An update for Commerce Server 2009 is available to fix a potential cross-site scripting (XSS) issue in Commerce Server 2009

Applies to: Commerce Server 2009


An update is available for Microsoft Commerce Server 2009 to fix the following issue in Commerce Server 2009.

When you use Commerce Server 2009 sample shopping sites (default site or contemporary site), the HTTP handler redirects the http requests to secure pages and redirects the https requests to nonsecure pages. A cross-site scripting (XSS) may occur during the client-side redirection.

For example, consider the following scenario. A client browser sends the following http request to the Commerce server:
http://<host name>/pages/<securepagename>.aspx?';alert(xss);

The client browser is redirected to the following page after the client-side JavaScript warning is run:
https://<host name>/pages/<securepagename>.aspx?

In this scenario, you experience a cross-site scripting (XSS) issue.

Note This issue also occurs in Commerce Server 2009 Extensibility Kit if you use Commerce Server 2009 Extensibility Kit to customize Commerce Server SharePoint Web Parts.


Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.


To apply this hotfix, you must have Microsoft Commerce Server 2009 installed.

Restart requirement

You do not have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace any other hotfixes.

Post-installation steps

After you extract the hotfix package, you can obtain the following files and a source folder that has the Extensibility Kit and Default Site files:
  • CommerceServer2007SP3-KB2423489-ENU.exe
  • CS2009-KB2423489-x86.exe
  • Hotfix.txt
  • Extensibility Kit
    • Common\HttpModule\SecurePageModule.cs
    • UI\ProfilesSharePoint\Pages\CommerceLoginPage.aspx.cs
    • SharePointCommon\CrossSiteScriptingEncoder.cs
    • SharePointCommon\SharePointCommon.csproj
    • UI\Marketing\HttpHandlers\AdsRedir.ashx
    • Common\Controllers\MarketingController.cs
  • Default Site
    • MicrosoftCommerceWSSDefaultSite.wsp\SiteTemplates\WSSCSDefaultSite\ writeReview.aspx
    • MicrosoftCommerceMOSSDefaultSite.WSP\SiteTemplates\MOSSCSDefaultSite\ writeReview.aspx
Note You must use the local administrator account when you install this hotfix, or you must run the hotfix by using the Run as Administrator option. If you are running Windows Vista, Windows Server 2008, or a later operating system, and if User Account Control (UAC) is enabled, we recommend that you use the Run as Administrator option.

After you run the installation files, use the method that is described for one of the following scenarios.

Scenario 1

If no sites are deployed, follow these steps:
  1. Install the following hotfix installers:
    • CommerceServer2007SP3-KB2423489-ENU.exe
    • CS2009-KB2423489-x86.exe
  2. Run the IISRESET command.
  3. Run the SharePoint Commerce Services Configuration Wizard to deploy the new site by using the following updated files:
    • MicrosoftCommerceWebParts.WSP
    • MicrosoftCommerceWSSDefaultSite.WSP
    • MicrosoftCommerceMOSSDefaultSite.WSP
Scenario 2

If some sites are deployed, follow these steps:
  1. Install the following hotfix installers:
    • CommerceServer2007SP3-KB2423489-ENU.exe
    • CS2009-KB2423489-x86.exe
  2. Deploy the updated Web solution package (WSP) file by using the following stsadm command:
    stsadm -o upgradesolution -name microsoftcommercewebparts.wsp -filename MicrosoftCommerceWebParts.WSP -immediate -allowgacdeployment
  3. Update the writeReview files that are located in the following folder in a typical installation of SharePoint 2007 and of Commerce Server 2009:
    • Microsoft Office SharePoint Server: <system drive>:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\SiteTemplates\MOSSCSDefaultSite
    • Windows SharePoint Services: <system drive>:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\SiteTemplates\WSSCSDefaultSite
  4. Open SharePoint Designer, and on the File menu, click Open Site. In the Open Site dialog box, select the site that you want to change.
  5. Highlight the file that is to be updated in <sitename>\pages\writeReview.aspx, right-click the file name, and then select Reset To Site Definition.
  6. After the page that is in the content database is overwritten, click YES to continue.
  7. The site displays the new file the next time that the page is loaded from the site. 

    Note If you do not follow the steps that are listed in Scenario2 to update the site, the site displays the old file when you reload it.
  8. Run the IISRESET command.
Scenario 3

If Web Parts are customized by using the CommerceSharePointExtensibilityKit tool, follow these steps:
  1. Install the following hotfix installers:
    • CommerceServer2007SP3-KB2423489-ENU.exe
    • CS2009-KB2423489-x86.exe
  2. Locate the updated source files in the hotfix package:
    • SecurePageModulecs that is located in Common\HttpModule\SecurePageModule.cs
    • CommerceLoginPage.aspx.cs that is located in UI\ProfilesSharePoint\Pages\CommerceLoginPage.aspx.cs
    • SharepPointCommon. Csproj that is located in SharePointCommon\SharepointCommon\SharePointCommon.csproj
    • AdsRedir.ashx that is located in UI\Marketing\HttpHandlers\AdsRedir.ashx
    • MarketingController.cs that is located in Common\Controllers\MarketingController.cs
    • SiteContext.cs that is located in Common\SiteContext.cs
  3. If you customized any of these files, you have to merge the highlighted changes in the hotfix copy of the files into the copy that is located in the CommerceSharePointExtensibilityKit folder.
  4. Locate the updated source file in the CrossSiteScriptingEncoder.cs folder.
  5. Compile the Web Parts assemblies.
  6. If the custom site also uses the writeReview.aspx from Commerce Server 2009 default site, you have to follow the steps that are listed in Scenario 2 to change the writeReview.aspx files, and you have to reset to site definition by using SharePoint Designer.
Note The CommerceSharePointExtensibilityKit folder is located in the following path:
<system drive>\Program Files\Microsoft Commerce Server 2007\Microsoft Commerce Server 2009\Sdk\Samples\

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
File nameFile versionFile sizeDateTimePlatform

File nameFile versionFile sizeDateTimePlatform
Microsoftcommercemossdefaultsite.wspNot applicable1,396,81925-Oct-201021:49Not applicable
Microsoftcommercewebparts.wspNot applicable699,08325-Oct-201021:49Not applicable
Microsoftcommercewssdefaultsite.wspNot applicable1,462,89625-Oct-201021:49Not applicable for Extensibility Kit Source files
File nameFile versionFile sizeDateTimePlatform
Sitecontext.csNot Applicable20,77825-Oct-201010:46Not Applicable
Marketingcontroller.csNot Applicable9,65225-Oct-201010:46Not Applicable
Securepagemodule.csNot Applicable8,00925-Oct-201010:46Not Applicable
Crosssitescriptingencoder.csNot Applicable4,50725-Oct-201010:46Not Applicable
Sharepointcommon.csprojNot Applicable7,81325-Oct-201010:46Not Applicable
Adsredir.ashxNot Applicable1,30425-Oct-201010:46Not Applicable
Commerceloginpage.aspx.csNot Applicable14,69425-Oct-201010:46Not Applicable for Defaultsite Source files
File nameFile versionFile sizeDateTimePlatform
MicrosoftCommerceMOSSDefaultSite.WSP\SiteTemplates\MOSSCSDefaultSite\writeReview.aspxNot Applicable14,28025-Oct-201009:52Not Applicable
MicrosoftCommerceWSSDefaultSite.wsp\SiteTemplates\WSSCSDefaultSite\writeReview.aspxNot Applicable16,33925-Oct-201009:52Not Applicable


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


For more information about extensibility and customization, visit the following Microsoft Developer Network (MSDN) website: