Skip to content

Magento 1 Raveinfosys/DeleteOrders Security flaw #45

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Jul 15, 2019
Merged

Magento 1 Raveinfosys/DeleteOrders Security flaw #45

merged 3 commits into from
Jul 15, 2019

Conversation

NikoGrano
Copy link
Contributor

@mpchadwick
Copy link
Collaborator

This doesn't look to be fixed in 1.1.2

// Raveinfosys_Deleteorder_Model_Deleteorder:: _remove
public function _remove($orderId) 
{
    $resource = Mage::getSingleton('core/resource');
    $delete = $resource->getConnection('core_read');
    $orderTable = $resource->getTableName('sales_flat_order_grid');
    $invoiceTable = $resource->getTableName('sales_flat_invoice_grid');
    $shipmentTable = $resource->getTableName('sales_flat_shipment_grid');
    $creditmemoTable = $resource->getTableName('sales_flat_creditmemo_grid');
    $sql = "DELETE FROM  " . $orderTable . " WHERE entity_id = " . $orderId . ";";
    $delete->query($sql);
    $sql = "DELETE FROM  " . $invoiceTable . " WHERE order_id = " . $orderId . ";";
    $delete->query($sql);
    $sql = "DELETE FROM  " . $shipmentTable . " WHERE order_id = " . $orderId . ";";
    $delete->query($sql);
    $sql = "DELETE FROM  " . $creditmemoTable . " WHERE order_id = " . $orderId . ";";
    $delete->query($sql);        
    return true;
}

@NikoGrano
Copy link
Contributor Author

Lol. Well, I will mark it then 1.1.3 until we get version where the fix has been made

@rhoerr
Copy link
Collaborator

rhoerr commented Jul 15, 2019

Don't tag a version until a version actually exists. If/when they release a fixed 1.1.3 then that's fine, but until then we can't assume anything. Just leave the version blank in the meantime, if you could.

Since it's listed on Marketplace, I've notified them of the vuln.

@NikoGrano
Copy link
Contributor Author

Done, there is now ,, in place of tag.

@rhoerr
Copy link
Collaborator

rhoerr commented Jul 15, 2019

Looks good to me. Thank you for the contribution.

@rhoerr
Copy link
Collaborator

rhoerr commented Jul 15, 2019

Oh, hold on, you're missing a column for request URI for the attack (for log analysis). That should go after the version. You can leave it blank if unknown, but you should have it from the data available.

@NikoGrano
Copy link
Contributor Author

Ty for noticing. Information has been added.

@gwillem gwillem merged commit f2ffdb8 into sansecio:master Jul 15, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants