
The Solidus Blog

Solidus Conf 2016

Registrations for SolidusConf 2016 are opening soon! SolidusConf will be held on May 11th and 12th, 2016, in the heart of downtown Toronto, Ontario. The centre and the conference hotel are conveniently located on Bloor Street West and provide easy access to the city’s best restaurants.


Susan Aili

Version 1.1.0

Just before Black Friday, a new minor release of Solidus. As this is a minor release, we've done our best to keep compatibility and have added deprecation notices wherever possible.


John Hawthorn

UX Roadmap for the Admin Interface

I'll be working on client sites eventually, but in the meantime I've been getting friendly with the Solidus admin. I already have ideas on improving inconsistent labels, unintuitive interfaces and other future enhancements.


Amanda Healey

The Future of Spree and the Future of Solidus

Spree Commerce, the company that has stood behind Spree OSS over the past years, has announced that it will stop investing in the open-source project and that there currently is no core team.


Solidus Core Team

Spree Admin broken by alerts

Using an old version of Spree? Admin down right now? You're probably encountering an issue with the alert system. In Spree, requests to the admin "phone home" to `alerts.spreecommerce.com`. Due to changes made to that domain in the last day, requests to the admin now hang, never returning a response. Fortunately, there's a quick workaround. Add the following to an initializer and restart your app servers. This will disable alerts entirely.

```ruby
# config/initializers/spree.rb
Spree.config do |config|
  # Stop admin requests from contacting alerts.spreecommerce.com
  config.check_for_spree_alerts = false
end
```

I urge Spree Commerce to move this domain to a static, empty s3 bucket to avoid stores having issues. This system was [removed in Solidus](https://github.com/solidusio/solidus/commit/18c4132161ab3ead5a826270a3c3a11c0546670a) shortly after the fork.


John Hawthorn

Information disclosure vulnerability through Ransack searches

We've released Solidus 1.0.1 to address a major security vulnerability.


John Hawthorn

Version 1.0.0

We're happy to announce Solidus 1.0.0, an updated fork of Spree 2.4 spearheaded by the developers at Bonobos and FreeRunning Technologies.


John Hawthorn

Remote Code Execution and File Disclosure Vulnerability

We've discovered another urgent security vulnerability in the Spree/Solidus API. This is limited to attackers who have API access; however, on many stores this is any user. We recommend all users upgrade immediately or apply the workaround below.

**Versions Affected**

- All versions of Spree and Solidus (introduced in Spree 1.2)

**Fixed Versions**

- [Solidus 1.0.0.pre3](https://github.com/solidusio/solidus/releases/tag/v1.0.0.pre3)

### Impact

An attacker with API access is able to execute arbitrary files on the remote system. It is likely that this could be leveraged to gain admin privileges, disclose the contents of files or execute arbitrary code. We recommend all users upgrade immediately, but this is especially dangerous to stores which provide API access to customers.

### Workarounds

If you are unable to upgrade you can work around this vulnerability by adding the following check through an initializer.

```ruby
# config/initializers/security_20150727.rb
Spree::Api::TaxonomiesController.before_filter do
  # Only the expected value "nested" is allowed for the `set` parameter;
  # any other client-supplied value is discarded before the action runs.
  params[:set] = nil if params[:set] != "nested"
end
```

### Patches

We've created the following patch, which should apply to all versions of Solidus and Spree.

[https://gist.github.com/jhawthorn/edbfda2c99d821d2f8c9](https://gist.github.com/jhawthorn/edbfda2c99d821d2f8c9)

### Mailing List

Following [last week's vulnerability](http://solidus.io/blog/2015/07/17/api-security-vulnerability.html), we've created a mailing list which will be the first place we announce security vulnerabilities. You can subscribe on the google group page [https://groups.google.com/forum/#!forum/solidus-security](https://groups.google.com/forum/#!forum/solidus-security) or by emailing [[email protected]](mailto:[email protected]).


John Hawthorn

Spree API Security Vulnerability

On Friday we came across a serious security vulnerability in the Spree/Solidus API. The effect of this vulnerability is that an attacker is able to access any file on the system. A valid API key is not required to exploit this. All users should patch their servers immediately.

We've provided the following monkey patch to remove the vulnerability. This should be put in an initializer, for example: `config/initializers/spree_api_template_security.rb`.

```ruby
module Spree::Api::Responders::RablTemplate
  # Always render the controller's default template, ignoring any
  # template name supplied with the request.
  def template
    options[:default_template]
  end
end
```

We also have provided the fix [as a patch](https://gist.github.com/jhawthorn/85e8d707a1b871f11cfd).

This affects **all versions** of spree (1.3 and up) and solidus 1.0.0.pre. This has been fixed on the [solidus master](http://github.com/solidusio/solidus) and in [1.0.0.pre2](https://rubygems.org/gems/solidus/versions/1.0.0.pre2).

It is likely that this remote file access can be leveraged to execute arbitrary code, and should be treated as such. Servers and databases should be assumed to have been compromised. We recommend everyone replace all security credentials including database passwords, ssh keys, payment gateway credentials, API tokens, and passwords.


John Hawthorn