Vulnerability in EPiServer.Forms
Commerce manager checks throw System.UnauthorizedAccessException exception.
Exception is handled in Global.asax (redirect to Unauthorized.html page)
    void Application_Error(object sender, EventArgs e) {
        Exception ex = Server.GetLastError().GetBaseException();
        if (ex != null) {
            if (typeof(UnauthorizedAccessException) == ex.GetType()) {
                // Redirect to the Unauthorized.html page (statement not shown in the post)
            } else if (typeof(HttpException) == ex.GetType()) {
                int errorCode = ((HttpException)ex).ErrorCode;
                if (errorCode == 500) { // consider 500 a fatal exception
                    // Log the exception
                    LogManager.GetLogger(GetType()).Fatal("Backend encountered unhandled error.", ex);
                }
            } else {
                // Code that runs when an unhandled error occurs
                // Log the exception
                LogManager.GetLogger(GetType()).Error("Backend encountered unhandled error.", ex);
            }
        }
    }
The exception that is thrown when the operating system denies access because of an I/O error or a specific type of security error.
<Indexers basePath="[no accessible path]">
[not accessible path] = path that the current user (IIS application domain identity) can't access/read/write
- Go to Commerce Manager->Administration->System Settings->Search index
- Note the message:
That is definitely wrong!
The Commerce Manager framework should use its own custom security exception type and catch it to make the redirect.
Using system exceptions leads to total hiding of the problem's root and really does confuse users/developers!
Sorry for the emotion, but I've just spent almost all day investigating the problem.
"Commerce manager checks" stands for "Commerce manager security checks".
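The separation suggested in the post above, as an added example (not code from Commerce Manager or from the poster): the application's own authorization failures get a dedicated type, so an OS-level `UnauthorizedAccessException` from an unreadable index path is logged with its real cause instead of being turned into the "no rights" redirect. `CommerceSecurityException`, `ErrorRouter`, the permission name and the sample path are hypothetical names and constructed values.

```csharp
using System;

// Hypothetical type: thrown only by the application's own permission checks.
public sealed class CommerceSecurityException : Exception
{
    public string Permission { get; }

    public CommerceSecurityException(string permission)
        : base("Access denied: missing permission '" + permission + "'.")
    {
        Permission = permission;
    }
}

public static class ErrorRouter
{
    // Returns the action a global error handler (such as Application_Error) would take.
    public static string Route(Exception error)
    {
        Exception root = error.GetBaseException();

        // Only a failed application permission check leads to the "no rights" page.
        if (root is CommerceSecurityException)
            return "redirect:Unauthorized.html";

        // The OS refused file or registry access: a configuration or ACL problem.
        // Keep the original message so the operator sees which path was denied.
        if (root is UnauthorizedAccessException)
            return "log-error:OS denied access: " + root.Message;

        return "log-error:" + root.Message;
    }

    public static void Main()
    {
        // Constructed samples: one real authorization failure, one ACL failure
        // wrapped the way an index build might wrap it.
        var denied = new CommerceSecurityException("search:manage");
        var acl = new InvalidOperationException(
            "Index build failed",
            new UnauthorizedAccessException("Access to the path 'D:\\SearchIndex' is denied."));

        Console.WriteLine(Route(denied)); // redirect:Unauthorized.html
        Console.WriteLine(Route(acl));    // log-error:OS denied access: Access to the path ...
    }
}
```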
Thank you for your input. That makes sense. If the search configuration is not correct, then we should show a more meaningful error message. I'll file a bug for this.
I'm creating a new module using a Business Foundation object. It is working for me for storing data, and I can see the list view, but when I try to check the details view it's throwing me a permission message:
"Your account does not have rights to access this feature of the commerce manager. Please contact your system administrator for more information."
But this is working fine on my local system. I'm getting the message on the production server.
If anyone has any idea please let me know.