A critical security issue in all nopCommerce 2.x installations!

You might already be aware that nopCommerce recently announced a critical security issue affecting all nopCommerce 2.x installations.

We would like to stress the importance of this issue. All nopCommerce 2.x installations run the risk of having their customer and order information exposed.

We will not disclose the details of the issue, as doing so would increase the risk of live nopCommerce 2.x shops being hacked. It is related to a third-party library used by nopCommerce and produced by a big software vendor, which has already been notified of the issue. However, everyone running nopCommerce 2.x should apply the following fix to their website.

1. Open the Web.config file located in the root of your nopCommerce website.

2. Remove the following three lines of code:

<add verb="GET,HEAD" path="asset.axd" validate="false" type="Telerik.Web.Mvc.WebAssetHttpHandler, Telerik.Web.Mvc" />

<remove name="asset" />

<add name="asset" preCondition="integratedMode" verb="GET,HEAD" path="asset.axd" type="Telerik.Web.Mvc.WebAssetHttpHandler, Telerik.Web.Mvc" />

3. Once this is done, change your database password as well as any payment provider credentials you might be using.
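
To confirm that step 2 has been applied, a Web.config can be checked for any remaining asset.axd registrations. The following Python script is an added example, not part of the original advisory or of nopCommerce; the function names are hypothetical, and the sample configuration is constructed, with the section layout assumed to be the usual ASP.NET one.

```python
import xml.etree.ElementTree as ET

# Constructed sample Web.config fragment. The section layout is an assumption
# (usual ASP.NET layout); only the three asset handler lines come from the post.
SAMPLE = """<configuration>
  <system.web>
    <httpHandlers>
      <add verb="GET,HEAD" path="asset.axd" validate="false" type="Telerik.Web.Mvc.WebAssetHttpHandler, Telerik.Web.Mvc" />
      <add verb="*" path="other.axd" type="Example.Handler" />
    </httpHandlers>
  </system.web>
  <system.webServer>
    <handlers>
      <remove name="asset" />
      <add name="asset" preCondition="integratedMode" verb="GET,HEAD" path="asset.axd" type="Telerik.Web.Mvc.WebAssetHttpHandler, Telerik.Web.Mvc" />
    </handlers>
  </system.webServer>
</configuration>"""


def is_asset_entry(elem):
    """True for the three kinds of entry the post says to remove."""
    a = {k.lower(): v.strip().lower() for k, v in elem.attrib.items()}
    if elem.tag == "add":
        return a.get("path") == "asset.axd" or "webassethttphandler" in a.get("type", "")
    if elem.tag == "remove":
        return a.get("name") == "asset"
    return False


def find_asset_entries(root):
    """Return (parent, element) pairs for every matching entry in the tree."""
    return [(p, c) for p in root.iter() for c in list(p) if is_asset_entry(c)]


def strip_asset_entries(xml_text):
    """Remove matching entries; return (cleaned_xml, number_removed)."""
    root = ET.fromstring(xml_text)
    hits = find_asset_entries(root)
    for parent, child in hits:
        parent.remove(child)
    return ET.tostring(root, encoding="unicode"), len(hits)


if __name__ == "__main__":
    cleaned, removed = strip_asset_entries(SAMPLE)
    print(f"removed {removed} entries")
    print(cleaned)
```

A count of 0 on your live Web.config means the fix is already in place. ElementTree drops XML comments when parsing, so treat the cleaned output as something to review or diff against the original rather than as a drop-in replacement file.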

Again, we would like to stress that this is a very important issue that makes hacking your nopCommerce 2.x website extremely easy.

Please do take notice and apply the fix, which should not take you more than a few minutes.

If you have any issues with this, do let us or the nopCommerce team know!