Remote Code Execution and File Disclosure Vulnerability
John Hawthorn
28 Jul 2015 - 1 min read
We've discovered another urgent security vulnerability in the Spree/Solidus API. It is limited to attackers who have API access; however, on many stores that is any user.
We recommend all users upgrade immediately or apply the workaround below:
Versions Affected
- All versions of Spree and Solidus (introduced in Spree 1.2)
Fixed Versions
Impact
An attacker with API access is able to execute arbitrary files on the remote system. It is likely that this could be leveraged to gain admin privileges, disclose the contents of files or execute arbitrary code.
We recommend all users upgrade immediately, but this is especially dangerous for stores that provide API access to customers.
Workarounds
If you are unable to upgrade, you can work around this vulnerability by adding the following check in an initializer. It discards any `set` parameter sent to the taxonomies API other than the one value the endpoint legitimately uses, `"nested"`.

```ruby
# config/initializers/security_20150727.rb
Spree::Api::TaxonomiesController.before_filter do
  # Only "nested" is accepted; any other value is dropped before the action runs.
  params[:set] = nil if params[:set] != "nested"
end
```
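As an added example (not part of the advisory or the Solidus code base), the same allow-list expressed as a plain Ruby function, plus a small scan over constructed access-log lines that flags taxonomies API requests carrying a `set` value other than `"nested"`, which is what a store owner would look for when checking whether the endpoint was probed before the workaround was applied. The log format and the `token` query parameter are assumptions for the sample data.

```ruby
require "uri"
require "cgi"

# Constructed sample access-log lines (not from any real store):
# "<method> <path?query> <status>". The `token` parameter stands in for
# the API key the Spree API accepts on the query string.
SAMPLE_LOG = <<~LOG
  GET /api/taxonomies/1?set=nested&token=abc 200
  GET /api/taxonomies/1?set=%2Fetc%2Fpasswd&token=abc 200
  GET /api/taxonomies/1?token=abc 200
  GET /api/products?set=anything&token=abc 200
  GET /api/taxonomies/2?set=..%2F..%2Fconfig%2Fdatabase.yml&token=abc 500
LOG

# "nested" is the only value the taxonomies endpoint legitimately uses.
def allowed_set?(value)
  value == "nested"
end

# The initializer workaround as a pure function: any other `set` is dropped.
def sanitize_params(params)
  params = params.dup
  params["set"] = nil unless allowed_set?(params["set"])
  params
end

# Parse one log line into method, path, decoded query hash and status.
def parse_line(line)
  m = line.match(%r{\A\s*(\w+)\s+(\S+)\s+(\d{3})\s*\z})
  return nil unless m
  uri = URI.parse(m[2])
  query = uri.query ? CGI.parse(uri.query).transform_values(&:first) : {}
  { method: m[1], path: uri.path, query: query, status: m[3].to_i }
end

# Requests to the taxonomies API whose `set` is anything other than "nested":
# exactly the requests the workaround above would have neutralised.
def suspicious_requests(log)
  log.each_line.filter_map do |line|
    req = parse_line(line)
    next nil unless req && req[:path].start_with?("/api/taxonomies")
    set = req[:query]["set"]
    next nil if set.nil? || allowed_set?(set)
    { path: req[:path], set: set, status: req[:status] }
  end
end
```

Running `suspicious_requests(SAMPLE_LOG)` over the constructed log returns the two taxonomies requests with a non-"nested" `set`; the `/api/products` line is ignored because the workaround only touches the taxonomies controller.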
Patches
We've created the following patch, which should apply to all versions of Solidus and Spree.
https://gist.github.com/jhawthorn/edbfda2c99d821d2f8c9
Mailing List
Following last week's vulnerability, we've created a mailing list which will be the first place we announce security vulnerabilities.
You can subscribe on the google group page https://groups.google.com/forum/#!forum/solidus-security or by emailing [email protected].