Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Magento 1 Raveinfosys/DeleteOrders Security flaw #45

Merged
merged 3 commits into from Jul 15, 2019

Conversation

@mpchadwick

This comment has been minimized.

Copy link
Collaborator

commented Jul 15, 2019

This doesn't look to be fixed in 1.1.2

// Raveinfosys_Deleteorder_Model_Deleteorder:: _remove
public function _remove($orderId) 
{
    $resource = Mage::getSingleton('core/resource');
    $delete = $resource->getConnection('core_read');
    $orderTable = $resource->getTableName('sales_flat_order_grid');
    $invoiceTable = $resource->getTableName('sales_flat_invoice_grid');
    $shipmentTable = $resource->getTableName('sales_flat_shipment_grid');
    $creditmemoTable = $resource->getTableName('sales_flat_creditmemo_grid');
    $sql = "DELETE FROM  " . $orderTable . " WHERE entity_id = " . $orderId . ";";
    $delete->query($sql);
    $sql = "DELETE FROM  " . $invoiceTable . " WHERE order_id = " . $orderId . ";";
    $delete->query($sql);
    $sql = "DELETE FROM  " . $shipmentTable . " WHERE order_id = " . $orderId . ";";
    $delete->query($sql);
    $sql = "DELETE FROM  " . $creditmemoTable . " WHERE order_id = " . $orderId . ";";
    $delete->query($sql);        
    return true;
}
@Niko9911

This comment has been minimized.

Copy link
Contributor Author

commented Jul 15, 2019

Lol. Well, I will mark it then 1.1.3 until we get version where the fix has been made

@rhoerr

This comment has been minimized.

Copy link
Collaborator

commented Jul 15, 2019

Don't tag a version until a version actually exists. If/when they release a fixed 1.1.3 then that's fine, but until then we can't assume anything. Just leave the version blank in the meantime, if you could.

Since it's listed on Marketplace, I've notified them of the vuln.

@Niko9911

This comment has been minimized.

Copy link
Contributor Author

commented Jul 15, 2019

Done, there is now ,, in place of tag.

@rhoerr

This comment has been minimized.

Copy link
Collaborator

commented Jul 15, 2019

Looks good to me. Thank you for the contribution.

@rhoerr

This comment has been minimized.

Copy link
Collaborator

commented Jul 15, 2019

Oh, hold on, you're missing a column for request URI for the attack (for log analysis). That should go after the version. You can leave it blank if unknown, but you should have it from the data available.

@Niko9911

This comment has been minimized.

Copy link
Contributor Author

commented Jul 15, 2019

Ty for noticing. Information has been added.

@gwillem gwillem merged commit f2ffdb8 into gwillem:master Jul 15, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
4 participants
You can’t perform that action at this time.