Magento 1 Raveinfosys/DeleteOrders Security flaw #45

Merged
merged 3 commits into from Jul 15, 2019

Contributor

@NikoGrano NikoGrano commented Jul 15, 2019

Explained in https://xn--gran-8qa.fi/magento-1-raveinfosys-deleteorders-security-flaw/

Collaborator

@mpchadwick mpchadwick commented Jul 15, 2019

This doesn't look to be fixed in 1.1.2

// Raveinfosys_Deleteorder_Model_Deleteorder:: _remove
public function _remove($orderId) 
{
    $resource = Mage::getSingleton('core/resource');
    $delete = $resource->getConnection('core_read');
    $orderTable = $resource->getTableName('sales_flat_order_grid');
    $invoiceTable = $resource->getTableName('sales_flat_invoice_grid');
    $shipmentTable = $resource->getTableName('sales_flat_shipment_grid');
    $creditmemoTable = $resource->getTableName('sales_flat_creditmemo_grid');
    $sql = "DELETE FROM  " . $orderTable . " WHERE entity_id = " . $orderId . ";";
    $delete->query($sql);
    $sql = "DELETE FROM  " . $invoiceTable . " WHERE order_id = " . $orderId . ";";
    $delete->query($sql);
    $sql = "DELETE FROM  " . $shipmentTable . " WHERE order_id = " . $orderId . ";";
    $delete->query($sql);
    $sql = "DELETE FROM  " . $creditmemoTable . " WHERE order_id = " . $orderId . ";";
    $delete->query($sql);        
    return true;
}
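
Added example, not part of the original thread or the extension's code: a hardened counterpart to the `_remove()` method quoted above, written against plain PDO with in-memory SQLite so it runs without Magento. The function name `removeOrderGridRows` and the sample rows are constructed for illustration.

```php
<?php
// Added example (not the extension's code): validated, parameterized deletes.
// Plain PDO + in-memory SQLite; function name and rows are constructed.

function removeOrderGridRows(PDO $db, $orderId): bool
{
    // Accept only a positive integer; anything else never reaches SQL.
    $id = filter_var($orderId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('order id must be a positive integer');
    }
    // Table and column names are fixed literals, never taken from input.
    $targets = [
        'sales_flat_order_grid'      => 'entity_id',
        'sales_flat_invoice_grid'    => 'order_id',
        'sales_flat_shipment_grid'   => 'order_id',
        'sales_flat_creditmemo_grid' => 'order_id',
    ];
    $db->beginTransaction();
    try {
        foreach ($targets as $table => $column) {
            // The id travels as a bound parameter, not as SQL text.
            $stmt = $db->prepare("DELETE FROM {$table} WHERE {$column} = :id");
            $stmt->bindValue(':id', $id, PDO::PARAM_INT);
            $stmt->execute();
        }
        $db->commit();
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
    return true;
}

// Constructed demo data: two orders in the order grid.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sales_flat_order_grid (entity_id INTEGER)');
foreach (['invoice', 'shipment', 'creditmemo'] as $t) {
    $db->exec("CREATE TABLE sales_flat_{$t}_grid (order_id INTEGER)");
}
$db->exec('INSERT INTO sales_flat_order_grid VALUES (1), (2)');
removeOrderGridRows($db, '1');             // well-formed id
try {
    removeOrderGridRows($db, '2 OR 1=1');  // constructed malformed id
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
echo $db->query('SELECT COUNT(*) FROM sales_flat_order_grid')->fetchColumn(), " row(s) left\n";
```

Inside Magento 1 the same binding is available on the Zend_Db-based write adapter, for example `delete($table, array('order_id = ?' => $id))`.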

Contributor Author

@NikoGrano NikoGrano commented Jul 15, 2019

Lol. Well, I will mark it then 1.1.3 until we get a version where the fix has been made.

Collaborator

@rhoerr rhoerr commented Jul 15, 2019

Don't tag a version until a version actually exists. If/when they release a fixed 1.1.3 then that's fine, but until then we can't assume anything. Just leave the version blank in the meantime, if you could.

Since it's listed on Marketplace, I've notified them of the vuln.

Contributor Author

@NikoGrano NikoGrano commented Jul 15, 2019

Done, there is now ,, in place of tag.

Collaborator

@rhoerr rhoerr commented Jul 15, 2019

Looks good to me. Thank you for the contribution.

Collaborator

@rhoerr rhoerr commented Jul 15, 2019

Oh, hold on, you're missing a column for request URI for the attack (for log analysis). That should go after the version. You can leave it blank if unknown, but you should have it from the data available.

Contributor Author

@NikoGrano NikoGrano commented Jul 15, 2019

Ty for noticing. Information has been added.


@gwillem gwillem merged commit f2ffdb8 into sansecio:master Jul 15, 2019