Kartris 1.x 'license file corrupt' after March 2016 Windows updates

[#62] Last update 15 Mar 2016

Following Windows updates in March 2016 'patch Tuesday', web sites based on Kartris v1.x stop running and give an error that the license file is corrupt or missing even though the file has not been changed and nothing else relating to the web site has been changed.

Kartris 1.x versions are not open source, and use a signed XML file as a license (the license.config file in the root of the web). The digital signature contained within the XML file is computed over a cryptographic hash of the data in the readable XML fields, so any tampering with those fields invalidates it. Microsoft has patched a security component of .NET relating to the verification of digital signatures in signed XML documents, which appears to have broken this functionality.

The Microsoft security bulletin related to this Windows patch is here:

https://technet.microsoft.com/library/security/MS16-035

The patch itself is KB 3135983.

There is no workaround or fix that we can provide for this; we have tested multiple license files and all seem to suffer the same issue, so issuing new licenses won't solve the problem. Without Microsoft providing specific details of the security vulnerability and how to exploit it, it's impossible to identify why their update breaks the license check in Kartris. Even if it were possible, because the license code is built into the Kartris DLL, we'd need to build new DLLs for every Kartris 1.x release.

The only practical solution is to remove the MS16-035 patch from your server from within the Windows Update tool and block it from reinstalling. If you don't control your own server (i.e. you are running on shared hosting) then this is not possible and the only realistic option is to upgrade Kartris.

Versions of Kartris from 2.0 onwards are open source and do not have any cryptographic checking of license signatures within the license file (in fact, a license file is not required if running under the free GPL license). Upgrading to the latest version, or to any version from Kartris v2.0 onwards, will fix this issue.

If you are running a v1.x version of Kartris and have your own server, we strongly recommend you switch to manual Windows updates so you can prevent this patch from installing. But longer term, we'd recommend all stores running v1.x versions upgrade to the latest version to avoid the potential for other issues relating to this older code. The newer open source versions of Kartris are more stable and also easier to patch should any issues occur as individual files or even lines of code can be modified.
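The following script is an added example and is not part of the Kartris article. It shows how a server administrator can check whether the update the article names (KB 3135983) is installed, remove it, and hide it so Windows Update does not re-offer it. The KB number is taken from the article; the use of wusa.exe and of the Windows Update Agent COM API to hide the update are this example's own choices, not steps the article describes.

```powershell
# Added example (not from the Kartris article): check for, remove and hide KB3135983
# (MS16-035) on a Kartris 1.x web server. Run in an elevated Windows PowerShell session.
# Assumptions: the KB number is exactly as the article states; hiding is done through
# the Windows Update Agent COM API, which the article does not mention.

$Kb = '3135983'

function Test-Ms16035Installed {
    # Get-HotFix reads the installed-update list; it returns nothing if the KB is absent.
    $hotfix = Get-HotFix -Id "KB$Kb" -ErrorAction SilentlyContinue
    return [bool]$hotfix
}

function Remove-Ms16035 {
    # wusa.exe is the Windows Update Standalone Installer. /quiet and /norestart suppress
    # prompts; a reboot is normally still needed before the removal takes effect.
    Start-Process -FilePath 'wusa.exe' -ArgumentList "/uninstall /kb:$Kb /quiet /norestart" -Wait
}

function Hide-Ms16035 {
    # Mark the update hidden through the Windows Update Agent so automatic updates do
    # not reinstall it. Only updates that are offered but not installed appear in this
    # search, so run this after the uninstall and reboot.
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($update in $result.Updates) {
        foreach ($id in $update.KBArticleIDs) {
            if ($id -eq $Kb) {
                $update.IsHidden = $true
                Write-Output "Hidden from Windows Update: $($update.Title)"
            }
        }
    }
}

if (Test-Ms16035Installed) {
    Write-Output "KB$Kb is installed; this is the update that breaks the Kartris 1.x license check."
    Remove-Ms16035
    Write-Output "Reboot, then run Hide-Ms16035 so KB$Kb is not re-offered."
} else {
    Write-Output "KB$Kb is not installed."
    Hide-Ms16035
}
```

Hiding the update only stops it being re-offered; it does not stop a later cumulative update from carrying the same fix, so this is a stop-gap until the store is moved to Kartris v2.x.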

Update 1, 2016-03-10: How to identify which version of Kartris you're running

Normally you can find the version of Kartris you're running from the back end. However, this issue will take the back end down too. The next best way to determine your version is to run the following query on the database (using MS SQL Management Studio or a similar program):

SELECT TOP (10) LS_Name, LS_VersionAdded
FROM tblKartrisLanguageStrings
ORDER BY LS_ID DESC

This lists the most recently added language strings on your database, most recent first. Since language strings are added frequently for new features, the LS_VersionAdded value in the results should be a very close guide to which version you are running, certainly to within 1 decimal place (e.g. it will let you distinguish whether you're running 1.3, 1.4, 2.0, etc.).

Update 2, 2016-03-14: Further overview on the issue and alternative fix

We were tweeted by Anders Abel who reported the security issue that Microsoft fixed, and his blog includes a more detailed explanation of the issue and an alternative solution (although this still requires full server admin permissions, not possible on shared hosting):

https://coding.abel.nu/2016/03/vulnerability-in-net-signedxml/

On a patched system, a CryptographicException is thrown with the message "Malformed reference element.". It is possible to disable the checking and revert to the old unsafe behaviour by adding a DWORD value under

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security
named SignedXmlAllowAmbiguousReferenceTargets with value 1.
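The script below is an added example, not code from the Kartris article or from Anders Abel's post. It applies or removes the registry override described above and then runs a standard .NET SignedXml verification against a signed XML file, so an administrator can see whether the "Malformed reference element." exception still occurs. The registry path and value name are those given in the article; everything else is this example's own. It assumes license.config is a standard XML-DSig document (a Signature element in the http://www.w3.org/2000/09/xmldsig# namespace, as .NET SignedXml produces) and that the .NET Framework reads the override at process start, so the IIS application pool needs recycling after the change.

```powershell
# Added example (not from the Kartris article or Anders Abel's post): manage the
# SignedXmlAllowAmbiguousReferenceTargets override and probe a signed XML file.
# Run in an elevated Windows PowerShell session on the web server. Assumptions:
# the value is read at process start (recycle the app pool afterwards), and the
# license file is a standard XML-DSig document.

$RegPath = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\Security'
$RegName = 'SignedXmlAllowAmbiguousReferenceTargets'

function Enable-AmbiguousReferenceTargets {
    # Restores the pre-MS16-035 behaviour for every .NET Framework process on the
    # machine, not only the Kartris site; treat it as a stop-gap until v2.x.
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    New-ItemProperty -Path $RegPath -Name $RegName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Disable-AmbiguousReferenceTargets {
    # Removes the override so the patched (safe) verification is back in force.
    Remove-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
}

function Get-OverrideState {
    $v = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'not set (patched behaviour)' }
    return "set to $($v.$RegName)"
}

function Test-SignedXmlFile {
    param([Parameter(Mandatory)][string]$Path)
    Add-Type -AssemblyName System.Security
    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true            # canonicalisation depends on exact whitespace
    $doc.Load((Resolve-Path $Path).Path)
    $sigNodes = $doc.GetElementsByTagName('Signature', 'http://www.w3.org/2000/09/xmldsig#')
    if ($sigNodes.Count -eq 0) { return 'no Signature element found' }
    $signedXml = New-Object System.Security.Cryptography.Xml.SignedXml($doc)
    $signedXml.LoadXml([System.Xml.XmlElement]$sigNodes.Item(0))
    try {
        # CheckSignature() with no argument uses the key material carried in <KeyInfo>.
        if ($signedXml.CheckSignature()) { return 'signature valid' }
        return 'signature INVALID'
    } catch {
        # PowerShell wraps .NET exceptions; unwrap to the CryptographicException itself.
        # On a patched system without the override, an ambiguous reference target
        # surfaces here as 'Malformed reference element.'
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        return "$($ex.GetType().Name): $($ex.Message)"
    }
}

Write-Output "Override is $(Get-OverrideState)"
# Example use against the Kartris license file in the web root (placeholder path):
# Test-SignedXmlFile -Path '<web root>\license.config'
```

Because the override is machine-wide, run Test-SignedXmlFile before and after changing it, and remove the override again once the store has been upgraded to a version that no longer needs it.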
