Posts tagged ‘vulnerability’
The Spree team was recently alerted to several potential security vulnerabilities. If you believe you’ve found a security vulnerability, please do not post publicly about it. Email us at firstname.lastname@example.org and we will investigate and fix the issue as quickly as possible.
Spree Roles Mass-assignment Vulnerability
The first reported vulnerability is a mass-assignment issue with Spree roles. By passing the right parameters while updating a user, that user is able to assign any existing role to themselves. This is fixed in the latest release. You are strongly encouraged to upgrade if you are using Spree 1.1.x, 1.2.x or 1.3.x.
Thanks to Laurens Nienhaus of asdfasdf.de, Web Entwicklung for reporting this.
1.2.x, 1.3.x, Edge
If you are using spree_auth_devise, run the following command to update to the latest version:
```
bundle update spree_auth_devise
```
It’s recommended that you update to v1.1.6. This release contains the security fix.
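The mass-assignment pattern described above, shown beside an allowlisted update, as an added example that is not Spree's code or its fix. The `User` class, its attribute names (`email`, `password`, `role_ids`) and the sample submission are hypothetical and constructed for illustration.

```ruby
# Added illustration, not Spree code. The User class and its attribute names
# (email, password, role_ids) are hypothetical.
class User
  # Attributes an account owner may change on their own record.
  SELF_SERVICE_ATTRIBUTES = %w[email password].freeze

  attr_accessor :email, :password, :role_ids

  def initialize(email:, role_ids: [])
    @email = email
    @role_ids = role_ids
  end

  # Vulnerable pattern: every submitted key is written to the record,
  # so a privilege-bearing attribute is as writable as the e-mail address.
  def update_unfiltered(params)
    params.each { |key, value| public_send("#{key}=", value) }
    self
  end

  # Hardened pattern: only allowlisted keys are written. The rejected keys
  # are returned so the caller can log them as a tampering signal.
  def update_filtered(params)
    allowed, rejected = params.partition do |key, _value|
      SELF_SERVICE_ATTRIBUTES.include?(key.to_s)
    end
    allowed.each { |key, value| public_send("#{key}=", value) }
    rejected.map { |key, _value| key.to_s }
  end
end

# Constructed form submission for a self-service profile update.
SUBMITTED = { "email" => "new@example.test", "role_ids" => [1] }.freeze

def compare_updates(params = SUBMITTED)
  unfiltered = User.new(email: "old@example.test").update_unfiltered(params)
  filtered = User.new(email: "old@example.test")
  rejected = filtered.update_filtered(params)
  { unfiltered_roles: unfiltered.role_ids,
    filtered_roles: filtered.role_ids,
    filtered_email: filtered.email,
    rejected_keys: rejected }
end

p compare_updates if $PROGRAM_NAME == __FILE__
```

Logging the rejected keys gives an audit trail for update requests that carry attributes the form never offered.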
JSON Gem Object Creation Vulnerability
The second is related to an Unsafe Object Creation vulnerability found in the JSON gem. This vulnerability potentially affects all versions of Spree that are running an outdated JSON gem.
The problem is not with Spree itself but the json gem upon which it relies. By using the suggested fix below you can ensure you are running a secure version of the json gem.
This is easily fixed by upgrading to the latest version of the JSON gem, which can be done by running the following command:
We have added a hard dependency on JSON to spree_core to ensure that in future versions of Spree you are using an unaffected version of the gem.
Thanks to Steve Root of Roots Kitchens Bedrooms Bathrooms for bringing this to our attention. More info on this vulnerability can be found on the rails-security group.
Unsafe Use of Constantize in Admin
The third vulnerability concerns unsafe reflections in parts of the Spree admin and affects any version of Spree >= 1.0.0. It is possible to instantiate an object of the user’s choice by passing the correct parameters to certain methods. As this vulnerability only pertains to the admin interface, we have not released a new version of Spree with this fix. However, this fix is available on Spree’s master branch as commit 70092eb.
Thanks to Gabriel Quadros of Conviso Application Security for reporting this.
Spree 1.0.x – 1.3.x, Edge
The problem can be addressed by updating to edge Spree. There is no urgent need to upgrade if you are running an affected version as long as your admin users can be trusted to not attempt a complicated technical exploit of this vulnerability.
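One way to avoid resolving a class from a request parameter, as an added example that is not Spree's code and not the change made in commit 70092eb. The class names, the allowlist and the helper functions are hypothetical, and `Object.const_get` stands in for Rails' `String#constantize` so the block runs without Rails.

```ruby
# Added illustration, not Spree code. CsvReport, PdfReport and the helper
# names below are hypothetical stand-ins.
class CsvReport
  def kind
    "csv"
  end
end

class PdfReport
  def kind
    "pdf"
  end
end

class DisallowedType < StandardError; end

# Explicit map from request value to class; nothing else is reachable.
ALLOWED_TYPES = {
  "CsvReport" => CsvReport,
  "PdfReport" => PdfReport
}.freeze

# Unsafe pattern: resolves whatever constant the caller names.
# Object.const_get stands in here for Rails' String#constantize.
def build_unsafe(type_name)
  Object.const_get(type_name).new
end

# Hardened pattern: look the name up in the allowlist and refuse the rest.
def build_safe(type_name)
  klass = ALLOWED_TYPES.fetch(type_name.to_s) do
    raise DisallowedType, "type not permitted: #{type_name.inspect}"
  end
  klass.new
end

# Returns :refused instead of raising, for use in a quick check.
def safe_kind(type_name)
  build_safe(type_name).kind
rescue DisallowedType
  :refused
end
```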
The Spree team was recently alerted to two potential security vulnerabilities.
The first potential exploit, reported by John Hartzler, would allow a user to request a specially crafted URL and expose arbitrary files on the server. All prior versions of Spree are affected by this issue but it has since been patched in the edge code as well as the brand new Spree 0.50.1 release.
If you are not able to upgrade immediately there is a simple “hot fix” you can code into your site which should work with all prior versions of Spree. You need to create a file named `config/initializers/security_hotfix.rb` in your application and make sure it contains the following code:
```ruby
# config/initializers/security_hotfix.rb
ContentController.class_eval do
  def show
    render :template => params[:path]
  end
end
```
The second issue, reported by joernchen of Phenoelit, is a bug in the rd_searchlogic gem which would allow malicious users to execute arbitrary remote commands. The rd_searchlogic gem was forked from the original searchlogic since the original still does not support Rails 3. The forked gem is the most vulnerable but the original searchlogic gem also contains a variation of this exploit.
This affects both the 0.30.x and the 0.40.x versions of Spree. Upgrading your installation of Spree to 0.50.x is an easy solution to this problem (since we no longer use searchlogic). If you are unable to upgrade at this time and are not using the search functionality provided by the REST API, then you can drop the following code into a new file titled `config/initializers/searchlogic_hotfix.rb`:
```ruby
# config/initializers/searchlogic_hotfix.rb
Api::BaseController.class_eval do
  def search
    return nil
  end
end
```
Both of these fixes will require a restart of your production server to take effect.
The Spree team was recently alerted to a potential security vulnerability related to so-called JSON Hijacking. The potential exploit involves using social engineering to induce an administrator who is logged into Spree to visit a web page that contains code designed to exploit the vulnerability. If an authenticated admin loads a page containing this code in their browser it could expose sensitive user and order information via a JSON security exploit.
Most versions of Spree are affected including all versions of 0.11.x and the latest edge code for the upcoming 0.30.x. If you are running on an edge version of Spree, please update to the latest source code which includes these two important fixes.
Anyone using a previously released version of Spree is strongly encouraged to upgrade to the brand new 0.11.2 release. The new 0.11.2 release contains two crucial commits needed to address this vulnerability. The complete set of changes for the 0.11.2 release can be viewed on GitHub.
This is not a particularly new vulnerability nor is it unique to Spree. There is a very detailed blog post outlining the specifics of JSON Hijacking if you wish to read up on it further.
Special thanks to Conviso Security for reporting the problem to us as well as the team at Locaweb for helping us to test the fix. This was another great example of the OS community working together to report and fix security issues in a timely manner. Remember, if you spot a security issue, please do not report it in a public forum or issue tracker. Send an email to email@example.com so we can address the issue before publicizing the vulnerability.