HIGH PRIORITY: Security issue with Scheduled tasks in nopCommerce

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
3 years later
Hello NopCommerce Team,

We recently found out that anyone can execute scheduled tasks via a POST request without any authentication, using a URL similar to the one we provide below:
https://yourStoreUrl.com/scheduletask/runtask?taskType=Nop.Services.Caching.ClearCacheTask, Nop.Services

This is a security risk. On some websites, to get more performance, we generally enable a setting where we cache things on site start and then increase the cache-clear scheduled task timeout, but with this open URL anyone can hit it to reduce website performance.

Also, there are other scheduled tasks that can be called the same way, which is not good at all.

Are there any improvements you are going to make to this in upcoming versions, or do you suggest we make changes to our existing websites?

Best regards,
Atul
3 years later
Hi Atul,

There isn't any security issue, because we validate whether a schedule task should be run or not - https://github.com/nopSolutions/nopCommerce/blob/develop/src/Libraries/Nop.Services/Tasks/Task.cs#L129
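The validation Andrei points to lives in the linked Task.cs; the code below is an added illustration of that general pattern, not nopCommerce's own code, so the controller, the `IScheduleTaskStore` interface, the record fields and the `taskRunner` delegate are all assumptions. It shows the check a "run task" endpoint performs before doing any work: the task must exist and be enabled, must not already be running, and its configured period must have elapsed since the last start. A caller who hits the URL repeatedly therefore gets a 429 rather than a cache flush on every request.

```csharp
// Added example (hypothetical names, not the nopCommerce implementation): gate a
// publicly reachable "run scheduled task" endpoint on the task's own schedule so
// repeated unauthenticated requests cannot force it to run more than once per period.
using System;
using Microsoft.AspNetCore.Mvc;

public class ScheduleTaskRecord
{
    public string Type { get; set; }          // e.g. "Nop.Services.Caching.ClearCacheTask, Nop.Services"
    public int Seconds { get; set; }          // configured run period
    public bool Enabled { get; set; }
    public bool IsRunning { get; set; }
    public DateTime? LastStartUtc { get; set; }
}

// Assumed persistence abstraction for schedule task records.
public interface IScheduleTaskStore
{
    ScheduleTaskRecord GetByType(string taskType);
    void Save(ScheduleTaskRecord task);
}

public class ScheduleTaskController : Controller
{
    private readonly IScheduleTaskStore _store;
    private readonly Action<string> _taskRunner;  // assumed: resolves the type name and executes it
    private static readonly object _gate = new object();

    public ScheduleTaskController(IScheduleTaskStore store, Action<string> taskRunner)
    {
        _store = store;
        _taskRunner = taskRunner;
    }

    [HttpPost]
    public IActionResult RunTask(string taskType)
    {
        if (string.IsNullOrWhiteSpace(taskType))
            return BadRequest();

        var task = _store.GetByType(taskType);
        // Unknown or disabled tasks are never run on request.
        if (task == null || !task.Enabled)
            return NotFound();

        var now = DateTime.UtcNow;
        lock (_gate)
        {
            // Ensure at most one execution per configured period, regardless of who calls.
            if (task.IsRunning)
                return StatusCode(409);
            if (task.LastStartUtc.HasValue &&
                (now - task.LastStartUtc.Value).TotalSeconds < task.Seconds)
                return StatusCode(429);

            task.IsRunning = true;
            task.LastStartUtc = now;
            _store.Save(task);
        }

        try
        {
            _taskRunner(taskType);
        }
        finally
        {
            task.IsRunning = false;
            _store.Save(task);
        }
        return NoContent();
    }
}
```

Note the limit of this check: it bounds how often a task can run, but an outside request can still trigger it as soon as the period has elapsed, which is earlier than the scheduler would have. A deployment that wants the endpoint reachable only by its own scheduler can additionally restrict it at the reverse proxy or require a shared secret header; that is an operational choice beyond what this thread covers.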
3 years later
Hello Andrei,

Thank you so much. We had looked into that code earlier, but now the logic is pretty clear.

Best regards,
Atul