Get Method of Uninstalled plugin

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
8 years ago
Recently I saw this. If I call an HTTP GET method of an uninstalled plugin controller, it works. I have checked this issue in Visual Studio. Does this also happen on a live server? I didn't get a chance to check on a live server.
8 years ago
Hi Anik,

Thanks a lot. I've just created a work item.
8 years ago
Hi Anik,

When creating a work item I specified "Configuration" methods in the admin area only. Do you mean some other GET methods? Which plugin exactly do you mean?
8 years ago
Look in the widgetnivoslider plugin.

There is a GET method:

public ActionResult Hello()
{
    return Content("Hello");
}

Now my nivoslider plugin is uninstalled.

If I hit http://localhost:*****/WidgetsNivoSlider/Hello in the browser, it should not show the content or hit this action result.
But it does. I hope you understand.
8 years ago
I think it is a real threat for nopCommerce and needs to be fixed ASAP. Anyone can see sensitive information on the admin side by using this, I think.
8 years ago
sina.islam wrote:
I think it is a real threat for nopCommerce and needs to be fixed ASAP...

I absolutely don't think it's a real threat because there's no such "Hello" method in NivoSlider.

All existing GET methods already have appropriate validation. For example, please have a look at \Nop.Plugin.ExternalAuth.Facebook\Controllers\ExternalAuthFacebookController.cs. Its "Login" methods invoke the "LoginInternal" one. And this "LoginInternal" method has the following code:

var processor = _openAuthenticationService.LoadExternalAuthenticationMethodBySystemName("ExternalAuth.Facebook");
if (processor == null ||
    !processor.IsMethodActive(_externalAuthenticationSettings) ||
    !processor.PluginDescriptor.Installed ||
    !_pluginFinder.AuthenticateStore(processor.PluginDescriptor, _storeContext.CurrentStore.Id))
    throw new NopException("Facebook module cannot be loaded");

It cannot be invoked when it's uninstalled or inactive. The same logic exists in payment plugins (e.g. the "PDTHandler" method of \Nop.Plugin.Payments.PayPalStandard\Controllers\PaymentPayPalStandardController.cs).

You can put the same logic in any GET methods of other custom plugins.

Could you please provide names of some existing GET methods in plugins (available out of the box) that could be invoked with GET?
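One way to apply the "installed and authorized for this store" check from the reply above to every action of a plugin controller at once, instead of repeating it inside each GET method, is an MVC action filter. This is an added example written for this thread, not code from nopCommerce or from any plugin; it assumes the nopCommerce 3.x types IPluginFinder (with GetPluginDescriptorBySystemName and the AuthenticateStore call shown above), LoadPluginsMode, IStoreContext and EngineContext, whose exact signatures may differ between versions.

```csharp
using System;
using System.Web.Mvc;
using Nop.Core;
using Nop.Core.Infrastructure;
using Nop.Core.Plugins;

namespace Nop.Plugin.Misc.Example.Filters   // hypothetical plugin namespace
{
    /// <summary>
    /// Blocks every request to a plugin controller action unless the plugin
    /// is installed and authorized for the current store.
    /// Usage: [PluginInstalled("Widgets.NivoSlider")] on the controller class
    /// (or on a single action). The system name is the plugin's SystemName
    /// from its Description.txt.
    /// </summary>
    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
    public class PluginInstalledAttribute : ActionFilterAttribute
    {
        private readonly string _systemName;

        public PluginInstalledAttribute(string systemName)
        {
            _systemName = systemName;
        }

        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            // Resolved from the engine container at request time (assumed API).
            var pluginFinder = EngineContext.Current.Resolve<IPluginFinder>();
            var storeContext = EngineContext.Current.Resolve<IStoreContext>();

            // LoadPluginsMode.All so that an uninstalled plugin is still found
            // and then rejected by the Installed check, rather than silently
            // returning null for a different reason.
            var descriptor = pluginFinder.GetPluginDescriptorBySystemName(
                _systemName, LoadPluginsMode.All);

            if (descriptor == null
                || !descriptor.Installed
                || !pluginFinder.AuthenticateStore(descriptor, storeContext.CurrentStore.Id))
            {
                // Answer 404, so an uninstalled plugin looks exactly like a
                // nonexistent route and leaks nothing about its presence.
                filterContext.Result = new HttpNotFoundResult();
                return;
            }

            base.OnActionExecuting(filterContext);
        }
    }
}
```

Because the filter runs before the action, it also covers actions that a plugin author forgot to guard, which is the gap the original poster describes for closed-source third-party plugins.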
8 years ago
a.m. wrote:
I think it is a real threat for nopCommerce and needs to be fixed ASAP...
I absolutely don't think it's a real threat because there's no such "Hello" method in NivoSlider.

All existing GET methods already have appropriate validation. For example, please have a look at \Nop.Plugin.ExternalAuth.Facebook\Controllers\ExternalAuthFacebookController.cs. Its "Login" methods invoke the "LoginInternal" one. And this "LoginInternal" method has the following code:

var processor = _openAuthenticationService.LoadExternalAuthenticationMethodBySystemName("ExternalAuth.Facebook");
if (processor == null ||
    !processor.IsMethodActive(_externalAuthenticationSettings) ||
    !processor.PluginDescriptor.Installed ||
    !_pluginFinder.AuthenticateStore(processor.PluginDescriptor, _storeContext.CurrentStore.Id))
    throw new NopException("Facebook module cannot be loaded");

It cannot be invoked when it's uninstalled or inactive. The same logic exists in payment plugins (e.g. the "PDTHandler" method of \Nop.Plugin.Payments.PayPalStandard\Controllers\PaymentPayPalStandardController.cs).

You can put the same logic in any GET methods of other custom plugins.

Could you please provide names of some existing GET methods in plugins (available out of the box) that could be invoked with GET?

It was just an example method he showed. There are lots of third-party plugins for nopCommerce and many of them have no source. An owner can download one and store it on their site but not install it. If a plugin owner wants to get sensitive information from a site, he can easily take it. I am not talking about any plugin made by the nopCommerce team. Your plugins are open source and safe. I am talking about third-party ones which have no source.
8 years ago
Hi Sina,

In this case it should be fixed by the developers of these plugins. Not sure that there is a possible and good way to fix it in the core now.
8 years ago
a.m. wrote:
Hi Sina,

In this case it should be fixed by the developers of these plugins. Not sure that there is a possible and good way to fix it in the core now.

Thanks Andrei for clarifying this issue. The reliability of a third-party plugin depends on the developer and the client who uses it.

Thanks again.