The Solidus Blog
Solidus Conf 2016
Registrations for SolidusConf 2016 are opening soon! SolidusConf will be held on May 11th and 12th, 2016, in the heart of downtown Toronto, Ontario. The centre and the conference hotel are conveniently located on Bloor Street West and provide easy access to the city’s best restaurants.
Susan Aili
Version 1.1.0
Just before Black Friday, a new minor release of Solidus. As this is a minor release, we've done our best to keep compatibility and have added deprecation notices wherever possible.
John Hawthorn
UX Roadmap for the Admin Interface
I'll be working on client sites eventually, but in the meantime I've been getting friendly with the Solidus admin. I already have ideas on improving inconsistent labels, unintuitive interfaces and other future enhancements.
Amanda Healey
The Future of Spree and the Future of Solidus
Spree Commerce, the company that has stood behind Spree OSS over the past years, has announced that it will stop investing in the open-source project and that there currently is no core team.
Solidus Core Team
Spree Admin broken by alerts
Using an old version of Spree? Admin down right now? You're probably encountering an issue with the alert system. In Spree, requests to the admin "phone home" to `alerts.spreecommerce.com`. Due to changes made to that domain in the last day, requests to the admin now hang, never returning a response.

Fortunately, there's a quick workaround. Add the following to an initializer and restart your app servers. This will disable alerts entirely.

```ruby
# config/initializers/spree.rb
Spree.config do |config|
  config.check_for_spree_alerts = false
end
```

I urge Spree Commerce to move this domain to a static, empty S3 bucket to avoid stores having issues. This system was [removed in Solidus](https://github.com/solidusio/solidus/commit/18c4132161ab3ead5a826270a3c3a11c0546670a) shortly after the fork.
John Hawthorn
Information disclosure vulnerability through Ransack searches
We've released Solidus 1.0.1 to address a major security vulnerability.
John Hawthorn
Version 1.0.0
We're happy to announce Solidus 1.0.0, an updated fork of Spree 2.4 spearheaded by the developers at Bonobos and FreeRunning Technologies.
John Hawthorn
Remote Code Execution and File Disclosure Vulnerability
We've discovered another urgent security vulnerability in the Spree/Solidus API. This is limited to attackers who have API access; however, on many stores this is any user. We recommend all users upgrade immediately or apply the workaround below.

**Versions Affected**

- All versions of Spree and Solidus (introduced in Spree 1.2)

**Fixed Versions**

- [Solidus 1.0.0.pre3](https://github.com/solidusio/solidus/releases/tag/v1.0.0.pre3)

### Impact

An attacker with API access is able to execute arbitrary files on the remote system. It is likely that this could be leveraged to gain admin privileges, disclose the contents of files or execute arbitrary code. We recommend all users upgrade immediately, but this is especially dangerous to stores which provide API access to customers.

### Workarounds

If you are unable to upgrade, you can work around this vulnerability by adding the following check through an initializer.

```ruby
# config/initializers/security_20150727.rb
Spree::Api::TaxonomiesController.before_filter do
  params[:set] = nil if params[:set] != "nested"
end
```

### Patches

We've created the following patch, which should apply to all versions of Solidus and Spree: [https://gist.github.com/jhawthorn/edbfda2c99d821d2f8c9](https://gist.github.com/jhawthorn/edbfda2c99d821d2f8c9)

### Mailing List

Following [last week's vulnerability](http://solidus.io/blog/2015/07/17/api-security-vulnerability.html), we've created a mailing list which will be the first place we announce security vulnerabilities. You can subscribe on the Google Group page [https://groups.google.com/forum/#!forum/solidus-security](https://groups.google.com/forum/#!forum/solidus-security) or by emailing [[email protected]](mailto:[email protected]).
John Hawthorn
Spree API Security Vulnerability
On Friday we came across a serious security vulnerability in the Spree/Solidus API. The effect of this vulnerability is that an attacker is able to access any file on the system. A valid API key is not required to exploit this. All users should patch their servers immediately.

We've provided the following monkey patch to remove the vulnerability. This should be put in an initializer, for example `config/initializers/spree_api_template_security.rb`.

```ruby
module Spree::Api::Responders::RablTemplate
  def template
    options[:default_template]
  end
end
```

We have also provided the fix [as a patch](https://gist.github.com/jhawthorn/85e8d707a1b871f11cfd).

This affects **all versions** of Spree (1.3 and up) and Solidus 1.0.0.pre. This has been fixed on the [Solidus master](http://github.com/solidusio/solidus) and in [1.0.0.pre2](https://rubygems.org/gems/solidus/versions/1.0.0.pre2).

It is likely that this remote file access can be leveraged to execute arbitrary code, and it should be treated as such. Servers and databases should be assumed to have been compromised. We recommend everyone replace all security credentials including database passwords, SSH keys, payment gateway credentials, API tokens, and passwords.
John Hawthorn
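Both API workarounds above (the `set` filter for the taxonomies endpoint and the `RablTemplate` patch) follow the same rule: a request parameter must never choose which server-side template is rendered unless it is pinned to a known value. The following is an added example, not Spree or Solidus code, showing that rule as a reusable allowlist; the `TemplateAllowlist` module and its template names are hypothetical.

```ruby
require "set"

# Added example: pin a request-influenced template choice to an explicit allowlist,
# falling back to the controller's default for anything else. Module and template
# names are hypothetical; this is not the Spree/Solidus implementation.
module TemplateAllowlist
  # Hypothetical: the only view names this endpoint knows how to render.
  ALLOWED_TEMPLATES = Set.new(%w[index show nested]).freeze

  # Returns a name guaranteed to be one of ALLOWED_TEMPLATES. Non-strings (nil,
  # symbols, arrays from query-string tricks), traversal sequences and absolute
  # paths all collapse to +default+, mirroring the RablTemplate patch above.
  def self.resolve(requested, default:)
    unless ALLOWED_TEMPLATES.include?(default)
      raise ArgumentError, "default template #{default.inspect} is not allowlisted"
    end
    return default unless requested.is_a?(String)

    ALLOWED_TEMPLATES.include?(requested) ? requested : default
  end

  # Mirrors the taxonomies workaround: only the literal "nested" survives,
  # every other value of params[:set] is cleared before the action runs.
  def self.sanitize_set_param(params)
    params = params.dup
    params[:set] = nil if params[:set] != "nested"
    params
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: one legitimate name plus shapes an allowlist must reject.
  ["nested", "../../etc/passwd", "/etc/passwd", "nested/../x", nil, :nested].each do |req|
    puts "#{req.inspect.ljust(20)} -> #{TemplateAllowlist.resolve(req, default: 'index')}"
  end
end
```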