Vulnerability in EPiServer.Forms
Subscription functions on our website use the call:
On our production site, use of the functions began failing last week, with the following stack trace being logged:
[Exception: The method or operation is not implemented.]
EPiServer.Security.WindowsMembershipProvider.GetUserNameByEmail(String email) +46
EPiServer.Security.MultiplexingMembershipProvider.GetUserNameByEmail(String email) +93
System.Web.Security.Membership.GetUserNameByEmail(String emailToMatch) +48
The same code base still functions perfectly on our DEVEL and TEST environments.
Our attempts to fix this have failed, including IIS restarts, clearing the ASP.NET temporary folder, and ensuring that our code base is identical on the DEVEL, TEST and LIVE servers. The logged error seems misleading - surely EPiServer.Security.WindowsMembershipProvider.GetUserNameByEmail is implemented - and it WAS working fine until last week.
Please help with ideas to overcome this problem.
Sorted. Reflecting the EPiServer DLL does in fact show that GetUserNameByEmail for WindowsMembershipProvider is not implemented - and purposefully throws the MethodNotImplemented exception.
The trace above results from the fact that the membership provider was set to multiplexing. That makes sense. After not finding a SqlServer account with that email, it falls through to the Windows membership provider.
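The fall-through described in this thread can be handled at the call site. The following is an added example, not code from the posts or from EPiServer: it asks each configured membership provider for the e-mail address in turn and skips any provider that does not implement the lookup, so an unknown address yields null instead of an exception. The names MembershipLookup and FindUserNameByEmail are hypothetical.

```csharp
using System;
using System.Web.Security;

// Hypothetical helper (not part of EPiServer or of the original posts).
public static class MembershipLookup
{
    // Returns the user name registered for the e-mail address, or null when
    // no configured provider that supports the lookup knows the address.
    public static string FindUserNameByEmail(string email)
    {
        if (string.IsNullOrWhiteSpace(email))
            return null;

        // Membership.Providers holds every provider declared in web.config,
        // including the multiplexing provider and the providers it chains to.
        foreach (MembershipProvider provider in Membership.Providers)
        {
            try
            {
                string userName = provider.GetUserNameByEmail(email);
                if (!string.IsNullOrEmpty(userName))
                    return userName;
            }
            catch (NotImplementedException)
            {
                // A provider that does not implement e-mail lookup, as the
                // Windows provider in the stack trace above: try the next one.
            }
            catch (NotSupportedException)
            {
                // Some providers signal an unsupported operation this way.
            }
        }

        // No provider recognised the address: report "not found" to the
        // caller rather than surfacing a provider exception to the user.
        return null;
    }
}
```

Because an address missing from the first provider is what triggers the fall-through, this also explains how the same code base can work on one environment and fail on another: the outcome depends on the account data, not on the deployed binaries.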