wubinworks/module-template-filter-patch

Magento 2 patch for CVE-2022-24086, CVE-2022-24087. Fix the RCE vulnerability and related bugs by performing deep template variable escaping. If you cannot upgrade Magento or cannot apply the official patches, try this one.

Maintainers

Details

github.com/wubinworks/magento2-template-filter-patch

Homepage

Source

Issues

Chat

Installs: 2

Dependents: 0

Suggesters: 0

Security: 0

Stars: 0

Watchers: 1

Forks: 0

Open Issues: 0

Type:magento2-module

1.0.1 2024-12-22 06:46 UTC

Requires

  • php: >=7.3
  • magento/magento2-base: ~2.4.0

OSL-3.0 b8332c9651e706afee48ba5eb372b58b547e98ba

sanitizeescaperpatchmagento 2email templatecve-2022-24086rcetemplate directivetemplate filterimproper input validationdeep escapelegacyresolvercve-2022-24087

This package is not auto-updated.

Last update: 2024-12-22 07:00:32 UTC

README

Magento 2 patch for CVE-2022-24086, CVE-2022-24087. Fix the RCE vulnerability and related bugs by performing deep template variable escaping. If you cannot upgrade Magento or cannot apply the official patches, try this one.

Wubinworks CVE-2022-24086 CVE-2022-24087 Patch

Background

CVE-2022-24086, CVE-2022-24087 was discovered in the beginning of 2022. For Magento 2.4 releases, all versions <= 2.4.3-p1 are affected by this Remote Code Execution(RCE) vulnerability. 2 official isolated patches were released on February 2022.

However, even in late 2024, we are still receiving consultations regarding this issue and their hacked stores were identified that this vulnerability was exploited. Most observed attacks were performed by inputting a string that contains template directive.

The most typical ways are making use of the checkout process, triggering an email sending with the email containing user controlled fields, etc.

We release this patch due to this widespread attack and some stores still having difficulties to upgrade or apply the 2 official patches.

While making this patch as an extension, we keep compatibility in mind. So it should work on all Magento 2.4 versions.

Features

Template Compatibility

Although the official documentation says "methods can no longer be called from variables from either the var directive or when used as parameters", but as we confirmed, even in the latest version(2.4.7-p3), calling "Getter" method on Data Object and calling getUrl method on Email Template Object(\Magento\Email\Model\AbstractTemplate) are still allowed.

This patch(extension) also keeps the above features. So {{var data_object.something}} and {{var data_object.getSomething()}} are both OK and equivalent.

getUrl example:

{{var this.getUrl($store,'route_id/controller/action',[_query:[param1:$obj.param1,param2:$obj.param2],_nosid:1])}}

In summary, after installing this extension:

  • Objects which are not \Magento\Framework\DataObject or its child instance cannot be accessed
  • Only "Getter" methods are allowed on \Magento\Framework\DataObject and its child instances
  • getUrl method is only working on this

Technical Info

Official Approach

>=2.4.3-p2

Removed LegacyResolver to stop the RCE.

>=2.4.4-p2 || >=2.4.5-p1

Introduced "deferred directive with signature" for child template. We are unsure if it has any security enhancement.

Latest(2.4.7-p3)

Still has an unfixed bug(#39353).

Our Approach

Use "deep template variable escaping" before the template filtering process. LegacyResolver will only receive escaped user data and hence can be kept.

Requirements

Magento 2.4

Installation

composer require wubinworks/module-template-filter-patch

If you like this extension or this extension helped you, please ★star☆ this repository.

You may also like:
Magento 2 patch for CVE-2024-34102(aka CosmicSting)