
The Solidus Blog

Remote Code Execution and File Disclosure Vulnerability

We've discovered another urgent security vulnerability in the Spree/Solidus API. Exploiting it requires API access; however, on many stores any user has API access. We recommend all users upgrade immediately or apply the workaround below.

**Versions Affected**

- All versions of Spree and Solidus (introduced in Spree 1.2)

**Fixed Versions**

- [Solidus 1.0.0.pre3](https://github.com/solidusio/solidus/releases/tag/v1.0.0.pre3)

### Impact

An attacker with API access is able to cause arbitrary files on the server to be executed. It is likely that this could be leveraged to gain admin privileges, disclose the contents of files, or execute arbitrary code. We recommend all users upgrade immediately, but this is especially dangerous for stores which provide API access to customers.

### Workarounds

If you are unable to upgrade, you can work around this vulnerability by adding the following check through an initializer. It discards every value of the `set` parameter other than `"nested"` before the controller action runs:

```ruby
# config/initializers/security_20150727.rb
# Reject any `set` parameter other than "nested" before the action
# (and whatever template it selects) runs.
Spree::Api::TaxonomiesController.before_filter do
  params[:set] = nil if params[:set] != "nested"
end
```

### Patches

We've created the following patch, which should apply to all versions of Solidus and Spree: [https://gist.github.com/jhawthorn/edbfda2c99d821d2f8c9](https://gist.github.com/jhawthorn/edbfda2c99d821d2f8c9)

### Mailing List

Following [last week's vulnerability](http://solidus.io/blog/2015/07/17/api-security-vulnerability.html), we've created a mailing list which will be the first place we announce security vulnerabilities. You can subscribe on the Google Group page [https://groups.google.com/forum/#!forum/solidus-security](https://groups.google.com/forum/#!forum/solidus-security) or by emailing [[email protected]](mailto:[email protected]).
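The allow-list idea behind the workaround, in runnable form. This is an added example, not Spree or Solidus code: a toy template resolver whose module name, file layout and file contents are constructed here. It contrasts a lookup that splices a request parameter straight into the template path with one that honours only `nested` and otherwise falls back to the default template, which is what nulling `params[:set]` achieves above. The toy resolver appends the file extension itself; real template lookups differ in detail, but the traversal is the same.

```ruby
require "tmpdir"
require "fileutils"

# Added illustration, not Spree/Solidus code: a template lookup driven by a
# request parameter, in an unsafe and a hardened form.
module TemplatePicker
  ALLOWED_SETS = %w[nested].freeze   # the only value the workaround lets through
  DEFAULT_TEMPLATE = "show".freeze   # rendered when no (valid) set is requested

  # Vulnerable: the caller-supplied name lands directly in the path. A value of
  # "../../secret" walks out of the view directory entirely.
  def self.unsafe_template_path(views_root, set)
    File.join(views_root, "taxonomies", "#{set || DEFAULT_TEMPLATE}.rabl")
  end

  # Hardened: only an allow-listed name is honoured; anything else falls back
  # to the default, exactly as setting params[:set] = nil does.
  def self.safe_template_name(set)
    ALLOWED_SETS.include?(set) ? set : DEFAULT_TEMPLATE
  end

  def self.safe_template_path(views_root, set)
    File.join(views_root, "taxonomies", "#{safe_template_name(set)}.rabl")
  end

  # Defence in depth: refuse any resolved path outside the view root, however
  # the name was chosen. expand_path normalises the ".." segments lexically.
  def self.inside_root?(views_root, path)
    root = File.expand_path(views_root)
    full = File.expand_path(path)
    full.start_with?(root + File::SEPARATOR)
  end

  # Builds a constructed directory tree in a temp dir and runs both resolvers
  # against the traversal payload. Returns what each one would end up rendering.
  def self.demo
    Dir.mktmpdir do |tmp|
      views = File.join(tmp, "views")
      FileUtils.mkdir_p(File.join(views, "taxonomies"))
      File.write(File.join(views, "taxonomies", "show.rabl"), "default template")
      File.write(File.join(views, "taxonomies", "nested.rabl"), "nested template")
      File.write(File.join(tmp, "secret.rabl"), "not a view") # outside the root

      payload = "../../secret"
      unsafe = unsafe_template_path(views, payload)
      safe   = safe_template_path(views, payload)
      nested = safe_template_path(views, "nested")

      {
        unsafe_renders: File.read(unsafe),        # "not a view": file disclosed
        unsafe_in_root: inside_root?(views, unsafe),
        safe_renders:   File.read(safe),          # "default template"
        safe_in_root:   inside_root?(views, safe),
        nested_renders: File.read(nested)         # "nested template"
      }
    end
  end
end

puts TemplatePicker.demo.inspect if $PROGRAM_NAME == __FILE__
```

The allow-list is the real fix; the `inside_root?` check is a second layer that would still have caught the payload had the name slipped through, and it is cheap enough to keep on any code path that turns request data into a file name.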


John Hawthorn

Spree API Security Vulnerability

On Friday we came across a serious security vulnerability in the Spree/Solidus API. The effect of this vulnerability is that an attacker is able to access any file on the system. A valid API key is not required to exploit this. All users should patch their servers immediately.

We've provided the following monkey patch to remove the vulnerability. It should be put in an initializer, for example `config/initializers/spree_api_template_security.rb`:

```ruby
# config/initializers/spree_api_template_security.rb
# Always render the responder's default template, ignoring any other
# template selection.
module Spree::Api::Responders::RablTemplate
  def template
    options[:default_template]
  end
end
```

We have also provided the fix [as a patch](https://gist.github.com/jhawthorn/85e8d707a1b871f11cfd).

This affects **all versions** of Spree (1.3 and up) and Solidus 1.0.0.pre. It has been fixed on [Solidus master](http://github.com/solidusio/solidus) and in [1.0.0.pre2](https://rubygems.org/gems/solidus/versions/1.0.0.pre2).

It is likely that this remote file access can be leveraged to execute arbitrary code, and it should be treated as such. Servers and databases should be assumed to have been compromised. We recommend everyone replace all security credentials, including database passwords, SSH keys, payment gateway credentials, API tokens, and passwords.


John Hawthorn