Anyone can run tasks by simply posting to /scheduletask/runtask in Nop4.3

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
3 years ago
I discovered that anyone can run a task on a site running NopCommerce 4.3 if he knows the name of the task.
While some tasks may appear to be harmless, others can be very long-running. The attacker can run tasks at a very high speed and make the site very busy and unresponsive.

The problem is in ScheduleTaskController:
[HttpPost]
[IgnoreAntiforgeryToken]
public virtual IActionResult RunTask(string taskType)
{
...
}
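A detection-side illustration of the behaviour reported above, added here as an example and not part of the original post or of nopCommerce: it scans access-log lines for bursts of POSTs to /scheduletask/runtask from one client. The combined log format, the function name `find_runtask_bursts`, the thresholds and the sample lines are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: Apache/nginx "combined" access log lines.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
)
TASK_PATH = "/scheduletask/runtask"  # endpoint named in the thread


def find_runtask_bursts(lines, max_hits=3, window=timedelta(seconds=10)):
    """Return {client_ip: peak hit count} for clients exceeding max_hits per window.

    max_hits and window are illustrative defaults, not recommended values.
    """
    recent = defaultdict(deque)  # per-client timestamps inside the sliding window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"].upper() != "POST":
            continue  # the action is [HttpPost]; other verbs do not reach it
        # ASP.NET Core route matching is case-insensitive; drop query and trailing slash.
        path = m["path"].split("?", 1)[0].rstrip("/").lower()
        if path != TASK_PATH:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()
        if len(hits) > max_hits:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(hits))
    return peaks


# Constructed sample lines (documentation IP ranges), not from a real site.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2021:10:00:00 +0000] "POST /scheduletask/runtask HTTP/1.1" 200 0',
    '198.51.100.7 - - [12/Mar/2021:10:00:01 +0000] "POST /ScheduleTask/RunTask HTTP/1.1" 200 0',
    '203.0.113.9 - - [12/Mar/2021:10:00:01 +0000] "POST /scheduletask/runtask HTTP/1.1" 200 0',
    '198.51.100.7 - - [12/Mar/2021:10:00:01 +0000] "POST /scheduletask/runtask/ HTTP/1.1" 200 0',
    '198.51.100.7 - - [12/Mar/2021:10:00:02 +0000] "GET /scheduletask/runtask HTTP/1.1" 405 0',
    '198.51.100.7 - - [12/Mar/2021:10:00:02 +0000] "POST /scheduletask/runtask HTTP/1.1" 200 0',
    '198.51.100.7 - - [12/Mar/2021:10:00:03 +0000] "POST /scheduletask/runtask?x=1 HTTP/1.1" 200 0',
    '198.51.100.7 - - [12/Mar/2021:10:00:04 +0000] "POST /cart HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    print(find_runtask_bursts(SAMPLE_LOG))
```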
2 years ago
Did you find a resolution to this?
2 years ago
That's not true because we make appropriate validation. Please check here.