Vulnerability in EPiServer.Forms
We have finally succeeded in upgrading to version Episerver 7.7 and Commerce 7.7. There was some struggle, but it is working now.
We upgraded from 7.0, both Episerver and Commerce. Now, every time I change the "DisplayName" field to NOT support multiple languages, it changes back in like 20 minutes (cache?).
It runs a stored procedure "exec mdpsp_sys_MetaFieldAllowMultiLanguage @MetaFieldId=171,@MultiLanguageValue=1" when I reload the page after 20 min, which makes the field support multiple languages AGAIN.
Why is this happening?
Do you have the stacktrace of the stored procedure call? Do you map the metafield with a strongly typed property?
I'll note your forum thread to the support ticket you created last week.
Quan: What do you mean by stacktrace? I don't get any error, Commerce just runs the procedure. I don't map the metafield with a strong type.
How do you know "Commerce just run the procedure"? :) - by stacktrace I mean you might have run a profiler to find out what's running under the hood.
Yes Quan, I ran the SQL profiler, and I saw the procedure. I didn't know what happened...
The only place which can possibly call that stored procedure in our code is in the MultiLanguageValue property of MetaField itself. Did you make sure that there's nothing in your code that calls that property?
Yes, of course, I didn't know about that stored procedure.
The first time I saw it was when I traced it with SQL Profiler.
Is it possible to run it from a config file?
I'm going to be tricky here: When you see the stored procedure is being called, can you stop SQL Server itself? With the log turned on for both Frontend and backend sites hopefully we will get the stacktrace of the calling method.
I understand what you mean...
The thing is, before that SP runs (mdpsp_sys_MetaFieldAllowMultiLanguage), another SP runs to authenticate the logged-in user, and I will not see the stacktrace for that SP; it will throw the other SP's error.
Or what do you think?
Yeah. We can simply drop that stored procedure, then we will get the exception with the stacktrace of the calling method!
Can you do it, then post the stacktrace here (or send it to me)?