Security Bulletin - 20160912

Executive Summary

This security bulletin resolves vulnerabilities in Hotcakes software. The most severe of the vulnerabilities could allow an unauthorized user to view and change store configuration information, including payment gateways.

Affected Software & Vulnerability Ratings

The following supported versions of Hotcakes were found to be affected by these vulnerabilities:

  • 01.10.03
  • 02.00.00
  • 02.00.01
  • 02.00.02
Each vulnerability is listed below with its description, the affected version(s), and its severity rating:

  • Setup Wizard Access (Version(s): All; Severity: High) - An unauthorized user could potentially directly access the "getting started" or "setup wizard," allowing them to view and change store configuration information, including: store address, time zone, tax tables, shipping methods, shipping zones, and payment gateways/methods.
  • Version Information (Version(s): All; Severity: Medium) - As a result of the other vulnerabilities in this bulletin, unauthorized users could determine the version number of the Hotcakes software.
  • Dashboard Access (Version(s): 2.xx only; Severity: Medium) - An unauthorized user could potentially directly access the store dashboard. Dashboard sales data would be shown, but no other actions could be taken at this view.
  • File Vault Access (Version(s): 1.xx only; Severity: Medium) - An unauthorized user could potentially access the file vault in a way that allows files associated to products to be deleted from the store.
  • Dashboard Access (Version(s): 1.xx only; Severity: Low) - An unauthorized user could potentially directly access the store dashboard. All available links are unusable, and dashboard data is not rendered.

Resolution & Workarounds

In order to prevent any potential issues that could arise from these vulnerabilities, Hotcakes should be upgraded to version 01.10.04 or 02.00.03 as soon as possible.

In addition to upgrading the software, the following actions should be taken:

All Versions

  • Review the settings for the store logo, name, address, geo-location, and the page locations for the category, product, and checkout pages to ensure the values haven't changed.
  • Review the settings for all enabled/disabled payment gateways/methods to ensure the values haven't changed.
  • Update and/or replace the API keys or other connection information for all payment gateway/methods by refreshing/updating that information from the respective vendor.
  • Review the settings for any shipping methods to ensure the values haven't changed.
  • Update and/or replace the API keys or other connection information for any shipping methods by refreshing/updating that information from the respective vendor.
  • Review shipping zones for accuracy.
  • Review tax tables for accuracy.

Version 1.xx

  • Review the file vault to ensure that no files have been deleted.

Acknowledgements

We'd like to thank the customers and partners who came forward quickly with the details of this security threat.

Disclaimer

In addition to the terms and conditions outlined in our EULA/SLA:

The information provided in the Hotcakes Commerce, LLC (HOTCAKES) knowledge base is provided “as is” without warranty of any kind. HOTCAKES disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall HOTCAKES or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if HOTCAKES or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Support, Questions, Concerns

The comments here are closed to help protect the nature and identity of those who may be affected by this security bulletin. If you need to know more, please feel free to create a support request using the link above.