Spree Commerce

Posts tagged ‘security’

Important Security Fix for all Spree 2.x.x Versions

Posted on March 25, 2014 by Ryan Bigg

We have just issued several new versions of Spree that address a critical security vulnerability. A vulnerability in the API was discovered which could allow an attacker to obtain the security token for an order. The exploit would require the attacker to randomly guess valid order numbers, but once achieved, the technique would reveal private customer information associated with the order. Credit card details are never stored in Spree and were never put at risk by this exploit. Users are advised to perform an immediate upgrade.

We have officially released the following new Spree versions: 2.0.10, 2.1.6, and 2.2.1. These versions also contain several other minor fixes. To see a complete list of changes please view the compare pages:

Tax calculation corrections

Also worth noting is that on the 2-2-stable branch, there have been some minor tweaks to improve the tax calculation there. In certain circumstances, the tax amount that was applied was incorrect. For information about that, please see Issue #4327.

Details on the security patch

We strongly advise everyone to upgrade to the latest version of Spree available for their stores. For example, if you’re running v2.0.9, please upgrade to v2.0.10 immediately.

Alternatively, you can fork Spree to a local `vendor/gems/spree` directory within your application and apply the patch using one of these commands:

  • 2-0-stable: git cherry-pick dc6f3b5b87f31e4f1ce7f8a5ef8378abbb3b16ea
  • 2-1-stable: git cherry-pick 71807994b779fc921d494234aa16b6f081a6c2c4
  • 2-2-stable: git cherry-pick ba4ab90dfb36a8bd25c465f763c977963821102b

Thanks to Michael Nowak from Taktsoft for following security procedures and reporting the issue privately to the security team via the security@spreecommerce.com email. This allowed us to quickly verify the problem and to quickly prepare the necessary security patches for public release.

Future security announcements

Going forward, the best way to ensure you receive all security announcements is to subscribe to the spree security mailing list. The mailing list is very low traffic, and it receives the public notifications the moment the embargo is lifted. Security announcements will also continue to be announced via our blog and social media.

New 1.3, 2.0 and 2.1 releases

Posted on October 16, 2013 by Ryan Bigg

Today we have released new versions of the 1.3.x, 2.0.x and 2.1.x branches of Spree: 1.3.4, 2.0.6 and 2.1.2 respectively. These new releases contain contributions from the community as well as a security fix for the API.

For more information please check out the release notes on GitHub:

Multiple Security Vulnerabilities Fixed

Posted on February 21, 2013 by John Dyer

The Spree team was recently alerted to several potential security vulnerabilities. If you believe you’ve found a security vulnerability, please do not post publicly about it. Email us at security@spreecommerce.com and we will investigate and fix the issue as quickly as possible.

Spree Roles Mass-assignment Vulnerability

The first vulnerability reported pertains to a mass-assignment vulnerability with spree roles. By passing the right parameters while updating a user, that user is able to assign any existing role to themselves. This is fixed in the latest release. You are strongly encouraged to upgrade if you are using Spree 1.1.x, 1.2.x or 1.3.x.
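To make the mechanism concrete, here is an added example (not Spree's code, and not the spree_auth_devise fix) written in plain Ruby without Rails. `User`, `SELF_EDITABLE` and the request body `TAMPERED_PARAMS` are constructed stand-ins; the point is the difference between writing every submitted key to the record and writing only an explicit allow-list of self-editable attributes.

```ruby
require 'set'

ADMIN_ROLE = 'admin'.freeze

# Constructed stand-in for a user record (not Spree's User model).
class User
  # Attributes a user may change about themselves; roles are deliberately absent.
  SELF_EDITABLE = %w[email].freeze

  attr_reader :email, :roles

  def initialize(email, roles)
    @email = email
    @roles = Set.new(roles)
  end

  def admin?
    @roles.include?(ADMIN_ROLE)
  end

  # Vulnerable pattern: every key in the request body is written through to
  # the record, so a body that smuggles in a roles key grants the caller any
  # role that exists.
  def update_unfiltered(attrs)
    attrs.each do |key, value|
      case key.to_s
      when 'email' then @email = value
      when 'roles' then @roles = Set.new(value)
      end
    end
    self
  end

  # Hardened pattern: only an explicit allow-list survives (the idea behind
  # attr_accessible in Rails 3 and strong parameters later); role changes
  # must go through a separate admin-only code path instead.
  def update_filtered(attrs)
    permitted = attrs.select { |key, _| SELF_EDITABLE.include?(key.to_s) }
    update_unfiltered(permitted)
  end
end

# Constructed request body of the shape the advisory describes: a routine
# email change with an extra roles key attached.
TAMPERED_PARAMS = {
  'email' => 'me@example.com',
  'roles' => %w[user admin]
}.freeze

def profile_update_unfiltered
  User.new('old@example.com', %w[user]).update_unfiltered(TAMPERED_PARAMS)
end

def profile_update_filtered
  User.new('old@example.com', %w[user]).update_filtered(TAMPERED_PARAMS)
end

if __FILE__ == $PROGRAM_NAME
  puts "unfiltered -> admin? #{profile_update_unfiltered.admin?}" # true
  puts "filtered   -> admin? #{profile_update_filtered.admin?}"   # false
end
```

The filtered update keeps the email change and silently drops the roles key, which is the behaviour a self-service profile endpoint should have; granting roles belongs in an action that is itself restricted to administrators.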

Thanks to Laurens Nienhaus of asdfasdf.de, Web Entwicklung for reporting this.

Versions Affected

1.2.x, 1.3.x, Edge

The Fix

If you are using spree_auth_devise, run the following command to update to the latest version:

bundle update spree_auth_devise

1.1.x

It’s recommended that you update to v1.1.6. This release contains the security fix.

JSON Gem Object Creation Vulnerability

The second is related to an Unsafe Object Creation vulnerability found in the JSON gem. This vulnerability potentially affects all versions of Spree that are running an outdated JSON gem.

Versions Affected

All Versions

The problem is not with Spree itself but the json gem upon which it relies. By using the suggested fix below you can ensure you are running a secure version of the json gem.

The Fix

This is easily fixed by upgrading to the latest version of the JSON gem, which can be done by running the following command:

bundle update json

We have added a hard dependency on JSON to spree_core to ensure that in future versions of Spree you are using an unaffected version of the gem.

Thanks to Steve Root of Roots Kitchens Bedrooms Bathrooms for bringing this to our attention. More info on this vulnerability can be found on the rails-security group.
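The following is an added example, not code from Spree or from the json gem's advisory, showing what "unsafe object creation" means in practice. `AuditEntry` and `UNTRUSTED_BODY` are constructed for illustration. With additions enabled, a `json_class` key in the input selects which class the parser instantiates; with additions disabled (the default for `JSON.parse` in current json gems, which the vulnerable releases lacked) the same input is just a Hash.

```ruby
require 'json'

# Constructed stand-in for a class that participates in the json gem's
# "additions" protocol; not a Spree class.
class AuditEntry
  attr_reader :message

  def initialize(message)
    @message = message
  end

  # The hook the json gem calls when it meets {"json_class": "AuditEntry"}
  # and additions are enabled.
  def self.json_create(hash)
    new(hash['message'])
  end
end

# Constructed attacker-shaped document: ordinary-looking data plus the
# json_class marker that steers object creation.
UNTRUSTED_BODY = '{"json_class":"AuditEntry","message":"hi"}'.freeze

# What request bodies should go through: additions off, so json_class is
# just another string key in a plain Hash. Current json gems default to this
# for JSON.parse; the vulnerable releases did not, which is why the advisory
# tells you to update the gem rather than your own code.
def parse_untrusted(body)
  JSON.parse(body, create_additions: false)
end

# The legacy behaviour, shown only to make the difference visible: the
# document chooses the class and the parser instantiates it. Acceptable only
# for data your own process produced, never for request bodies.
def parse_with_additions(body)
  JSON.parse(body, create_additions: true)
end

if __FILE__ == $PROGRAM_NAME
  puts "untrusted parse  -> #{parse_untrusted(UNTRUSTED_BODY).class}"      # Hash
  puts "additions parse  -> #{parse_with_additions(UNTRUSTED_BODY).class}"
end
```

A quick review check for an application on an old gem is therefore to grep for `JSON.parse` and `JSON.load` on request-derived data and confirm none of them runs with additions enabled; upgrading the gem, as the post recommends, makes the safe behaviour the default.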

Unsafe Use of Constantize in Admin

The third vulnerability concerns unsafe reflections in parts of the Spree admin and affects any version of Spree >= 1.0.0. It is possible to instantiate an object of the user’s choice by passing the correct parameters to certain methods. As this vulnerability only pertains to the admin interface, we have not released a new version of Spree with this fix. However, this fix is available on Spree’s master branch as commit 70092eb.

Thanks to Gabriel Quadros of Conviso Application Security for reporting this.

Versions Affected

Spree 1.0.x – 1.3.x, Edge

The Fix

The problem can be addressed by updating to edge Spree. There is no urgent need to upgrade if you are running an affected version as long as your admin users can be trusted to not attempt a complicated technical exploit of this vulnerability.
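To illustrate the unsafe-reflection pattern behind this advisory and the usual way to close it, here is an added example in plain Ruby (not Spree's code and not commit 70092eb). `Object.const_get` stands in for Rails' `constantize`; the `Calculator` classes, `InternalTask` and the registry `PERMITTED_CALCULATORS` are constructed for illustration.

```ruby
# Constructed stand-ins for classes an admin screen might legitimately
# choose between.
module Calculator
  class FlatRate
    def describe; 'flat rate'; end
  end

  class PerItem
    def describe; 'per item'; end
  end
end

# Constructed stand-in for a class that must never be reachable from a
# request parameter.
class InternalTask
  def describe; 'internal task'; end
end

class UnsafeReflection < StandardError; end

# Unsafe pattern: whatever string the request carries becomes a constant
# lookup, so any loaded class with a no-argument constructor can be
# instantiated by the caller.
def instantiate_unsafe(type_param)
  Object.const_get(type_param).new
end

# Hardened pattern: the parameter is a key into an explicit registry of
# permitted classes; unknown names are rejected before any reflection
# happens, so adding a new class to the process never widens the surface.
PERMITTED_CALCULATORS = {
  'Calculator::FlatRate' => Calculator::FlatRate,
  'Calculator::PerItem'  => Calculator::PerItem
}.freeze

def instantiate_checked(type_param)
  klass = PERMITTED_CALCULATORS.fetch(type_param) do
    raise UnsafeReflection, "not a permitted calculator: #{type_param.inspect}"
  end
  klass.new
end

if __FILE__ == $PROGRAM_NAME
  puts instantiate_checked('Calculator::FlatRate').describe # flat rate
  puts instantiate_unsafe('InternalTask').describe          # internal task
  begin
    instantiate_checked('InternalTask')
  rescue UnsafeReflection => e
    puts "rejected: #{e.message}"
  end
end
```

The registry also gives you a natural place to log rejected names, which is a useful detection signal for admin accounts being probed.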

Exploits found within Core and API

Posted on January 31, 2013 by Ryan Bigg

Please upgrade your Spree stores now to their latest gem versions 1.3.2, 1.2.4, 1.1.5 or 1.0.7.

Thanks to the work of Egor Homakov, we have located and patched two serious exploits within Spree.

The first allows a user to authenticate as a random user to the API, which could potentially lead them to authenticating as an admin user for the store. The second allows them to issue a Denial of Service attack against the store using an especially crafted URL.

We have patched the 1-0-stable, 1-1-stable, 1-2-stable, 1-3-stable and master branches for Spree, as well as released new gem versions for the stable branches.

We strongly advise all Spree stores to upgrade to their latest gem versions so that they are not affected by these exploits.

Spree 1.3.1 and 1.2.3 Released

Posted on January 07, 2013 by Sean Schofield

Last week the Rails team announced a new release which addresses an important security vulnerability. This is a Rails security problem, but since Spree relies on these insecure versions of Rails, all Spree users are advised to upgrade to a more secure version immediately.

Spree 1.3.1

Existing Spree 1.3.0 users should upgrade to the new Spree 1.3.1 release. This release uses the more secure Rails 3.2.10 version and also includes some minor bug fixes unrelated to the security issue. You can review the Github compare for a complete list of changes.

Spree 1.2.3

Existing Spree 1.2.x users should upgrade to the new Spree 1.2.3 release. This release uses the more secure Rails 3.2.10 version and also includes some minor bug fixes unrelated to the security issue. You can review the Github compare for a complete list of changes.

Other Versions of Spree

If you are using Spree versions 1.1.x and older you should consider upgrading to Spree version 1.2.3 or higher. Our current policy is to only maintain the latest two versions of Spree along with the current master.

Upgrading Rails Without Updating Spree

If you’re not ready to update your version of Spree, you may want to consider updating just the version of Rails you’re using. Spree gems will not allow you to use arbitrary versions of Rails (we like to test them first), so you’ll have to do a little hacking if you want to go it alone. To accomplish this you need to work with the source code and check out from Git the exact tag of your version of Spree. You can then modify the gemspec to allow a newer version of Rails. Finally, you’ll need to push this change to a fork and modify the Gemfile in your project to point to the fork.

Spree 1.2.2 Released

Posted on November 26, 2012 by Sean Schofield

Spree 1.2.2 has been officially released. The primary purpose of this release is to upgrade to the latest secure version of Rails. Previous versions of Rails 3.2.x have a DoS vulnerability that was fixed in the recent Rails 3.2.9 release. The DoS vulnerability is actually a Ruby security issue as well, so it is recommended that you upgrade your Ruby installation to Ruby 1.9.3.p327 or higher.

There are no new Spree security vulnerabilities addressed in this release – just those mentioned above concerning Ruby/Rails. Please note that earlier last week we issued a flawed Spree 1.2.1 release but that has since been “yanked” (due to a minor glitch) and the fixed version has been released as Spree 1.2.2.

This release also contains a series of minor bug fixes and improvements which you can read more about in the Spree 1.2.2 release notes. As always, this has been a group effort by the outstanding members of our community. This release contained 248 contributions by 44 different authors. You can see the Github compare for full details.

This release does not contain the new admin interface. That functionality is currently available on the master branch and will be released as part of Spree 1.3.0 in early December.

Spree 1.1.4 Released

Posted on November 26, 2012 by Sean Schofield

Spree 1.1.4 has been officially released. The primary purpose of this release is to upgrade to the latest secure version of Rails. Previous versions of Rails 3.2.x have a DoS vulnerability that was fixed in the recent Rails 3.2.9 release. The DoS vulnerability is actually a Ruby security issue as well, so it is recommended that you upgrade your Ruby installation to Ruby 1.9.3.p327 or higher.

There are no new Spree security vulnerabilities addressed in this release – just those mentioned above concerning Ruby/Rails. This release also contains a series of minor bug fixes which you can read more about in the Spree 1.1.4 release notes. You can also see the Github compare for full details.

Due to the upcoming Spree 1.3.0 release, this will be the final patch release of Spree 1.1.x. We encourage you to update to Spree 1.2.x as soon as possible.

Important Security Updates

Posted on July 05, 2012 by Andrew Hooker

We have just released several new versions of Spree which contain important security fixes. A vulnerability exists in Product Scopes that could allow for unauthenticated remote command execution. There is also a potential XSS vulnerability related to the analytics dashboard. Finally, the new releases also upgrade to the latest version of Rails, which includes additional security fixes addressed by the Rails team.

The remote command execution vulnerability is quite serious and affects all versions of Spree. You should upgrade to one of the following secure versions of Spree immediately: 0.11.4, 0.70.6, 1.0.5 or 1.1.2.

Thanks to joernchen from Phenoelit and Michael Bianco from Ascension Press for bringing these issues to our attention.

If you believe you’ve found a security vulnerability, please do not post publicly about it. Email us at security@spreecommerce.com and we will investigate and fix the issue as quickly as possible.

Please consult the following list of scenarios to find out what the recommendations are for your particular version of Spree.

Spree Versions Affected

Edge/Master

The patch has been applied to the repo with the following commits: 7f1e5d3 and 3db9a6e. Update to 7f1e5d3 or a more recent commit to be protected.

1.1.x

It’s recommended that you update to v1.1.2. This contains the security fix as well as other bug and stability fixes.

See the Github compare view for the full details.

1.0.x

It’s recommended that you update to v1.0.5. This contains the security fix as well as other bug and stability fixes.

0.70.x

It’s recommended that you update to v0.70.6. This release contains only the security fix.

0.20.x – 0.60.x

It’s recommended that you update to v0.70.6. This is a fairly easy upgrade (no major changes in Rails version, etc.) and we cannot continue to support older versions of Spree indefinitely.

0.11.x

It’s recommended that you update to v0.11.4. This release contains only the security fix.

Spree Analytics Extension

If you are using the spree_analytics extension you need to update to 079949fd to receive the most recent security fix. If you are using Spree 1.0.x or greater the analytics is included in Spree and updating to the latest secure Spree version will take care of this for you.

Spree Commitment to Security

The Spree team remains committed to the highest standard of security in its software. Spree is used by thousands of stores worldwide and the source code is under constant review by the community. We believe in disclosing all security vulnerabilities to the public in a timely and responsible fashion. Thanks again to joernchen from Phenoelit and Michael Bianco from Ascension Press for working with us while we resolved this issue.

Spree 0.60.6 Released

Posted on March 15, 2012 by Sean Schofield

Spree 0.60.6 has been released. The primary purpose of this release is to address a recently discovered security vulnerability which under certain circumstances allows any authenticated user to read the contents of another user’s order.

Please see the Github compare for a complete list of changes in this release. Due to this issue and other previously announced vulnerabilities you should upgrade to this version of Spree if you are running any version of Spree prior to 0.60.6.

Spree 0.70.5 Released

Posted on March 15, 2012 by Sean Schofield

Spree 0.70.5 has been released. The primary purpose of this release is to address a recently discovered security vulnerability which under certain circumstances allows any authenticated user to read the contents of another user’s order.

Please see the Github compare for a complete list of changes in this release. Due to this issue and other previously announced vulnerabilities you should upgrade to this version of Spree if you are running a previous 0.70.x version of Spree.

Spree 1.0.3 Released

Posted on March 15, 2012 by Sean Schofield

Spree 1.0.3 has been released. The primary purpose of this release is to address a recently discovered security vulnerability which under certain circumstances allows any authenticated user to read the contents of another user’s order.

Please see the Github compare for a complete list of changes in this release. Due to this issue and other previously announced vulnerabilities you should upgrade to this version of Spree if you are running a prior version of Spree 1.0.x.

NOTE: Earlier this week we released Spree 1.0.2 which contained this fix. Before we could write up the release announcement we discovered a newly introduced bug that required a quick follow-up release, which is now Spree 1.0.3. It is recommended that you update to version 1.0.3 if you are running version 1.0.2 because of this bug, but it is not required for security purposes.

Spree 0.70.4 Released

Posted on March 05, 2012 by Sean Schofield

Spree 0.70.4 has been released. The primary purpose of this release is to provide compatibility with the recent Rails 3.1.4 release. Anyone using a prior version of Spree 0.70.x is urged to upgrade immediately due to two different security fixes in Rails discussed here and here.

Please see the Github compare for a complete list of changes in this release.

Spree 0.60.5 Released

Posted on March 05, 2012 by Sean Schofield

Spree 0.60.5 has been released. The primary purpose of this release is to provide compatibility with the recent Rails 3.0.12 release. Anyone using a prior version of Spree is urged to upgrade immediately due to two different security fixes in Rails discussed here and here.

Please see the Github compare for a complete list of changes in this release.

Spree 1.0.1 Released

Posted on March 05, 2012 by Sean Schofield

Spree 1.0.1 has been released. The primary purpose of this release is to provide compatibility with the recent Rails 3.1.4 release. Anyone using a prior version of Spree 1.0.x is urged to upgrade immediately due to two different security fixes in Rails discussed here and here.

We have also fixed several issues that have come up since the 1.0.0 release. Please see the Github compare for a complete list of changes in this release.

Important Security Updates (Oct. 2011)

Posted on October 24, 2011 by Sean Schofield

Over the past several weeks there have been several important security updates to Rails as well as Spree. The most recent Spree security announcement describes a critical vulnerability that affects all but the very latest versions of Spree. All affected users are advised to upgrade immediately.

We have also implemented a new mechanism to inform Spree developers and store owners of potential security threats before they are announced on the mailing list. We have created an alerts feature that will perform an automated check against your version of Rails and Spree and inform you of any potential security problems. We believe this feature is so important that we’ve gone back and implemented it for previous versions of Spree as well.

Please consult the following list of scenarios to find out what the recommendations are for your particular version of Spree.

Edge/Master

No action required.

0.70.1

No action required.

0.70.0

It’s recommended that you update to 0.70.1. There are no known vulnerabilities with 0.70.0 but version 0.70.1 contains the new security alert mechanism to keep you informed of issues in the future.

0.60.3

It is recommended that you update to 0.60.4. There are no security issues with Spree itself but this version of Spree does use a version of Rails that is considered to be insecure. By updating this version of Spree you will move to the more secure Rails 3.0.10.

0.60.0 – 0.60.2

It is recommended that you update to 0.60.4. These versions of Spree have a critical vulnerability and they are also using insecure versions of Rails.

0.50.0 – 0.50.3

It is recommended that you update to 0.50.4 at a minimum. This will address a critical vulnerability in Spree but will still leave possible issues with the version of Rails. You should consider updating to Spree 0.60.4 which will also address the Rails security issues by updating you to Rails 3.0.10.

0.40.0 – 0.40.3

It is recommended that you update to 0.40.4 at a minimum. This will address a critical vulnerability in Spree but will still leave possible issues with the version of Rails. You should consider updating to Spree 0.60.4 which will also address the Rails security issues by updating you to Rails 3.0.10.

0.30.0 – 0.30.1

It is recommended that you update to 0.30.2 at a minimum. This will address a critical vulnerability in Spree but will still leave possible issues with the version of Rails. You should consider updating to Spree 0.60.4 which will also address the Rails security issues by updating you to Rails 3.0.10.

0.11.0 – 0.11.2

It is recommended that you update to 0.11.3. This will address a critical vulnerability in Spree and will also address issues with older versions of Rails that contain security problems. After upgrading you will be moved to the more secure Rails 2.3.14.

Versions prior to 0.11.0

It is recommended that you update to 0.11.3.

Spree 0.60.2 Released (Security Fix)

Posted on October 05, 2011 by Sean Schofield

We have just released Spree 0.60.2 which contains an important security fix. A vulnerability exists in the ProductScope class that could allow for unauthenticated remote command execution. To put it simply, you should either upgrade immediately or add your own custom fix based on this commit.

Special thanks to joernchen of Phenoelit for discovering and reporting the problem through the appropriate channels (a private email to security@railsdog.com). Roman Smirnov (aka romul) provided the necessary fix.

The edge code has also been updated to include this fix. There are also a few other minor issues addressed in this release. See the Github compare view for the full details.

We are currently working on an improved solution for handling the reporting of security issues. We will be announcing a new initiative on this front in the near future.

Security Vulnerabilities - Content Controller & Search Logic

Posted on April 19, 2011 by John Dyer and Sean Schofield

The Spree team was recently alerted to two potential security vulnerabilities.

The first potential exploit, reported by John Hartzler, would allow a user to request a specially crafted URL and expose arbitrary files on the server. All prior versions of Spree are affected by this issue but it has since been patched in the edge code as well as the brand new Spree 0.50.1 release.

If you are not able to upgrade immediately there is a simple “hot fix” you can code into your site which should work with all prior versions of Spree. You need to create a file named `config/initializers/security_hotfix.rb` in your application and make sure it contains the following code:

config/initializers/security_hotfix.rb
ContentController.class_eval do
  def show
    render :template => params[:path]
  end
end
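Whatever form the override takes, the property a static-page controller needs is that `params[:path]` can only ever name a page beneath the content view directory. The following is an added example, not the page's hotfix and not Spree code: a plain-Ruby check with a constructed template root (`TEMPLATE_ROOT`) and page list (`KNOWN_PAGES`) that rejects traversal, absolute paths and unknown names before any template lookup happens.

```ruby
require 'pathname'

# Constructed template root and the page names that exist beneath it; in an
# application these would come from the real view directory on disk.
TEMPLATE_ROOT = Pathname.new('/app/views/content').freeze
KNOWN_PAGES   = %w[about faq shipping].freeze

class ForbiddenPath < StandardError; end

# Returns the page name to render, nil if the page does not exist, and
# raises ForbiddenPath for anything that tries to leave TEMPLATE_ROOT.
def safe_template_for(requested)
  path = requested.to_s
  segments = path.split('/')

  # Absolute paths, empty segments ("a//b"), "." and ".." are never
  # legitimate page names, so reject them before doing anything else.
  if path.start_with?('/') || segments.empty? ||
     segments.any? { |s| s.empty? || s == '.' || s == '..' }
    raise ForbiddenPath, path
  end

  # Belt and braces: normalise the joined path and confirm it is still inside
  # the root, which also catches anything the segment check did not foresee.
  full = (TEMPLATE_ROOT + path).cleanpath
  raise ForbiddenPath, path unless full.to_s.start_with?("#{TEMPLATE_ROOT}/")

  # Finally, only pages that actually ship are renderable; an unknown name
  # should become a 404 rather than a template lookup.
  name = full.relative_path_from(TEMPLATE_ROOT).to_s
  KNOWN_PAGES.include?(name) ? name : nil
end

if __FILE__ == $PROGRAM_NAME
  %w[about faq/../about ../../config/database.yml missing].each do |req|
    begin
      puts "#{req.inspect} -> #{safe_template_for(req).inspect}"
    rescue ForbiddenPath => e
      puts "#{req.inspect} -> forbidden (#{e.message})"
    end
  end
end
```

Raising a distinct exception for traversal attempts, rather than folding them into the 404 case, keeps them visible in logs as a separate signal from ordinary mistyped URLs.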

The second issue, reported by joernchen of Phenoelit, is a bug in the rd_searchlogic gem which would allow malicious users to execute arbitrary remote commands. The rd_searchlogic gem was forked from the original searchlogic since the original still does not support Rails 3. The forked gem is the most vulnerable but the original searchlogic gem also contains a variation of this exploit.

This affects both the 0.30.x and the 0.40.x versions of Spree. Upgrading your installation of Spree to 0.50.x is an easy solution to this problem (since we no longer use searchlogic). If you are unable to upgrade at this time and are not using the search functionality provided by the REST API, then you can drop the following code into a new file titled `config/initializers/searchlogic_hotfix.rb`:

config/initializers/searchlogic_hotfix.rb
Api::BaseController.class_eval do
  protected

  def search
    return nil
  end
end

Both of these fixes will require a restart of your production server to take effect.

Spree 0.40.3 Released

Posted on February 17, 2011 by Sean Schofield

Spree 0.40.3 has been officially released. This is a minor patch release with a few fixes. All users should consider an immediate upgrade due to the recently announced security vulnerability in previous versions of Rails. Spree now requires Rails 3.0.4 which resolves this problem.

We also made an important fix for anyone using payment gateways that do not support a credit card profile (this includes the standard Authorize.net gateway). If you are developing on a version of Spree 0.30.x with one of these gateways you’ve probably already experienced difficulties submitting the card details to the gateway. These issues are solved in version 0.40.3 along with a separate issue related to voids.

If you’re running a version of Spree less than 0.30.0 or if you are using Authorize.net CIM then you are not affected by this problem (but upgrading is still recommended due to the security fix mentioned above).

Devise Authentication

Posted on December 21, 2010 by Sean Schofield

The edge code has just been updated to use the new Devise gem for authentication, replacing the previous solution of Authlogic. People who have been following the source code closely will recall that we attempted this switch earlier but backed away from it once we encountered various difficulties. So what made us decide to try again?

The first reason is that we were given assurances from Devise author, Jose Valim, that it would be possible to provide all of the customization options that we would require. The second reason is that we came to realize that the migration to Devise would make it easier to allow authentication via social networking services. Such work is already underway in the new spree_social gem.

We have updated the security guide in the edge documentation to reflect these recent changes as well as some new documentation on the Cancan permissions system that we introduced in the Spree 0.30.x release. Special thanks to John Brien (Rails Dog’s newest hire), who has been working tirelessly on this effort.

JSON Hijacking Vulnerability

Posted on November 02, 2010 by Sean Schofield

The Spree team was recently alerted to a potential security vulnerability related to so-called JSON Hijacking. The potential exploit involves using social engineering to induce an administrator who is logged into Spree to visit a web page that contains code designed to exploit the vulnerability. If an authenticated admin loads a page containing this code in their browser it could expose sensitive user and order information via a JSON security exploit.

Most versions of Spree are affected including all versions of 0.11.x and the latest edge code for the upcoming 0.30.x. If you are running on an edge version of Spree, please update to the latest source code which includes these two important fixes.

Anyone using a previously released version of Spree is strongly encouraged to upgrade to the brand new 0.11.2 release. The new 0.11.2 release contains two crucial commits needed to address this vulnerability. The complete set of changes for the 0.11.2 release can be viewed in Github.

This is not a particularly new vulnerability nor is it unique to Spree. There is a very detailed blog post outlining the specifics of JSON Hijacking if you wish to read up on it further.
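The attack works because a page on another site can make the admin's browser fetch the JSON endpoint with a plain `GET` (for example via a `<script src>` tag) and the admin's cookies go along for the ride. Two mitigations that follow from that are shown in the added example below, which is not Spree's code and not either of the commits the post refers to: refusing JSON `GET`s that lack the `X-Requested-With` header a cross-site script tag cannot set, and prefixing responses so the body is not a valid JavaScript program. The Rack-style request hashes and the payload are constructed for illustration.

```ruby
require 'json'

# Constructed sample requests in Rack env form, holding only the keys the
# guard reads. The first is what a cross-site <script src=...> produces; the
# second is what the admin UI's own XMLHttpRequest produces.
SCRIPT_TAG_GET = {
  'REQUEST_METHOD' => 'GET',
  'PATH_INFO'      => '/admin/orders.json'
}.freeze
XHR_GET = SCRIPT_TAG_GET.merge('HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest').freeze

# A script tag can only issue a plain GET and cannot add custom headers; an
# in-application XMLHttpRequest can. Requiring the header for JSON GETs
# therefore closes the script-tag channel while leaving the UI working.
def json_request_allowed?(env)
  return true unless env['REQUEST_METHOD'] == 'GET'
  env['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest'
end

# Defence in depth: prefix every JSON body with a fragment that is a syntax
# error as JavaScript, so that even a response that does get served cannot
# be executed via <script>. The legitimate client strips it before parsing.
JSON_PREFIX = ")]}',\n".freeze

def render_json(payload)
  JSON_PREFIX + JSON.generate(payload)
end

def strip_json_prefix(body)
  raise ArgumentError, 'missing anti-hijack prefix' unless body.start_with?(JSON_PREFIX)
  JSON.parse(body.delete_prefix(JSON_PREFIX))
end

# Returns [status, body] for a sensitive JSON endpoint.
def serve(env, payload)
  json_request_allowed?(env) ? [200, render_json(payload)] : [403, '']
end

if __FILE__ == $PROGRAM_NAME
  orders = [{ 'number' => 'R0001', 'email' => 'customer@example.com' }]
  puts "script tag: #{serve(SCRIPT_TAG_GET, orders).first}" # 403
  puts "xhr:        #{serve(XHR_GET, orders).first}"        # 200
end
```

Modern browsers have since removed the Array-constructor and setter tricks the original attack relied on, and SameSite cookie defaults reduce the exposure further, but both measures above remain cheap and are still common practice for sensitive JSON endpoints.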

Special thanks to Conviso Security for reporting the problem to us as well as the team at Locaweb for helping us to test the fix. This was another great example of the OS community working together to report and fix security issues in a timely manner. Remember, if you spot a security issue, please do not report it in a public forum or issue tracker. Send an email to security@railsdog.com so we can address the issue before publicizing the vulnerability.

Potential XSS Security Issue in LocaleController

Posted on January 26, 2010 by Sean Schofield

We’ve just patched the edge code to address a potential security hole. The vulnerability also affects prior versions of Spree including the latest 0.9.4 release. The upcoming 1.0.0 release will contain the fix. We will not be issuing a patch release but you can easily address the problem by patching the LocaleController in your site extension as follows:

class LocaleController < ApplicationController
  def set
    # Only switch locale when the requested value is one we actually ship;
    # otherwise the raw parameter never reaches the session or the page.
    if params[:locale] && AVAILABLE_LOCALES.include?(params[:locale])
      I18n.locale = params[:locale]
      session[:locale] = params[:locale]
      flash[:notice] = t("locale_changed")
    else
      flash[:error] = t("locale_not_changed")
    end
    redirect_back_or_default(root_path)
  end
end

Special thanks to Alexander Kozliakov for reporting the bug and providing a fix. Please continue to report any suspected security issues to security@railsdog.com.