Spree Commerce

Security Fix for all Spree Versions

Posted on July 28, 2015 by Jeff Dutil

We have just issued several new versions of Spree that address a critical security vulnerability present in all versions of Spree 1.2.x+.

An attacker with API access is able to execute arbitrary files on the remote system. It is likely that this could be leveraged to gain admin privileges, disclose the contents of files or execute arbitrary code.

We recommend all users upgrade immediately, but this is especially dangerous to stores which provide API access to customers.

If you are unable or unwilling to upgrade you can monkey patch your Spree application with an initializer config/initializers/security_20150728.rb as a quick workaround:

# config/initializers/security_20150728.rb
# Discard any value of the `set` parameter other than the documented "nested"
# before the taxonomies API action runs.
Spree::Api::TaxonomiesController.before_filter do
  params[:set] = nil if params[:set] != "nested"
end

If you are using an unsupported version, such as 1.2.x, 1.3.x, 2.0.x or 2.1.x, you should use the above initializer as a workaround.
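As an added example (not Spree's own code), the check below scans web-server access logs for taxonomies API requests whose `set` parameter is anything other than "nested", i.e. requests the workaround above would neutralise. It assumes the Spree API is mounted at /api and a common-log-style line format; the log lines and addresses are constructed.

```ruby
require 'uri'
require 'cgi'

# Constructed sample access-log lines (hypothetical client addresses).
SAMPLE_LOG = <<~LOG
  203.0.113.5 - - [28/Jul/2015:10:00:01 +0000] "GET /api/taxonomies?set=nested HTTP/1.1" 200 512
  203.0.113.5 - - [28/Jul/2015:10:00:02 +0000] "GET /api/taxonomies/1/taxons HTTP/1.1" 200 128
  198.51.100.7 - - [28/Jul/2015:10:00:03 +0000] "GET /api/taxonomies?set=custom&token=abc HTTP/1.1" 200 64
  198.51.100.7 - - [28/Jul/2015:10:00:04 +0000] "GET /api/products?set=custom HTTP/1.1" 200 64
LOG

# The only value the taxonomies endpoint documents for `set`.
ALLOWED_SET = "nested"

# Common log format: client, identity, user, [time], "METHOD target PROTO", status
REQUEST_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>\S+) (?<target>\S+) [^"]*" (?<status>\d{3})/

# Returns one hash per request to the taxonomies endpoint (assumed mount
# point /api) that carried a `set` value other than ALLOWED_SET.
def suspicious_taxonomy_requests(log_text)
  log_text.each_line.map do |line|
    m = REQUEST_RE.match(line)
    next nil unless m
    uri = URI.parse(m[:target]) rescue nil
    next nil unless uri && uri.path.start_with?("/api/taxonomies")
    next nil if uri.query.nil?
    # CGI.parse returns every occurrence of a key, so repeated params are seen too.
    bad = CGI.parse(uri.query).fetch("set", []).reject { |v| v == ALLOWED_SET }
    next nil if bad.empty?
    { ip: m[:ip], time: m[:time], path: uri.path, set: bad, status: m[:status].to_i }
  end.compact
end

if __FILE__ == $0
  suspicious_taxonomy_requests(SAMPLE_LOG).each { |hit| puts hit.inspect }
end
```

A 200 status on a flagged request means the request reached an application that still accepted the parameter, so those lines are the ones worth following up on.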

Previous security releases

If you have not already read about and patched last week's security release, it is urgent that you immediately upgrade to these latest releases or patch the previous security vulnerability as well. While this current security issue does require a valid API key, the previous one does not, making all un-patched Spree stores vulnerable.

Credit

Thanks again to John Hawthorn from Free Running Tech for reporting the issue privately, after his recent security audit, via the security@spreecommerce.com email address. This allowed us to verify the problem and prepare the necessary security patches for public release.

Full Changes

To see a complete list of changes please view the compare pages: