
Online Business Center 1.36 Release Notes

Release Date: Saturday, January 21, 2017

Release Number: 1.36


Fixed Issues

Corrected Auto-Response Emails

When clubs use the Online Business Center to create credentials for the Club Reporting System, the system sends two automated email responses to the user:

  1. The first email shows the user's name and the user's ID.
  2. The second email shows the user's name and the password.

Previously, some club administrators did not receive these registration emails, even after checking their inbox and junk mail folders.

This issue is corrected.

 

Corrected WhiteHat Security Vulnerabilities

Vulnerability ID 50637714

The Online Business Center allows club administrators to re-order membership agreements and membership card/key tags.

Previously, using interception techniques, attackers could potentially manipulate pricing parameters during the re-order process. For example, the attacker could set all prices equal to $0.00 before submitting the order.

This vulnerability is corrected.
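
These release notes do not describe how the correction was implemented. The sketch below is an added example, not Online Business Center code, of a common server-side defense against this kind of price tampering: the server takes only the item code and quantity from the request and prices the order from its own catalog. The item codes, prices, quantity limit and function names are hypothetical.

```python
from decimal import Decimal, InvalidOperation

# Hypothetical server-side price list; item codes and prices are constructed.
CATALOG = {"AGREEMENT-100": Decimal("25.00"), "KEYTAG-250": Decimal("40.00")}

class OrderRejected(Exception):
    """A submitted re-order failed server-side validation."""

def total_trusting_client(lines):
    """Vulnerable pattern: the total is built from the submitted price field."""
    return sum((Decimal(l["price"]) * int(l["qty"]) for l in lines), Decimal("0"))

def _differs(submitted, expected):
    try:
        return Decimal(str(submitted)) != expected
    except InvalidOperation:
        return True  # an unparseable price counts as a mismatch

def price_order(lines):
    """Hardened pattern: take only item code and quantity from the request and
    price from CATALOG. Returns (total, items whose submitted price differed)."""
    total, mismatched = Decimal("0"), []
    for line in lines:
        code = line.get("item")
        if code not in CATALOG:
            raise OrderRejected(f"unknown item: {code!r}")
        try:
            qty = int(line.get("qty"))
        except (TypeError, ValueError):
            raise OrderRejected("quantity is not an integer")
        if not 1 <= qty <= 100:  # assumed limit; also blocks negative quantities
            raise OrderRejected(f"quantity out of range: {qty}")
        if line.get("price") is not None and _differs(line["price"], CATALOG[code]):
            mismatched.append(code)  # log as a tampering signal; never use the value
        total += CATALOG[code] * qty
    return total, mismatched

# Constructed request body in which every price field was changed to 0.00.
TAMPERED = [
    {"item": "AGREEMENT-100", "qty": "2", "price": "0.00"},
    {"item": "KEYTAG-250", "qty": "1", "price": "0.00"},
]

if __name__ == "__main__":
    print("client-trusting total:", total_trusting_client(TAMPERED))
    print("catalog total, mismatches:", price_order(TAMPERED))
```

The list of mismatched items gives the application something to log or alert on when a submitted price disagrees with the catalog.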

 

Vulnerability ID 50637715

On the Daily Web Transaction Report page, club administrators can generate a customized and detailed report of all account changes performed in the web interface.

Previously, by manipulating the Change Type parameter, attackers could potentially inject and execute malicious JavaScript code.

This vulnerability is corrected.

 

Vulnerability ID 50637718

Club administrators may enable or disable various user permissions on the Club Login Management page. Regardless of the user level, only users who have been granted access to the Club Login Management page may change user profile information and permissions.

Previously, if a level four user did not have access to the Club Login Management page and clicked Submit on the User Profile page (shown below), with or without making form changes, the system granted the user access to the Club Login Management page.

Although users with access to Club Login Management may only view and manage users having a level lower than their own, level four users with malicious intent could manipulate or remove level 1, 2, or 3 user profiles.

This vulnerability is corrected. Regardless of user level, the system does not automatically grant Club Login Management access to any user.