Symptoms
An update is available for Microsoft Commerce Server 2009 to fix the following issue in Commerce Server 2009.
When you use Commerce Server 2009 sample shopping sites (default site or contemporary site), the HTTP handler redirects the http requests to secure pages and redirects the https requests to nonsecure pages. A cross-site scripting (XSS) may occur during the client-side redirection.
For example, consider the following scenario. A client browser sends the following http request to the Commerce server:
http://<host name>/pages/<securepagename>.aspx?';alert(xss);
The client browser is redirected to the following page after the client-side JavaScript warning is run:
https://<host name>/pages/<securepagename>.aspx?
In this scenario, you experience a cross-site scripting (XSS) issue.
Note This issue also occurs in Commerce Server 2009 Extensibility Kit if you use Commerce Server 2009 Extensibility Kit to customize Commerce Server SharePoint Web Parts.
Resolution
Hotfix information
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website:
http://support.microsoft.com/contactus/?ws=supportNote The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
Prerequisites
To apply this hotfix, you must have Microsoft Commerce Server 2009 installed.
Restart requirement
You do not have to restart the computer after you apply this hotfix.
Hotfix replacement information
This hotfix does not replace any other hotfixes.
Post-installation steps
After you extract the hotfix package, you can obtain the following files and a source folder that has the Extensibility Kit and Default Site files:
-
CommerceServer2007SP3-KB2423489-ENU.exe
-
CS2009-KB2423489-x86.exe
-
Hotfix.txt
-
Extensibility Kit
-
Common\HttpModule\SecurePageModule.cs
-
UI\ProfilesSharePoint\Pages\CommerceLoginPage.aspx.cs
-
SharePointCommon\CrossSiteScriptingEncoder.cs
-
SharePointCommon\SharePointCommon.csproj
-
UI\Marketing\HttpHandlers\AdsRedir.ashx
-
Common\Controllers\MarketingController.cs
-
-
Default Site
-
MicrosoftCommerceWSSDefaultSite.wsp\SiteTemplates\WSSCSDefaultSite\ writeReview.aspx
-
MicrosoftCommerceMOSSDefaultSite.WSP\SiteTemplates\MOSSCSDefaultSite\ writeReview.aspx
-
Note You must use the local administrator account when you install this hotfix, or you must run the hotfix by using the Run as Administrator option. If you are running Windows Vista, Windows Server 2008, or a later operating system, and if User Account Control (UAC) is enabled, we recommend that you use the Run as Administrator option.
After you run the installation files, use the method that is described for one of the following scenarios.
Scenario 1
If no sites are deployed, follow these steps:
-
Install the following hotfix installers:
-
CommerceServer2007SP3-KB2423489-ENU.exe
-
CS2009-KB2423489-x86.exe
-
-
Run the IISRESET command.
-
Run the SharePoint Commerce Services Configuration Wizard to deploy the new site by using the following updated files:
-
MicrosoftCommerceWebParts.WSP
-
MicrosoftCommerceWSSDefaultSite.WSP
-
MicrosoftCommerceMOSSDefaultSite.WSP
-
Scenario 2
If some sites are deployed, follow these steps:
-
Install the following hotfix installers:
-
CommerceServer2007SP3-KB2423489-ENU.exe
-
CS2009-KB2423489-x86.exe
-
-
Deploy the updated Web solution package (WSP) file by using the following stsadm command:
stsadm -o upgradesolution -name microsoftcommercewebparts.wsp -filename MicrosoftCommerceWebParts.WSP -immediate -allowgacdeployment
-
Update the writeReview files that are located in the following folder in a typical installation of SharePoint 2007 and of Commerce Server 2009:
-
Microsoft Office SharePoint Server: <system drive>:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\SiteTemplates\MOSSCSDefaultSite
-
Windows SharePoint Services: <system drive>:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\SiteTemplates\WSSCSDefaultSite
-
-
Open SharePoint Designer, and on the File menu, click Open Site. In the Open Site dialog box, select the site that you want to change.
-
Highlight the file that is to be updated in <sitename>\pages\writeReview.aspx, right-click the file name, and then select Reset To Site Definition.
-
After the page that is in the content database is overwritten, click YES to continue.
-
The site displays the new file the next time that the page is loaded from the site.Â
Note If you do not follow the steps that are listed in Scenario2 to update the site, the site displays the old file when you reload it. -
Run the IISRESET command.
Scenario 3
If Web Parts are customized by using the CommerceSharePointExtensibilityKit tool, follow these steps:
-
Install the following hotfix installers:
-
CommerceServer2007SP3-KB2423489-ENU.exe
-
CS2009-KB2423489-x86.exe
-
-
Locate the updated source files in the hotfix package:
-
SecurePageModulecs that is located in Common\HttpModule\SecurePageModule.cs
-
CommerceLoginPage.aspx.cs that is located in UI\ProfilesSharePoint\Pages\CommerceLoginPage.aspx.cs
-
SharepPointCommon. Csproj that is located in SharePointCommon\SharepointCommon\SharePointCommon.csproj
-
AdsRedir.ashx that is located in UI\Marketing\HttpHandlers\AdsRedir.ashx
-
MarketingController.cs that is located in Common\Controllers\MarketingController.cs
-
SiteContext.cs that is located in Common\SiteContext.cs
-
-
If you customized any of these files, you have to merge the highlighted changes in the hotfix copy of the files into the copy that is located in the CommerceSharePointExtensibilityKit folder.
-
Locate the updated source file in the CrossSiteScriptingEncoder.cs folder.
-
Compile the Web Parts assemblies.
-
If the custom site also uses the writeReview.aspx from Commerce Server 2009 default site, you have to follow the steps that are listed in Scenario 2 to change the writeReview.aspx files, and you have to reset to site definition by using SharePoint Designer.
Note The CommerceSharePointExtensibilityKit folder is located in the following path:
<system drive>\Program Files\Microsoft Commerce Server 2007\Microsoft Commerce Server 2009\Sdk\Samples\CommerceSharePointExtensibilityKit.zip
File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
CommerceServer2007SP3-KB2423489-ENU.exe
|
File name |
File version |
File size |
Date |
Time |
Platform |
|---|---|---|---|---|---|
|
Microsoft.commerceserver.catalog.dll |
6.0.4171.29 |
961,336 |
05-Oct-2010 |
14:21 |
x86 |
|
Cs2009hotfixhelper.exe |
6.0.4171.29 |
13,080 |
07-Oct-2010 |
13:45 |
x86 |
|
Microsoft.catalogserver.dll |
6.0.4171.29 |
756,520 |
07-Oct-2010 |
13:45 |
x86 |
|
Microsoft.commerceserver.runtime.dll |
6.0.4171.29 |
850,744 |
07-Oct-2010 |
13:45 |
x86 |
CS2009-KB2423489-x86.exe
|
File name |
File version |
File size |
Date |
Time |
Platform |
|---|---|---|---|---|---|
|
Microsoft.commerce.providers.dll |
1.0.20123.28 |
685,944 |
25-Oct-2010 |
21:28 |
x86 |
|
Microsoftcommercemossdefaultsite.wsp |
Not applicable |
1,396,819 |
25-Oct-2010 |
21:49 |
Not applicable |
|
Microsoftcommercewebparts.wsp |
Not applicable |
699,083 |
25-Oct-2010 |
21:49 |
Not applicable |
|
Microsoftcommercewssdefaultsite.wsp |
Not applicable |
1,462,896 |
25-Oct-2010 |
21:49 |
Not applicable |
source.zip for Extensibility Kit Source files
|
File name |
File version |
File size |
Date |
Time |
Platform |
|---|---|---|---|---|---|
|
Sitecontext.cs |
Not Applicable |
20,778 |
25-Oct-2010 |
10:46 |
Not Applicable |
|
Marketingcontroller.cs |
Not Applicable |
9,652 |
25-Oct-2010 |
10:46 |
Not Applicable |
|
Securepagemodule.cs |
Not Applicable |
8,009 |
25-Oct-2010 |
10:46 |
Not Applicable |
|
Crosssitescriptingencoder.cs |
Not Applicable |
4,507 |
25-Oct-2010 |
10:46 |
Not Applicable |
|
Sharepointcommon.csproj |
Not Applicable |
7,813 |
25-Oct-2010 |
10:46 |
Not Applicable |
|
Adsredir.ashx |
Not Applicable |
1,304 |
25-Oct-2010 |
10:46 |
Not Applicable |
|
Commerceloginpage.aspx.cs |
Not Applicable |
14,694 |
25-Oct-2010 |
10:46 |
Not Applicable |
source.zip for Defaultsite Source files
|
File name |
File version |
File size |
Date |
Time |
Platform |
|---|---|---|---|---|---|
|
MicrosoftCommerceMOSSDefaultSite.WSP\SiteTemplates\MOSSCSDefaultSite\writeReview.aspx |
Not Applicable |
14,280 |
25-Oct-2010 |
09:52 |
Not Applicable |
|
MicrosoftCommerceWSSDefaultSite.wsp\SiteTemplates\WSSCSDefaultSite\writeReview.aspx |
Not Applicable |
16,339 |
25-Oct-2010 |
09:52 |
Not Applicable |
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
References
For more information about extensibility and customization, visit the following Microsoft Developer Network (MSDN) website:
