Magento 1 Raveinfosys/DeleteOrders Security flaw

[NikoGrano]

Explained in https://xn--gran-8qa.fi/magento-1-raveinfosys-deleteorders-security-flaw/

[mpchadwick]

This doesn't look to be fixed in 1.1.2

// Raveinfosys_Deleteorder_Model_Deleteorder:: _remove
public function _remove($orderId) 
{
    $resource = Mage::getSingleton('core/resource');
    $delete = $resource->getConnection('core_read');
    $orderTable = $resource->getTableName('sales_flat_order_grid');
    $invoiceTable = $resource->getTableName('sales_flat_invoice_grid');
    $shipmentTable = $resource->getTableName('sales_flat_shipment_grid');
    $creditmemoTable = $resource->getTableName('sales_flat_creditmemo_grid');
    $sql = "DELETE FROM  " . $orderTable . " WHERE entity_id = " . $orderId . ";";
    $delete->query($sql);
    $sql = "DELETE FROM  " . $invoiceTable . " WHERE order_id = " . $orderId . ";";
    $delete->query($sql);
    $sql = "DELETE FROM  " . $shipmentTable . " WHERE order_id = " . $orderId . ";";
    $delete->query($sql);
    $sql = "DELETE FROM  " . $creditmemoTable . " WHERE order_id = " . $orderId . ";";
    $delete->query($sql);        
    return true;
}

[NikoGrano]

Lol. Well, I will mark it then 1.1.3 until we get version where the fix has been made

[rhoerr]

Don't tag a version until a version actually exists. If/when they release a fixed 1.1.3 then that's fine, but until then we can't assume anything. Just leave the version blank in the meantime, if you could.

Since it's listed on Marketplace, I've notified them of the vuln.

[NikoGrano]

Done, there is now ,, in place of tag.

[rhoerr]

Looks good to me. Thank you for the contribution.

[rhoerr]

Oh, hold on, you're missing a column for request URI for the attack (for log analysis). That should go after the version. You can leave it blank if unknown, but you should have it from the data available.

[NikoGrano]

Ty for noticing. Information has been added.