sina.islam wrote: I think it is a real threat for nopCommerce and needs to be fixed ASAP...

I absolutely don't think it's a real threat, because there's no such "Hello" method in NivoSlider.
All existing GET methods already have appropriate validation. For example, please have a look at \Nop.Plugin.ExternalAuth.Facebook\Controllers\ExternalAuthFacebookController.cs. Its "Login" methods invoke the "LoginInternal" one, and this "LoginInternal" method has the following code:

    // Resolve the plugin by its system name and refuse to run unless it is
    // installed, active and allowed for the store the request arrived at.
    var processor = _openAuthenticationService.LoadExternalAuthenticationMethodBySystemName("ExternalAuth.Facebook");
    if (processor == null ||
        !processor.IsMethodActive(_externalAuthenticationSettings) ||
        !processor.PluginDescriptor.Installed ||
        !_pluginFinder.AuthenticateStore(processor.PluginDescriptor, _storeContext.CurrentStore.Id))
        throw new NopException("Facebook module cannot be loaded");
It cannot be invoked when it's uninstalled or inactive. The same logic exists in payment plugins (e.g. the "PDTHandler" method of \Nop.Plugin.Payments.PayPalStandard\Controllers\PaymentPayPalStandardController.cs).

You can put the same logic into any GET methods of other custom plugins.
Could you please provide the names of some existing GET methods in plugins (available out of the box) that could be invoked with GET?
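The guard quoted from the Facebook and PayPal controllers, applied to a GET action of a custom plugin, as an added example (this is not nopCommerce's own code and not code from either poster). The plugin name Misc.Example, the controller and the Status action are hypothetical; IPluginFinder.GetPluginDescriptorBySystemName, IPluginFinder.AuthenticateStore, PluginDescriptor.Installed, IStoreContext and NopException are assumed to be the nopCommerce 3.x APIs of those names. Unlike payment and external-auth plugins, a generic "Misc" plugin has no per-method "active" setting, so only the installed and store checks apply here.

```csharp
using System.Web.Mvc;
using Nop.Core;
using Nop.Core.Plugins;
using Nop.Web.Framework.Controllers;

// Hypothetical custom plugin (example code, not part of nopCommerce).
namespace Nop.Plugin.Misc.Example.Controllers
{
    public class MiscExampleController : BasePluginController
    {
        // Hypothetical system name; it must match the SystemName in the
        // plugin's Description.txt.
        private const string PluginSystemName = "Misc.Example";

        private readonly IPluginFinder _pluginFinder;
        private readonly IStoreContext _storeContext;

        public MiscExampleController(IPluginFinder pluginFinder, IStoreContext storeContext)
        {
            _pluginFinder = pluginFinder;
            _storeContext = storeContext;
        }

        // Same shape of check as LoginInternal/PDTHandler: the plugin
        // assembly stays loaded after uninstall, so the action remains
        // routable and must verify its own state on every request.
        private void EnsurePluginIsLoadable()
        {
            // Default load mode returns installed plugins only, so a null
            // descriptor already means "not installed"; the explicit
            // Installed check mirrors the core controllers' code.
            var descriptor = _pluginFinder.GetPluginDescriptorBySystemName(PluginSystemName);
            if (descriptor == null ||
                !descriptor.Installed ||
                !_pluginFinder.AuthenticateStore(descriptor, _storeContext.CurrentStore.Id))
                throw new NopException("Example module cannot be loaded");
        }

        // Public GET endpoint (hypothetical). Call the guard before any work,
        // including reading settings or touching the database.
        [HttpGet]
        public ActionResult Status()
        {
            EnsurePluginIsLoadable();

            // Deliberately does not echo request input back to the caller.
            return Json(new { plugin = PluginSystemName, ok = true },
                        JsonRequestBehavior.AllowGet);
        }
    }
}
```

With the plugin uninstalled, or limited to a store other than the one the request arrived at, a GET to the Status route yields a NopException instead of a response, which is the behaviour the quoted core controllers rely on.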