Critical security issue fix for all 2.X versions

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
10 years ago
As you may know, several days ago we released nopCommerce 3.00. In that topic announcement I wrote about a critical security issue fix in all 2.X versions. But it seems that a lot of people still have not applied the fix. If you do not want to share your order and customer details with hackers, then please apply the fix as described below (if you're running a 2.X version).

The security vulnerability affects all 2.X versions of nopCommerce. We won’t share the issue details because people need a chance to update or fix their installations. The upgrade is HIGHLY recommended. If you don’t have an opportunity to upgrade to version 3.00, then please follow the next steps to fix your 2.X version. Open web.config file in the root of your site and remove the following three lines of code:
<add verb="GET,HEAD" path="asset.axd" validate="false" type="Telerik.Web.Mvc.WebAssetHttpHandler, Telerik.Web.Mvc" />

<remove name="asset" />

<add name="asset" preCondition="integratedMode" verb="GET,HEAD" path="asset.axd" type="Telerik.Web.Mvc.WebAssetHttpHandler, Telerik.Web.Mvc" />

Once it's done it's highly recommended to change your passwords (database, payment gateways, etc).

As you can see it was caused by a third-party library (Telerik MVC Extensions), but we apologize for the inconvenience that this security vulnerability has caused.
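As an added example (not nopCommerce's or Telerik's code), the following Python helper audits a web.config for the three entries named in the post and strips them, so an administrator can confirm the mitigation is actually in place on every 2.X site rather than eyeballing the file. The embedded sample web.config is a constructed fragment for illustration; the section names, attribute matching and function names are assumptions of this example, not anything from the project.

```python
"""Audit and remove the Telerik asset.axd handler registrations from a web.config.

Added example, not nopCommerce's own tooling. Assumes the three entries
described in the post: an <add path="asset.axd" ...> under
<system.web><httpHandlers>, and <remove name="asset"/> plus
<add name="asset" .../> under <system.webServer><handlers>.
"""
import xml.etree.ElementTree as ET

VULNERABLE_TYPE_PREFIX = "Telerik.Web.Mvc.WebAssetHttpHandler"
VULNERABLE_PATH = "asset.axd"

# Sections the post tells you to edit (assumed layout of a 2.X web.config).
SECTIONS = (("system.web", "httpHandlers"), ("system.webServer", "handlers"))

# Constructed sample web.config fragment, not a real site's file.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpHandlers>
      <add verb="*" path="unused.axd" type="Some.Other.Handler" />
      <add verb="GET,HEAD" path="asset.axd" validate="false" type="Telerik.Web.Mvc.WebAssetHttpHandler, Telerik.Web.Mvc" />
    </httpHandlers>
  </system.web>
  <system.webServer>
    <handlers>
      <remove name="asset" />
      <add name="asset" preCondition="integratedMode" verb="GET,HEAD" path="asset.axd" type="Telerik.Web.Mvc.WebAssetHttpHandler, Telerik.Web.Mvc" />
    </handlers>
  </system.webServer>
</configuration>
"""


def _find_section(root, outer, inner):
    """Return the <inner> element nested under <outer>, or None if absent."""
    for outer_elem in root:
        if outer_elem.tag == outer:
            for inner_elem in outer_elem:
                if inner_elem.tag == inner:
                    return inner_elem
    return None


def _is_asset_handler(elem):
    """True if this <add>/<remove> entry registers the Telerik asset handler."""
    if elem.tag == "remove":
        return elem.get("name") == "asset"
    if elem.tag == "add":
        path = (elem.get("path") or "").lower()
        handler_type = elem.get("type") or ""
        return path == VULNERABLE_PATH or handler_type.startswith(VULNERABLE_TYPE_PREFIX)
    return False


def find_asset_handlers(config_xml):
    """List (section, tag, attributes) for every matching entry still present."""
    root = ET.fromstring(config_xml)
    hits = []
    for outer, inner in SECTIONS:
        section = _find_section(root, outer, inner)
        if section is None:
            continue
        for elem in list(section):
            if _is_asset_handler(elem):
                hits.append((f"{outer}/{inner}", elem.tag, dict(elem.attrib)))
    return hits


def remove_asset_handlers(config_xml):
    """Return (fixed_xml, removed_count) with the matching entries stripped."""
    root = ET.fromstring(config_xml)
    removed = 0
    for outer, inner in SECTIONS:
        section = _find_section(root, outer, inner)
        if section is None:
            continue
        for elem in list(section):
            if _is_asset_handler(elem):
                section.remove(elem)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    # Audit first, then write the cleaned config to stdout.
    for section, tag, attrs in find_asset_handlers(SAMPLE_WEB_CONFIG):
        print(f"still registered in {section}: <{tag} {attrs}>")
    fixed_xml, count = remove_asset_handlers(SAMPLE_WEB_CONFIG)
    print(f"removed {count} entries")
    print(fixed_xml)
```

Run `find_asset_handlers` over the real web.config of each 2.X site after applying the fix: an empty result means none of the three entries survived (commented-out lines are dropped by the parser, so commenting them out reports clean too, matching the reply below). Note that ElementTree rewrites whitespace and drops XML comments when it serialises, so treat the output of `remove_asset_handlers` as a guide for hand-editing the real file rather than overwriting it blindly.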
10 years ago
Hi Andrei!

I have tried to fix my site by commenting out those lines.  Will commenting them out be enough, or will that not be enough to remove the security threat?  Thanks!
10 years ago
Commenting is also fine
10 years ago
a.m. wrote:
Commenting is also fine


Thanks!  I appreciate you letting me know.
10 years ago
hello,

I am running version 1.9 and I found a few lines that look similar:

one under <httpHandlers>

<add path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" verb="*" validate="false" />

and another under <handlers>

<add name="Telerik_Web_UI_WebResource_axd" verb="*" preCondition="integratedMode" path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" />

should I leave them intact or should I remove them as well?
10 years ago
1.9 sites are not affected because Telerik is not used in 1.90 out of the box.

I presume this is your custom code. I don't know what it does.
10 years ago
Hi
Thanks for this information. Are you in a position to give me a more detailed understanding of this security issue?
yes I have read
A critical security issue in all nopCommerce 2.x installations!

1 Who discovered the security issue?
2 How does the add-on allow hackers access to the nopCommerce back end, or user details?

Peter
10 years ago
PeterJD wrote:
1 Who discovered the security issue?
2 How does the add-on allow hackers access to the nopCommerce back end, or user details?

1. It was reported by one of nopCommerce users
2. I won't share the issue details because there are still a lot of sites powered by nopCommerce 2.X without this fix applied

All I can say now is please just apply the fix if you don't want to be hacked someday.
10 years ago
Hi
Yes I understand this, but what was the security issue?

Kind regards
Peter
10 years ago
Please read my previous post. I cannot share any issue details. I hope you understand.