HIGH PRIORITY: Security issue with Scheduled tasks in nopCommerce

3 months ago
Hello NopCommerce Team,

We recently figured out that anyone can execute scheduled tasks with a POST request, without any authentication, using a URL similar to the one we provided below:
https://yourStoreUrl.com/scheduletask/runtask?taskType=Nop.Services.Caching.ClearCacheTask, Nop.Services

This is a security risk. On some websites, to get more performance, we generally enable a setting where we cache things on site start and then increase the cache clear scheduled task timeout, but with this open URL, anyone can hit it to reduce website performance.

Also, there are other scheduled tasks that can be called the same way, which is not good at all.

Are there any improvements that you are going to make to this in upcoming versions, or do you suggest that we make changes in existing websites?

Best regards,
Atul
3 months ago
Hi Atul,

There's no security issue because we validate whether a schedule task should be run or not - https://github.com/nopSolutions/nopCommerce/blob/develop/src/Libraries/Nop.Services/Tasks/Task.cs#L129
3 months ago
Hello Andrei,

Thank you so much. We had looked into that code earlier, but now the logic is pretty clear.

Best regards,
Atul