Anyone can run tasks by simply posting to /scheduletask/runtask in Nop4.3

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
3 years ago
I discovered that anyone can run a task on a site running NopCommerce 4.3 if he knows the name of the task.
While some tasks may appear to be harmless, others can be very long-running. The attacker can run tasks at a very high speed and make the site very busy and unresponsive.

The problem is in ScheduleTaskController:
[HttpPost]
[IgnoreAntiforgeryToken]
public virtual IActionResult RunTask(string taskType)
{
...
}
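For the problem this post describes, one way to harden such an action, added here as an illustration and not code from nopCommerce (the header name, the source of the token, and the IScheduleTaskService and ITaskRunner shapes are assumptions):

```csharp
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Mvc;

// Hypothetical hardened RunTask action; not nopCommerce's own code.
// Assumptions: the scheduler sends a shared secret in an "X-Scheduler-Token" header,
// IScheduleTaskService exposes GetTaskByType(string) returning an entity with an
// Enabled flag, and ITaskRunner.Execute(task) runs it (all placeholder interfaces).
public class ScheduleTaskController : Controller
{
    private static readonly ConcurrentDictionary<string, byte> RunningTasks = new();
    private readonly IScheduleTaskService _scheduleTaskService;
    private readonly ITaskRunner _taskRunner;
    private readonly byte[] _schedulerToken; // loaded from configuration at startup

    public ScheduleTaskController(IScheduleTaskService scheduleTaskService,
        ITaskRunner taskRunner, string schedulerToken)
    {
        _scheduleTaskService = scheduleTaskService;
        _taskRunner = taskRunner;
        _schedulerToken = Encoding.UTF8.GetBytes(schedulerToken);
    }

    [HttpPost]
    [IgnoreAntiforgeryToken] // caller is a background scheduler, not a browser form
    public virtual IActionResult RunTask(string taskType)
    {
        // 1. Authenticate the caller; FixedTimeEquals also returns false on a length mismatch.
        var presented = Encoding.UTF8.GetBytes(Request.Headers["X-Scheduler-Token"].ToString());
        if (!CryptographicOperations.FixedTimeEquals(presented, _schedulerToken))
            return Unauthorized();

        // 2. Only known, enabled tasks may run; unknown names get the same quiet answer.
        var scheduleTask = _scheduleTaskService.GetTaskByType(taskType);
        if (scheduleTask == null || !scheduleTask.Enabled)
            return NoContent();

        // 3. One execution per task at a time, so a flood of requests cannot stack up work.
        if (!RunningTasks.TryAdd(taskType, 0))
            return StatusCode(429);
        try
        {
            _taskRunner.Execute(scheduleTask);
        }
        finally
        {
            RunningTasks.TryRemove(taskType, out _);
        }
        return NoContent();
    }
}
```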
2 years ago
Did you find a resolution to this?
2 years ago
That's not true because we make appropriate validation. Please check here.