cancel
Showing results for 
Search instead for 
Did you mean: 

Code in place of customer name - Is this an attack?

Code in place of customer name - Is this an attack?

Hi all

I recently had an order come through where code had been inserted into the customer first name and second dame.

This code was:

{{var this.getTemplateFilter().filter(foobar)}}{{var this.getTemplateFilter().addAfterFilterCallback(system).filter(cd${IFS%??}/

 

Is this an attempted attack?

What validation does Magento 2.4.3 CE provide to block code injection?

Thank you

Andy

19 REPLIES 19

Re: Code in place of customer name - Is this an attack?

Hi @Andy_Acute 

 

It may be an attack. Make sure that your website is fully patched. Please follow

Security Best Practices Guide also read

https://developer.adobe.com/commerce/php/architecture/basics/security/ 

 

If you are using a custom template for the registration page make sure you are validating and sanitizing the input variables.

 

You can scan your website using Magento Security scanner.

 

Thanks

---
Problem Solved Click Accept as Solution!:Magento Community India Forum

Re: Code in place of customer name - Is this an attack?

Hi @Andy_Acute 

 

This vulnerability CVE-2022-24086 has been patched. You should apply the patch mentioned on this page https://helpx.adobe.com/security/products/magento/apsb22-12.html

 

This will fix the problem for you.

 

Thanks

---
Problem Solved Click Accept as Solution!:Magento Community India Forum

Re: Code in place of customer name - Is this an attack?

Hello I had this same problem earlier this year. I was able to block the ip address & upgraded to 2.4.4. However, today I got an order/confirmation using the same information  The billing address information is fake. The shipping customer name information is:

 

{{var this.getTemplateFilter().filter($order.shipping_address.city)}}{{var this.getTemplateFilter().addAfterFilterCallback($order.shipping_address.last_name).filter($order.shipping_address.city)}} system

 

I also have custom dependent options & they were able to somehow select options that aren't available based on previous options chosen. Any ideas what could be done about it???

 

Thanks in advance for any help.

Re: Code in place of customer name - Is this an attack?

Thank you Mukesh

I followed the patch installation instructions and all went well.

I also confirmed the patches installed by comparing the files and could see the changes.

Many Thanks again for your advise and help.

Andy

Re: Code in place of customer name - Is this an attack?

Hi Mukesh

Running the Magento Security Scanner I see that there is another patch APSB22-38 alert.

https://helpx.adobe.com/uk/security/products/magento/apsb22-38.html

I can't see how I download and install this.

Any Advise?

Thank you

Andy

Re: Code in place of customer name - Is this an attack?

Hi @Andy_Acute 

Please read following article https://community.magento.com/t5/Magento-DevBlog/Introducing-the-New-Security-Patch-Release/ba-p/141...  for information about security only patch.

---
Problem Solved Click Accept as Solution!:Magento Community India Forum

Re: Code in place of customer name - Is this an attack?

Hi Mukesh

Thanks again for your advice.

So reading through the contents of that link, am I right in saying that the latest security patch APSB22-38 is not yet available for the Magento 2.4.3 Open Source version, but will be in a couple of weeks?

If that is correct, how do we get notified of it's availability for Open Source?

Also, the method of Magento versions, functionality and security patches seems overly complex, confusing and convoluted as many other users have expressed.

Thank you again

Andy

Re: Code in place of customer name - Is this an attack?

Hi Mukesh

I'm still not clear on how to apply this patch APSB22-38

Anyone else used this patch?

Thank you

Andy

Re: Code in place of customer name - Is this an attack?

So I found the correct method of upgrading to Magento 2.4.3-p3

I followed this advice but swapped out the require command to 2.4.3-p3

https://www.mageplaza.com/devdocs/upgrade-magento-2.html

 

Don't forget to back up your code and database.

In all, I used:

composer require magento/product-community-edition 2.4.3-p3 --no-update

rm -rf var/view_preprocessed pub/static/frontend

rm -rf var/generatiom

php -dmemory_limit=3G bin/magento setup:upgrade

php -dmemory_limit=4G bin/magento setup:di:compile

php bin/magento indexer:reindex

php bin/magento cache:flush

php bin/magento cache:clean

 

I hope this helps.

Andy