Security Issues for Solution Sites

The following security issues pertain specifically to the Solution Sites. For more information about security issues in general, see "Securing Your Site" in Commerce Server 2002 Help.

  • You must place any page you want to have secured using the Secure Sockets Layer (SSL) protocol into the secure pages dictionary (MSCSSecurePages). Add secure pages to this dictionary using the GetSecurePagesDictionary function in the include\global_siteconfig_lib.asp file; a page that is not in the dictionary is not treated as a secure page by the site. SSL for the site must also be enabled from the Internet Information Services (IIS) snap-in, or the dictionary has no effect.
  • There is an IIS configuration switch that forces a site to run all of its pages in SSL mode. The Retail site was not built to support running in this mode; nor is it recommended for performance reasons.
  • Page access is controlled through the use of IIS security settings and by the EnsureAccess and EnsureAuthAccess routines, defined in the include\std_access_lib.asp file. For more information, see Page-Level Access Control for Solution Sites.
  • A ticket is a set of property name/value pairs stored either in a cookie (if cookies are enabled) or appended to the URL query string (URL mode). The ticket contains a unique ID that is used to track and authenticate the user. In URL mode the ticket, and with it the ID of the user, is exposed in the HTML cache and the browser history list; anyone with access to those can replay the ticket to impersonate the user and gain access to the account information of that user. For more information about tickets, see User Tracking.
  • The BDRefresh.asp and RefreshApp.asp files allow cache refreshes to be triggered from Commerce Server Business Desk. Triggering either refresh repeatedly forces the site to rebuild its caches and could lead to a denial of service for users. These files must be secured to ensure that only Business Desk users can trigger a refresh. Secure them by granting access only to the computers of specific Business Desk users through IP address access restrictions in IIS. For more information about securing these files, and other files included with the Solution Sites, see Securing BDRefresh.asp, RefreshApp.asp and Opt-Out.asp.
  • The csapp.ini file should be secured by turning off both read and anonymous access to it in IIS. This file should not be secured with NTFS permissions because it needs to be readable under user credentials, such as the IUSR account.
  • Several of the files in the Solution Sites have the file extension ".inc". If these files are not properly secured, they can be downloaded and their source viewed, because IIS does not process ".inc" files through the ASP script engine. By default, Commerce Server Site Packager denies download access to the directory in which these files are located. Be sure that this setting is preserved. Alternatively, these files can be safely renamed with an ".asp" extension so that IIS processes them as script rather than serving them as static content.
  • Access to different catalogs can be granted on a user or organization basis. Users are locked out of catalogs not in their catalog set. The catalog set information is stored in the profile of the user or their organization. The GetCatalogForUser function ensures that the user or organization has rights to a specified catalog.
  • The request wrapper functions (GetRequestString and GetRequestStringRange) reduce the risk of scripting attacks by stripping double quotes and the opening and closing element tag characters (< and >) from strings obtained through the Request object. Note that these functions strip characters rather than encode them. Any value that is written back into a page should still be encoded for its output context (for example, with Server.HTMLEncode), so that characters the wrappers do not strip cannot change the meaning of the surrounding markup.
  • Partner and Customer Service pages use profile property attributes to determine whether different types of users (normal users, delegated administrators, and so on) can read or write the profile properties. For example, a user profile may have a property called "approval limit". You can use the property attributes to designate that normal users cannot edit the property, but delegated administrators can. For more information about setting the attributes, see "Profile Definitions" under "Running the Profiles Resource" in Commerce Server 2002 Help.
  • Credit card information is not stored in a database. The credit card number is passed to a payment pipeline component, which takes full ownership of the number. However, the pipeline component can be changed to explicitly save the credit card number to the order form. (The credit card number field, _cc_number, is not persisted to the database because its name is prefixed with an underscore, and fields with that prefix are not saved.)
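The following Python example is added here to illustrate the point made above about the request wrapper functions: stripping double quotes and angle brackets from a request value is not the same as encoding that value for the context it is written into. The strip_request_string and strip_request_string_range functions are assumed models of the behavior the text describes, not the Commerce Server code from std_access_lib.asp or any other Solution Sites file, and the exact range semantics of GetRequestStringRange are an assumption. All sample inputs are constructed for the example.

```python
import html
import re

# Constructed sample request values; none are taken from a real site.
SAMPLES = {
    "plain": "widget 42",
    "tag": "<script>alert(1)</script>",
    "attr_dq": '" onmouseover="alert(1)',
    # Single quotes are not among the stripped characters.
    "attr_sq": "' onmouseover='alert(1)",
}


def strip_request_string(value):
    """Model of the stripping the page describes for GetRequestString:
    remove double quotes and the < and > characters.
    This is an assumed reimplementation, not Commerce Server code."""
    return value.replace('"', "").replace("<", "").replace(">", "")


def strip_request_string_range(value, min_len, max_len):
    """Model of GetRequestStringRange: strip, then enforce a length range.
    Returns None when the cleaned value falls outside [min_len, max_len].
    The range semantics are an assumption for this example."""
    cleaned = strip_request_string(value)
    if not (min_len <= len(cleaned) <= max_len):
        return None
    return cleaned


def encode_for_html(value):
    """Context-aware output encoding, the Python equivalent of what
    Server.HTMLEncode does in ASP. quote=True also escapes ' and ",
    so the result is safe inside single- or double-quoted attributes."""
    return html.escape(value, quote=True)


def render_name_field(raw):
    """Render a request value into a single-quoted attribute two ways:
    stripped only, and stripped then encoded for the attribute context."""
    cleaned = strip_request_string(raw)
    return {
        "stripped_only": f"<input name='name' value='{cleaned}'>",
        "encoded": f"<input name='name' value='{encode_for_html(cleaned)}'>",
    }


# The whole tag must be exactly one input element with one quoted value.
_INTACT_INPUT = re.compile(r"<input name='name' value='([^']*)'>$")


def attribute_is_intact(rendered):
    """True when the rendered tag still contains exactly one attribute value,
    i.e. the user-supplied text did not terminate the quoted attribute."""
    return _INTACT_INPUT.match(rendered) is not None


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        out = render_name_field(raw)
        print(label, "stripped only intact:", attribute_is_intact(out["stripped_only"]),
              "| encoded intact:", attribute_is_intact(out["encoded"]))
```

Running the block shows that stripping alone keeps the tag intact for the first three samples but not for the single-quoted one, while the encoded form stays intact for every sample. The practical rule for a Solution Site page is therefore to use the wrappers for input and Server.HTMLEncode (or the encoding appropriate to the output context) when writing the value back.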

See Also

Page-Level Access Control for Solution Sites

About the Login Feature for Solution Sites

About the Profiles Feature for Solution Sites

About the User Tracking Feature for Solution Sites

Copyright © 2005 Microsoft Corporation.
All rights reserved.