:

https://knowledgebase.progress.com/articles/Article/resolving-security-vulnerability-cve-2017-9248?utm_medium=email&elqTrackId=f55cb8a5d6df47acac01f44de2c84bb5&elq=e2623f0e0e1d482a8dbcbc1dadcd3fad&elqaid=13200&elqat=1&elqCampaignId=14465

Please contact Aptify Support if you have any questions about this update with regard to Aptify e-Business. Otherwise, please contact Sitefinity if you have specific questions about the vulnerabilities.

Security Alert: SQL Injection Vulnerability in Profile Control

Date Updated: February 19, 2018

Aptify has identified a SQL injection vulnerability in the code-behind for the baseline Profile control.

The lnkCheckAvailable_Click() function, which checks whether a username is available when creating a new user account, runs a simple SQL query against the database.

Aptify has made available a hotfix that updates the function to use a parameterized statement instead, which prevents a possible SQL injection.

The hotfix includes steps for updating your version of the Profile control to modify the function. This is the preferred approach since many clients have modified the profile control based on their individual site requirements. For reference, the hotfix also includes updated e-Business 5.5.3 baseline versions of the Profile.ascx.vb file for the ASP.NET starter site (in the ASP.NET Profile Control folder) and for the Sitefinity starter site (in the Sitefinity Profile Control folder).
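The following is an added illustration, not code from the Aptify hotfix or from Profile.ascx.vb, of the change the hotfix describes: the availability check rewritten as a parameterized SqlCommand, with the string-building pattern it replaces shown alongside for comparison. The table and column names (WebUsers, UserName), the connection string, and the control names txtUserName and lblAvailability are assumptions.

```vb
' Added example (not Aptify's code). Table/column names, ConnString and the
' control fields are assumed; only lnkCheckAvailable_Click comes from the advisory.
Imports System
Imports System.Data
Imports System.Data.SqlClient
Imports System.Web.UI.WebControls

Public Class ProfileAvailabilityCheck
    Inherits System.Web.UI.UserControl

    ' Stand-ins for the controls the designer file would normally declare.
    Protected txtUserName As New TextBox()
    Protected lblAvailability As New Label()
    Private ReadOnly ConnString As String = "<connection string placeholder>"

    ' Vulnerable pattern: the username is spliced into the SQL text, so any
    ' SQL syntax inside it becomes part of the statement the server executes.
    Public Shared Function BuildUnsafeQuery(userName As String) As String
        Return "SELECT COUNT(*) FROM WebUsers WHERE UserName = '" & userName & "'"
    End Function

    ' Hardened version: the SQL text is a constant and the username travels as a
    ' typed, length-bounded parameter that SQL Server never parses as SQL.
    Public Shared Function IsUserNameAvailable(connectionString As String, userName As String) As Boolean
        Const sql As String = "SELECT COUNT(*) FROM WebUsers WHERE UserName = @UserName"
        Using conn As New SqlConnection(connectionString)
            Using cmd As New SqlCommand(sql, conn)
                cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 100).Value = userName
                conn.Open()
                Dim existing As Integer = CInt(cmd.ExecuteScalar())
                Return existing = 0
            End Using
        End Using
    End Function

    ' Handler shaped like the one named in the advisory, calling the hardened check.
    Protected Sub lnkCheckAvailable_Click(sender As Object, e As EventArgs)
        Dim requested As String = txtUserName.Text.Trim()
        ' Reject empty and over-long input before touching the database; the
        ' length bound matches the parameter size declared above.
        If requested.Length = 0 OrElse requested.Length > 100 Then
            lblAvailability.Text = "Enter a user name of 1 to 100 characters."
            Return
        End If
        If IsUserNameAvailable(ConnString, requested) Then
            lblAvailability.Text = "User name is available."
        Else
            lblAvailability.Text = "User name is already taken."
        End If
    End Sub
End Class
```

When applying the hotfix to a customized Profile control, the part to carry over is the constant query text plus the typed parameter; the surrounding handler logic can stay as your site has modified it.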

The hotfix is available on the Aptify FTP site in the Version50\eBusiness folder (filename: Hotfix RES-415 for e-Business 5.5.3.zip).