Remote Code Execution and File Disclosure Vulnerability

We've discovered another urgent security vulnerability in the Spree/Solidus API. Exploitation is limited to attackers who have API access; however, on many stores that is any user.

We recommend all users upgrade immediately or apply the workaround below.

Versions Affected
All versions of Spree and Solidus (introduced in Spree 1.2)
Fixed Versions
Solidus 1.0.0.pre3

Impact

An attacker with API access is able to execute arbitrary files on the remote system. It is likely that this could be leveraged to gain admin privileges, disclose the contents of files or execute arbitrary code.

We recommend all users upgrade immediately, but this is especially dangerous for stores which provide API access to customers.

Workarounds

If you are unable to upgrade, you can work around this vulnerability by adding the following check through an initializer. It restricts the `set` parameter of the API taxonomies controller to the single expected value and discards anything else before the action runs.

# config/initializers/security_20150727.rb
# Workaround: only the known-safe value "nested" is accepted for params[:set];
# any other value is dropped before the taxonomy actions see it.
Spree::Api::TaxonomiesController.before_filter do
  params[:set] = nil if params[:set] != "nested"
end
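The same allowlist principle, as an added stand-alone example that is not part of the advisory or of Solidus: a plain Ruby model of the workaround's check that runs without Rails. It assumes, as the initializer above implies, that "nested" is the only legitimate value of `set`, and that the controller chooses between two fixed templates; the template names and the `sanitize_set_param`/`template_for` helpers are illustrative, not Spree's real code.

```ruby
# Added example, not from the advisory or from Spree/Solidus.
# Models the initializer's allowlist check on params[:set] so it can be
# exercised without a Rails application.

# The only value the taxonomy actions are meant to accept for :set.
# Assumption taken from the workaround above, which keeps "nested" only.
ALLOWED_SET_VALUES = ["nested"].freeze

# Mirrors the before_filter: returns a copy of the params hash in which
# :set is nil unless it is exactly one of the allowed values. Comparing
# against a fixed list (rather than rejecting known-bad patterns) means
# unexpected input can never reach the code that selects what to render.
def sanitize_set_param(params)
  cleaned = params.dup
  cleaned[:set] = nil unless ALLOWED_SET_VALUES.include?(cleaned[:set])
  cleaned
end

# Chooses the template from a fixed, server-side mapping instead of from
# the request string itself. Template names are assumed for illustration.
def template_for(params)
  sanitize_set_param(params)[:set] == "nested" ? "nested" : "show"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests: one legitimate, one with an unexpected value,
  # one with no :set at all.
  [{ set: "nested" }, { set: "unexpected_value" }, {}].each do |p|
    cleaned = sanitize_set_param(p)
    puts "params=#{p.inspect} -> set=#{cleaned[:set].inspect}, template=#{template_for(p)}"
  end
end
```

Because the check runs before the action, every taxonomy request either carries the one accepted value or carries nothing; the controller never has to decide what to do with a string it did not expect.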

Patches

We've created the following patch, which should apply to all versions of Solidus and Spree.

https://gist.github.com/jhawthorn/edbfda2c99d821d2f8c9

Mailing List

Following last week's vulnerability, we've created a mailing list which will be the first place we announce security vulnerabilities.

You can subscribe on the Google Groups page https://groups.google.com/forum/#!forum/solidus-security or by emailing solidus-security+subscribe@googlegroups.com.