Critical security issue fix for all 2.X versions

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
10 years ago
Hi Andrei,

Just a few questions here regarding the fix:

1. Do we have to apply the fix to other web.configs? (Example: the web.config in the Admin area).

For now, I have only applied the fix to Nop.Web/web.config

2. How do I test the site to know if the fix has been applied properly?

3. Can this fix potentially break anything on the site? (can you point out what they may be?)

Thanks for your time!
10 years ago
jamestie wrote:
Just a few questions here regarding the fix:

1. Do we have to apply the fix to other web.configs? (Example: the web.config in the Admin area).

For now, I have only applied the fix to Nop.Web/web.config

2. How do I test the site to know if the fix has been applied properly?

3. Can this fix potentially break anything on the site? (can you point out what they may be?)

1. Please read my original post: "Open web.config file in the root of your site"

2. As I've already written, I cannot share any issue details. Otherwise, I'd be telling people how to hack other sites.

3. No
10 years ago
Hi All,

I have been working on a problem which I asked a question about here. https://www.nopcommerce.com/boards/t/23954/product-secification-attributes-inline-editing-of-options.aspx#98289

Anyway I solved it by doing some JavaScript stuff around the Telerik Grid and DropDownList controls.

One thing I had to do to get the JavaScript working with the Telerik controls was to put the line back into web.config that this thread talks about removing.

I totally agree with not discussing the vulnerability, but can I ask: if I were to add the Telerik JavaScript libraries manually, would this still be an issue, and would this work? (I have not had a chance to try that yet.)

Thanks for any thoughts.

Paul
10 years ago
If you have asset.axd in your root web.config file, your site is vulnerable
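The check a.m. describes above ("asset.axd in your root web.config means your site is vulnerable") can be automated. The script below is an added example written for this thread, not nopCommerce or Telerik code: it parses a web.config, reports every active handler registered on asset.axd, and can delete exactly that line while leaving the commented-out IIS 6 block and the rest of the file untouched. The sample web.config is constructed; the system.web/httpHandlers entry is the line quoted in this thread, while the system.webServer/handlers entry is assumed for the example so that both handler sections are exercised (check both in a real file).

```python
"""Audit an ASP.NET web.config for the Telerik asset.axd handler and remove it
the way the thread's first post describes (delete the line). Added example for
this thread; not nopCommerce project code."""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# The two places an ASP.NET web.config can register an HTTP handler:
# classic pipeline (system.web) and IIS7+ integrated pipeline (system.webServer).
HANDLER_SECTIONS = ("system.web/httpHandlers", "system.webServer/handlers")

# One self-closing <add ... path="asset.axd" ... /> line, attribute order independent.
ASSET_LINE = re.compile(r'^\s*<add\b[^>]*\bpath\s*=\s*"asset\.axd"[^>]*/>\s*$', re.IGNORECASE)

# Constructed sample resembling a nopCommerce 2.x root web.config (assumption:
# the system.webServer entry is added here only to exercise that section).
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpHandlers>
      <add verb="GET,HEAD" path="asset.axd" validate="false" type="Telerik.Web.Mvc.WebAssetHttpHandler, Telerik.Web.Mvc" />
      <!--Uncomment the following lines in order to enable static file caching and compression for IIS 6
      <remove verb="GET,HEAD,POST" path="*" />
      <add verb="GET,HEAD,POST" path="*" type="Nop.Web.Framework.StaticFileHandler" />-->
    </httpHandlers>
  </system.web>
  <system.webServer>
    <handlers>
      <add name="AssetHandler" verb="GET,HEAD" path="asset.axd" type="Telerik.Web.Mvc.WebAssetHttpHandler, Telerik.Web.Mvc" />
    </handlers>
  </system.webServer>
</configuration>
"""


def find_asset_handlers(config_xml: str, handler_path: str = "asset.axd") -> list:
    """Return (section, type) for every *active* handler registered on handler_path.

    ElementTree drops XML comments while parsing, so a commented-out entry
    (like the IIS 6 block in the sample) is correctly not reported."""
    root = ET.fromstring(config_xml)
    hits = []
    for section in HANDLER_SECTIONS:
        parent = root.find(section)
        if parent is None:
            continue
        for add in parent.findall("add"):
            if add.get("path", "").strip().lower() == handler_path.lower():
                hits.append((section, add.get("type", "")))
    return hits


def remove_asset_handlers(config_xml: str) -> str:
    """Drop the asset.axd <add .../> line(s) and nothing else.

    Works line by line instead of re-serialising the tree, so comments, the XML
    declaration and indentation survive; the result is re-parsed to prove the
    file is still well-formed XML (ParseError otherwise)."""
    kept = [ln for ln in config_xml.splitlines(keepends=True) if not ASSET_LINE.match(ln)]
    cleaned = "".join(kept)
    ET.fromstring(cleaned)
    return cleaned


def audit_file(path: str, fix: bool = False) -> list:
    """Report active asset.axd handlers in a web.config on disk; with fix=True,
    back the original up as web.config.bak and write the cleaned file."""
    p = Path(path)
    text = p.read_text(encoding="utf-8-sig")
    hits = find_asset_handlers(text)
    if hits and fix:
        p.with_suffix(p.suffix + ".bak").write_text(text, encoding="utf-8")
        p.write_text(remove_asset_handlers(text), encoding="utf-8")
    return hits


if __name__ == "__main__":
    # Usage: python audit_web_config.py [path/to/web.config] [--fix]
    if len(sys.argv) > 1:
        found = audit_file(sys.argv[1], fix="--fix" in sys.argv)
    else:
        found = find_asset_handlers(SAMPLE_WEB_CONFIG)
    for section, handler_type in found:
        print(f"VULNERABLE: {section} registers asset.axd -> {handler_type}")
    if not found:
        print("OK: no active asset.axd handler found")
```

Run it against the root web.config of each site (and any other web.config you maintain, if you want the extra assurance); a non-empty result means the line is still active. Re-running it after `--fix` is the simplest way to confirm the edit took, which answers the "how do I test" question from a configuration standpoint without touching the vulnerability itself.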
10 years ago
a.m. wrote:
If you have asset.axd in your root web.config file, your site is vulnerable


Sent you a PM. Glad I found this.

thanks
10 years ago
Hi all, the first part of my code looks like below. Has it been fixed already??????????

  <add verb="GET,HEAD" path="asset.axd" validate="false" type="Telerik.Web.Mvc.WebAssetHttpHandler, Telerik.Web.Mvc" />
    <!--Uncomment the following lines in order to enabled static file caching and compression for IIS 6
    <remove verb="GET,HEAD,POST" path="*" />
    <add verb="GET,HEAD,POST" path="*" type="Nop.Web.Framework.StaticFileHandler" />-->
10 years ago
nmmhi wrote:
<add verb="GET,HEAD" path="asset.axd" validate="false" type="Telerik.Web.Mvc.WebAssetHttpHandler, Telerik.Web.Mvc" />

No, it's not fixed. Please read the first post in this topic
10 years ago
a.m. wrote:
<add verb="GET,HEAD" path="asset.axd" validate="false" type="Telerik.Web.Mvc.WebAssetHttpHandler, Telerik.Web.Mvc" />
No, it's not fixed. Please read the first post in this topic


So it's ok to delete only what was described in the first post and leave this part alone?: <!--Uncomment the following lines in order to enabled static file caching and compression for IIS 6 <remove verb="GET,HEAD,POST" path="*" />
10 years ago
Delete only what is described in the first post. I would have written about any other code if it were required to delete it too.
10 years ago
Thanks, wasn't sure if someone else added that. I will delete only what you said and save the file.