Reaction Commerce v1.15.2 Release Notes

Release Date: 2018-11-26

Security Release

We discovered a vulnerability that affects shops built on Reaction Commerce that use the Reaction Social plugin with Facebook and the Facebook App Secret configured.

Overview

This vulnerability has been present in every release that included the Reaction Social plugin. The App Secret is not used by Reaction Social, and it is unclear why the form for it was originally added to the application; it was introduced by a community contribution when the Reaction Social plugin was first created. The App Secret should be removed from the Reaction Social panel. This does not affect Facebook OAuth login, which is configured separately in the login services dashboard. If the same secret was used there, it should be reset and a new token used for OAuth login via Facebook.

Vulnerability

OAuth Service Configuration Publication Vulnerability

Severity: High
Description: OAuth social plugin secrets could be shared with unauthenticated users via a publication.
Affected Installations: Any shop with a configured Facebook appSecret in the Reaction Social dashboard.
Affected Versions: All versions greater than or equal to v0.5.3
Remediation: Apply the patch or upgrade to a patched version of Reaction Commerce.

Patches

Patches are attached to this release.

Patches will download as a .zip file named reaction-security-patches-2018-11-19-security-social-plugin.zip, which contains the following patch files once uncompressed. Each file name carries the versions it applies to.

Two patch files for removing the UI, chosen by your software version:
  • fb-app-secret-ui-v0.14.0-v1.13.2-2018-11-19.patch
  • fb-app-secret-ui-v1.14.0-v2.0.0-rc.6-2018-11-19.patch

Version-specific migration patch files for removing the appSecret from the database:
  • fb-app-secret-migration-v2.0.0-rc.6-2018-11-19.patch
  • fb-app-secret-migration-v1.17.0-2018-11-19.patch
  • fb-app-secret-migration-v1.16.0-2018-11-19.patch
  • fb-app-secret-migration-v1.15.0-2018-11-19.patch
  • fb-app-secret-migration-v1.14.0-2018-11-19.patch
  • fb-app-secret-migration-v1.13.0-2018-11-19.patch
  • fb-app-secret-migration-v1.12.0-2018-11-19.patch
  • fb-app-secret-migration-v1.11.0-2018-11-19.patch
  • fb-app-secret-migration-v1.10.0-2018-11-19.patch

Recommendations

Option 1: Install a patched version of Reaction Commerce

If you're using a version of Reaction Commerce >= v1.10.0, install the latest patch version and run the migration it includes.

Option 2: Patch it yourself

Remove the Facebook App Secret from the social plugin settings

Check the social settings operator panel. It can be accessed by clicking the "share-alt" icon towards the bottom of the operator sidebar on the right of the screen.

Inside the social settings panel you will see the settings page for Facebook. If you have an "App Secret" configured in this section, remove it.

If you prefer to do this with a migration, use the fb-app-secret-migration-v1.{your-version}.x-2018-11-19.patch migration patch appropriate for your version of Reaction. If you're using an older version of Reaction and want to use a migration to unset the app secret, contact [email protected] if you need assistance patching your version.
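As an added illustration (not Reaction Commerce's own code or one of the patch files above), the following Node.js script shows the defender's check that sits behind the migration: walk the part of a plugin settings document that a publication exposes to every client, report any credential-looking field under it, produce the MongoDB `$unset` update a migration would apply, and show the projection a publication should have used. The document shape (`settings.public.apps.facebook.appSecret`), the field names and all values are constructed assumptions for the example, not the real Reaction schema.

```javascript
// Added example, not Reaction Commerce code: audit a plugin settings document
// for secret-looking fields under the subtree a publication sends to every
// client, and build the $unset update a migration would run to remove them.

// Constructed sample document. The layout settings.public.apps.facebook is an
// assumption for illustration, not the real Reaction schema.
const SAMPLE_PACKAGE_DOC = {
  _id: "pkg-constructed-1",
  name: "reaction-social",
  shopId: "shop-constructed-1",
  settings: {
    public: {
      apps: {
        facebook: {
          enabled: true,
          appId: "000000000000000",              // constructed; an app id is public by design
          appSecret: "CONSTRUCTED_SECRET_VALUE", // must never live under a published path
          profilePage: "https://www.facebook.com/example",
        },
        twitter: { enabled: false, username: "example" },
      },
    },
  },
};

// Key names that indicate a credential. Anything matching this under a
// published path is a finding.
const SECRET_KEY_PATTERN = /secret|token|password|privatekey/i;

// Return a nested value by dotted path, or undefined if any segment is missing.
function getPath(obj, dotted) {
  return dotted.split(".").reduce((cur, key) => (cur == null ? undefined : cur[key]), obj);
}

// Walk each published subtree and collect dotted paths of leaf keys whose
// name matches SECRET_KEY_PATTERN.
function findPublishedSecrets(doc, publishedPaths) {
  const findings = [];
  const walk = (node, prefix) => {
    if (node === null || typeof node !== "object") return;
    for (const [key, value] of Object.entries(node)) {
      const path = `${prefix}.${key}`;
      if (value !== null && typeof value === "object") {
        walk(value, path);
      } else if (SECRET_KEY_PATTERN.test(key)) {
        findings.push(path);
      }
    }
  };
  for (const root of publishedPaths) {
    walk(getPath(doc, root), root);
  }
  return findings;
}

// Build the MongoDB update a migration would apply: one $unset per finding.
// Returns null when there is nothing to remove.
function buildUnsetUpdate(paths) {
  if (paths.length === 0) return null;
  const unset = {};
  for (const p of paths) unset[p] = "";
  return { $unset: unset };
}

// Defensive projection for a publication: deep-copy the document with the
// offending paths removed, so a stale record cannot leak even if the
// migration has not yet run.
function stripPaths(doc, paths) {
  const copy = JSON.parse(JSON.stringify(doc));
  for (const p of paths) {
    const segments = p.split(".");
    const leaf = segments.pop();
    const parent = getPath(copy, segments.join("."));
    if (parent && typeof parent === "object") delete parent[leaf];
  }
  return copy;
}

// Stand-alone run for the reader; the functions above return everything worth checking.
const findings = findPublishedSecrets(SAMPLE_PACKAGE_DOC, ["settings.public"]);
console.log("secret-looking fields in published subtree:", findings);
console.log("migration update:", JSON.stringify(buildUnsetUpdate(findings)));
```

To use the check against a real deployment, export the plugin settings documents from your database and pass each one to `findPublishedSecrets` with the subtree your publication actually projects; a non-empty result means the field has already been visible to unauthenticated clients and the secret should be treated as exposed, which is why the Invalidate Existing Secrets step below still applies after the unset.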

Patch Reaction Commerce

Apply the patches to your version of Reaction Commerce. There are different patches for different versions. These patches remove the UI that allowed shop operators to add the Facebook App Secret to the social plugin panel.

v1.14.0 - latest
  • fb-app-secret-ui-v1.14.0-v2.0.0-rc.6-2018-11-19.patch

v0.14.0 - v1.13.2
  • fb-app-secret-ui-v0.14.0-v1.13.2-2018-11-19.patch

If you're running a production shop on a version older than v0.14.0, contact [email protected] for assistance in determining whether patching the operator panel is necessary for your version.

Invalidate Existing Secrets

If you found a Facebook App Secret listed in your operator panel, invalidate it immediately from the Facebook App settings page.

Generate New Secrets

If you used this App Secret in any other applications or for Facebook OAuth login, generate and use new secrets to continue providing services to your customers. Do not add these secrets back into the social panel of Reaction Commerce.